Apple mandates App Store apps support ATS security protocol by 2017

In an announcement at a Worldwide Developers Conference session on Tuesday, Apple said apps submitted to its various App Stores will be required to use the App Transport Security standard by the end of 2016, a decision that underscores the company's dedication to customer privacy.

Introduced as part of iOS 9, ATS transfers app data over HTTPS connections instead of HTTP, thereby reducing the potential of user exposure to nefarious code or data theft. Starting Jan. 1, 2017, all new apps and app updates submitted to the App Store will need to support the protocol, reports TechCrunch.

ATS is turned on by default in Apple's development tools, though developers currently have the option to deactivate the security feature if they so choose.

Apple's upcoming deadline mirrors a wider industry shift toward HTTPS-based connections. Banks and internet service providers dealing with highly sensitive user data were among the first to deploy HTTPS solutions, and an increasing number of companies have since adopted similar safeguards. Device manufacturers marketing bespoke operating systems, like Apple's iOS and Mac, have followed suit.

ATS found itself at the center of a small controversy last year when Google publicly disclosed a technique of sidestepping the iOS security protocol with just a few lines of code.

Google discovered that ATS was blocking ads from displaying correctly in certain mobile apps, which presented an obvious threat to its lucrative advertising business. In response, the internet search giant posted a "short term fix" to its Ads Developers Blog proposing developers inject HTTPS exceptions into their apps. By allowing non-secure HTTP requests to succeed, these exceptions inherently put users at risk.

In any case, developers looking to sell their wares on Apple's App Stores will have no choice but to comply with ATS guidelines come January.

9 Comments

indieshack 9 Years · 336 comments

About 8 years ago

Great in theory but in practice this will kill some apps stone dead which use third party web data. Very bad news.

VisualSeed 8 Years · 217 comments

indieshack said:

Great in theory but in practice this will kill some apps stone dead which use third party web data. Very bad news.

A lot of data doesn't really even require it. Fetching weather or stock quotes for instance. Read only data that you pass no credentials to access. If the sources want to use SSL, that's great, but many of them haven't been touched in years. Unless they see a revenue impact to their services by being banned from iOS apps, many won't do anything.

VisualSeed said:

A lot of data doesn't really even require it. Fetching weather or stock quotes for instance. Read only data that you pass no credentials to access. If the sources want to use SSL, that's great, but many of them haven't been touched in years. Unless they see a revenue impact to their services by being banned from iOS apps, many won't do anything.

And that's the problem. I have an app that I'm about to submit which uses public data from a non-profit scientific entity for which there is no https service. I've worked in outfits like that for years and switching on HTTPS can be a serious server load issue for them plus the certificate maintenance. It's dawned on me that Apple won't "switch off" apps already in the app store which use the ATS exception, so I'm likely fine for the time being but in my view it's a sledgehammer approach by Apple not helped by the poor communication from apple about ATS. 6 months isn't a reasonable timeframe to expect app data sources to switch and in my view this was a poorly thought out strategy brought in by bad Apple managers with poor foresight but with a view to pleasing their bosses by implementing a "privacy" strategy. It is what it is.

netmage 14 Years · 314 comments

Fetching weather implies telling the Internet your location - is preventing an unknown middle man the ability to track your location important to you?

libertyforall 16 Years · 1417 comments

Why wait to mandate it in 2017 Apple?! Push for it now in July for better security of your app users! *rolls eyes*