Apple is giving developers more time to become compliant with new encryption requirements

While Apple had originally announced January 1st as the date by which all apps submitted to the company’s App Store would need to support App Transport Security (ATS), it changed course at the last minute.

Now the deadline has been extended indefinitely. Apple did not list a hard date in its December 21st announcement and has yet to publicly announce one since.


The cause for the delay, as reported by Appthority, was the staggeringly low percentage of apps that would be capable of meeting the requirement by January 1st. As of 12/22, the day after Apple announced it would delay its ATS deadline, just 5% of all existing apps would be compliant.

As of now, December 22, the 3% readiness figure has grown to only 5%. We assume that Apple, too, realized that an unacceptably high number of apps would fail to meet the ATS deadline unless it was extended.

There are numerous factors that could keep a developer from being compliant. For instance, a great number of apps integrate with third parties for analytics, media hosting, and advertising, and unless those services all become compliant, there’s little the developers can do to become compliant themselves.

App Transport Security was first introduced in iOS 9. It forces apps to communicate with internet servers using secure connections via HTTPS. Think of it like enabling SSL for your apps. Before ATS, encryption was left entirely up to the developers, many of whom did implement their own frameworks for enabling HTTPS. Unfortunately, that also lent itself to some rather creative implementations. ATS will clean that up by ensuring that only industry-standard encryption and ciphers are used during the connections.

As for when Apple might be able to enforce its ATS mandate, Appthority is not optimistic:

It’s curious that Apple did not provide a new date for compliance. Has the goal of achieving a higher level of security for app transport been delayed, or abandoned? We might have expected a new deadline if Apple was merely delaying the date by which ATS support is required. Even if the goal of full ATS support has not been abandoned, we’re unlikely to see it come to pass anytime soon.

One thing that will be working in Apple’s favor is the large-scale HTTPS migration that is likely to take place in 2017 across the internet.

With the browser community aiming to make encryption a baseline security standard for the entire web – and implementing changes like negative visual indicators and interstitial warnings – an unprecedented number of websites and services are likely to migrate to HTTPS in the coming year. This will likely include many of the third-party services currently holding up developer compliance.

Unfortunately, with the total number of developers out there and the amount of money there is to be made just producing cheap shovelware, the only way Apple may be able to achieve its goal is with a hard deadline that temporarily pulls the plug on apps until they become compliant. Nothing creates a sense of urgency like a developer’s revenue drying up.

Author

Welcome to Savvy Security, a blog focused on providing practical cybersecurity advice for website owners and small businesses. Our team brings you the latest news, best practices and tips you can use to protect your business...without a multi-million dollar budget or 24/7 security teams.