Apple to extend the iOS App Transport Security (ATS) Time Duration

1 Star2 Stars3 Stars4 Stars5 Stars (1 votes, average: 5.00 out of 5)
Loading...

Apple is giving developers more time to become compliant with new encryption requirements

While Apple had originally announced a January 1st as the date that all apps submitted to the company’s App Store would need to support App Transport Security (ATS), it changed course at the last minute.

Now the deadline has been extended indefinitely. Apple did not list a hard date in its December 21st announcement and has yet to publicly announce one since.

apple app transport security

The cause for the delay, as reported by Appthority, was the staggeringly low percentage of apps that would be capable of meeting the requirement by January 1st. As of 12/22, the day after Apple announced it would delay its ATS deadline, just 5% of all existing apps would be compliant.

As of now, December 22, the 3% readiness figure has grown to only 5%. We assume that Apple, too, realized that an unacceptably high number of apps would fail to meet the ATS deadline unless it was extended.

There are numerous factors that could keep a developer from being compliant. For instance, a great number of apps integrate with third-parties for analytics, media hosting, and advertising, and unless those services all become compliant, there’s little the developers can do to become compliant themselves.

App Transport Security was first introduced in iOS 9, it forces apps to communicate with internet servers using secure connections via HTTPS. Think of it like enabling SSL for your apps. Before ATS, encryption was left entirely up to the developers, many of whom did implement their own frameworks for enabling HTTPS. Unfortunately, that also lent itself to some rather creative implementations. ATS will clean that up by ensuring that only industry-standard encryption and ciphers are used during the connections.

As per when Apple might be able to enforce its ATS mandate, Appthority is not optimistic:

It’s curious that Apple did not provide a new date for compliance. Has the goal of achieving a higher level of security for app transport been delayed, or abandoned? We might have expected a new deadline if Apple was merely delaying the date by which ATS support is required. Even if the goal of full ATS support has not been abandoned, we’re unlikely to see it come to pass anytime soon.

One thing that will be working in Apple’s favor is the large-scale HTTPS migration that is likely to place in 2017, across the internet.

With the browser community aiming to make encryption a baseline security standard for the entire web – and implementing changes like negative visual indicators and interstitial warnings – an unprecedented number of websites and services are likely to migrate to HTTPS in the coming year. This will likely include many of the third-party services currently holding up developer compliance.

Unfortunately, with the total number of developers out there and the amount of money, there is to be made just producing cheap shovelware, the only way Apple may be able to achieve its goal is with a hard deadline that temporarily pulls the plug on apps until they become compliant. Nothing creates a sense of urgency like a developer’s revenue drying up.

Important Resources to Read

Buy Cheap SSL Certificates – Save Up to 90%

How to Generate CSR and P12 Certificate to Sign Your iOS Apps
Building Up iOS App Identity with Code Signing
This entry was posted in iPhone Security by Mit Gajjar. Bookmark the permalink.

About Mit Gajjar

I have been working as SSL security expert for 6 years and i have assisted to plenty of users to solve their technical issues while installation of SSL certificates on their web servers. It’s really great experience working with Platinum Partner Company CheapSSLSecurity to offer the most reliable SSL certificate security solution on the internet. Being Platinum Partner Company of Symantec, GeoTrust Thawte, Comodo, and RapidSSL, CheapSSLSecurity offers the cheapest SSL certificates security on the internet which starts at just only $3.20/yr.