{"id":2903,"date":"2017-02-10T01:24:26","date_gmt":"2017-02-10T09:24:26","guid":{"rendered":"https:\/\/cheapsslsecurity.com\/blog\/?p=2903"},"modified":"2021-01-26T09:13:10","modified_gmt":"2021-01-26T17:13:10","slug":"apple-to-extend-the-ios-app-transport-security-ats-time-duration","status":"publish","type":"post","link":"https:\/\/cheapsslsecurity.com\/blog\/apple-to-extend-the-ios-app-transport-security-ats-time-duration\/","title":{"rendered":"Apple to extend the iOS App Transport Security (ATS) Time Duration"},"content":{"rendered":"

Apple is giving developers more time to become compliant with new encryption requirements<\/h2>\n

While Apple<\/strong> had originally announced a January 1st<\/sup> <\/strong>as the date that all apps submitted to the company\u2019s App Store would need to support App Transport Security (ATS)<\/strong>, it changed course at the last minute.<\/p>\n

Now the deadline has been extended indefinitely. Apple did not list a hard date in its December 21st<\/sup> announcement and has yet to publicly announce one since.<\/p>\n

\"apple<\/p>\n

The cause for the delay, as reported by Appthority<\/a>, was the staggeringly low percentage of apps that would be capable of meeting the requirement by January 1st<\/sup>. As of 12\/22, the day after Apple announced it would delay its ATS deadline, just 5% of all existing apps would be compliant.<\/p>\n

As of now, December 22, the 3% readiness figure has grown to only 5%. We assume that Apple, too, realized that an unacceptably high number of apps would fail to meet the ATS deadline unless it was extended.<\/p><\/blockquote>\n

There are numerous factors that could keep a developer from being compliant. For instance, a great number of apps integrate with third-parties for analytics, media hosting, and advertising, and unless those services all become compliant, there\u2019s little the developers can do to become compliant themselves.<\/p>\n

App Transport Security<\/strong><\/a> was first introduced in iOS 9<\/strong>, it forces apps to communicate with internet servers using secure connections via HTTPS. Think of it like enabling SSL for your apps. Before ATS, encryption was left entirely up to the developers, many of whom did implement their own frameworks for enabling HTTPS. Unfortunately, that also lent itself to some rather creative implementations. ATS will clean that up by ensuring that only industry-standard encryption and ciphers are used during the connections.<\/p>\n

As per when Apple might be able to enforce its ATS mandate, Appthority is not optimistic:<\/p>\n

\n

It\u2019s curious that Apple did not provide a new date for compliance. Has the goal of achieving a higher level of security for app transport been delayed, or abandoned? We might have expected a new deadline if Apple was merely delaying the date by which ATS support is required. Even if the goal of full ATS support has not been abandoned, we\u2019re unlikely to see it come to pass anytime soon.<\/p>\n<\/blockquote>\n

One thing that will be working in Apple\u2019s favor is the large-scale HTTPS migration that is likely to place in 2017, across the internet.<\/p>\n

With the browser community aiming to make encryption a baseline security standard for the entire web \u2013 and implementing changes like negative visual indicators and interstitial warnings \u2013 an unprecedented number of websites and services are likely to migrate to HTTPS in the coming year. This will likely include many of the third-party services currently holding up developer compliance.<\/p>\n

Unfortunately, with the total number of developers out there and the amount of money, there is to be made just producing cheap shovelware, the only way Apple may be able to achieve its goal is with a hard deadline that temporarily pulls the plug on apps until they become compliant. Nothing creates a sense of urgency like a developer\u2019s revenue drying up.<\/p>\n

Important Resources to Read<\/h3>\n