By: Evgeniya Vi.
5 JUL 2016 1639
Just like web apps, mobile apps are important gateways for malicious attacks. For this reason, mobile security should be one of developers’ main priorities.
Yes, it’s true that timelines can slip, especially at some stages of a mobile app’s development. When that happens, chances are that protocols get rushed and important elements such as security end up lacking in effectiveness. As a developer, it’s extremely important that you take the necessary time and measures to ensure that apps are free from security threats.
Considering how costly smartphones are, the impact can be huge if malware, worms or viruses disable them and render these devices useless.
It's been more than 12 months since Apple rolled out App Transport Security (ATS), which is supposed to secure all the connections between apps and servers. However, many developers still skimp on precautions, and this can lead to serious information breaches. We all know what happened to the Fandango app in the early months of this year. Just in case you don't know, there was a serious information breach that resulted from a failure to take precautions.
To avoid such incidents, Apple thought it wise to outline new requirements that will put an end to security threats to all apps in its App Store. During the company’s Worldwide Developers’ Conference in June 2016, the security department announced that all apps in its App Store would have to switch to App Transport Security by the end of the year.
WWDC 2016 and new security requirements of Apple
WWDC 2016 was full of new developments and requirements as far as the use of apps is concerned. When it was time for the security presentation, Ivan Krstic, the current head of security engineering and architecture at Apple, stated in his speech that it was high time they made App Transport Security a mandatory requirement for all their App Store apps.
Specifically, he said that by the end of 2016, all apps in Apple’s App Store would have switched on App Transport Security. ATS is an important security feature that ensures your data is safe while in transit.
By the end of 2016, ATS is going to be mandatory for app developers who want to submit their apps to Apple’s App Store.
This means that by January 1, 2017, all apps that are going to be submitted to the App Store have to enforce ATS. So, it’s now official, that by the end of this year (2016), Apple is going to mandate all iOS apps to enforce secure connections over the web.
How App Transport Security Works
First, App Transport Security, or ATS, is simply a security feature in iOS 9 that Apple introduced a year ago. It ensures that all connections between apps and servers are encrypted. Even though ATS is a very necessary security feature, I bet many app developers did not expect Apple to make it a compulsory requirement.
When App Transport Security is enabled, it forces an app to connect to web services over an HTTPS connection instead of HTTP. HTTPS encrypts the users' data while in transit, and this ensures that it is safe from prying eyes.
Rolled out as a default feature of iOS 9, ATS ensures that apps load resources only over HTTPS instead of HTTP. As a developer, you should understand that HTTPS is the secure variant and HTTP is not.
Well, you might be wondering what the "S" in HTTPS stands for, right? Of course, you guessed it right! The "S" simply stands for secure. After all, HTTPS is all about the security of your data. If you're keen enough, you'll notice the "S" appearing in your browser every time you try to log in to your email or banking accounts.
Unfortunately, mobile apps are not often very transparent with users especially when it comes to the security of their web connections. This is possible because it’s not easy to tell if an app is connected via HTTP or the secure variant, HTTPS. The good news is that this is only possible until the end of this year. From 1 January 2017, you’ll be sure about the security of your connection because developers will have no choice but to enable ATS.
As data travels online, it should be secured. Requiring app developers to use HTTPS is a movement that has been here for quite some time and it should please you that Apple too has joined. This should come as great news to you as the user because you’ll be the biggest beneficiary of this movement. For app developers too, the movement is good news because ensuring the security of your apps will guard your reputation.
Why Apple is taking a tougher stance on developers
When Apple rolled out iOS 9 a year ago, it introduced its App Transport Security (ATS) standard. ATS restricts apps from transferring data via an HTTP connection. Instead, it forces apps to transfer data through HTTPS. HTTPS is an encrypted communication protocol that ensures that the data is secure.
1. Many developers are not ready to adopt ATS
After introducing App Transport Security (ATS), Apple encouraged iOS app developers to update their apps in order to accommodate the new standard. One year down the line, many app developers still do not use the ATS feature.
More often than not, mobile apps are not that transparent with users concerning the security of their web connections. This has been made possible by the fact that it’s not always easy to tell if an app is connected through HTTP or HTTPS. For this reason, Apple has decided to take a tough stance on the security issue, requiring all apps to use the App Transport Security feature by the end of 2016.
Even though developers know very well that ATS will prevent data theft, not all of them are ready to update their apps to accommodate this new standard. This has actually pushed Apple to make it mandatory by the end of this year.
Just imagine how it would feel to know that your apps are safe from security threats. This would actually give all developers peace of mind. I don’t know about you but for me, ATS is a standard that could have come even earlier.
So, by 1 January 2017, there would be no cases of malicious code infiltrating iOS devices through apps.
2. To block developers from deactivating ATS.
Even though Apple's software development kit turns on ATS by default for all developers, the presence of an option to deactivate it makes it possible for developers to deactivate ATS at will. Developers choose to deactivate ATS for many reasons. One of the main reasons is to allow in-app advertising that runs over HTTP, because ATS blocks any in-app advertising that connects through HTTP. And because some developers still want to run their apps over HTTP, they do not use the ATS feature. So, I tend to think that the only option Apple had for ensuring that all developers use ATS was to make it a compulsory requirement.
3. Dedication to protect the privacy of users.
After its famous fight against the FBI's forceful request to decrypt a user's iPhone, Apple has been on the front line trying to emphasize the importance of protecting the privacy of users. However, its efforts have not yielded enough fruit, and many developers still run their apps over insecure HTTP instead of the secure variant, HTTPS. This led Apple to set a deadline for developers to adopt ATS. After the deadline was announced at Apple's Worldwide Developers Conference in June 2016 during Apple's security presentation, there is no trace of doubt that the announcement will spur app developers to adopt ATS before 1 January 2017.
Therefore, it’s now official that come 1 January 2017, all app updates and new apps that developers will submit for review through the App Store will have to use ATS. Stop wondering whether there is a way you can be exempted from this requirement because Apple made it very clear that there would be no exceptions.
Why you should adopt App Transport Security
Yes, it’s true that Apple has announced the deadline for all app developers to adopt ATS feature for them to continue sending their apps into the App Store. But don’t you think adopting ATS is long overdue? Here are some of the few, and main reasons you should adopt ATS if you’re a mobile app developer:
- App Transport Security (ATS) enforces best practices in the secure connections between a mobile app and its backend. It allows an app to add a declaration to its Info.plist file, which specifies the domains it needs secure communication with;
- App Transport Security prevents any accidental disclosure and therefore, it ensures that the data is safe from attackers;
- ATS offers secure default behavior.
The good news is that adopting ATS is just like a walk in the park. If you asked me, I would strongly advise that you adopt App Transport Security as soon as possible, irrespective of whether you're updating your already existing app or creating a new one.
When developing a new app, it’s important that you use HTTPS exclusively and if you’re updating an existing app, it’s advisable that you use HTTPS as much as you can, as you create an effective plan for migration of all your other apps as soon as you can.
In conclusion
Because it’s very important to protect your app from security threats, Apple has made the best decision by requiring all developers to use HTTPS. With this, Apple will help a great deal in securing data as it travels online. We strongly recommend that you adopt App Transport Security as soon as you can because it’s the surest way of ensuring that your apps are free from security threats. We strongly recommend that you use HTTPS all the time when developing a new app or updating an existing one.