Apple Will Require Use of ATS by 2017
As of January 1, 2017, App Transport Security will be mandatory for all apps.
Apple has announced that App Transport Security (ATS), a feature which enforces the secure transmission of data between an app on a user’s device and the app’s servers, will become mandatory on January 1st 2017. This announcement was made at WWDC, Apple’s developer conference, in June.
For users, this means improved security and assurance that their data isn’t being transmitted in plaintext over the internet. When you use an app, data is transmitted from your phone to the app’s back-end servers. Every app serves a different purpose, so this data will vary. But in most cases apps allow you to sign in, search, and store data like receipts or what you ate for the day. You don’t want passwords and personal information being sent across the internet without encryption.
Unlike web browsers, which feature clear indicators of a secure HTTPS connection (the green padlock in the address bar), apps rarely indicate whether your connection is secure. Usually you have to find out on your own whether an app uses HTTPS for data transmission, and even then you usually have to take the developer's word for it. ATS will enforce the secure transmission of data and allow you to rest easy.
Developers will have to start supporting HTTPS by getting an SSL certificate for their server infrastructure. Apple originally released ATS at last year’s WWDC but has allowed its use to be optional.
ATS is not its own encryption protocol, but a feature which enforces the use of HTTPS and “best practices in the secure connections between an app and its back end”. When ATS is used, the iOS device will be able to detect and stop an app from sending data back to its servers over insecure HTTP (similar to HSTS, a mechanism used with servers and web browsers).
ATS also requires the use of TLS 1.2 and a cipher suite that provides forward secrecy. Developers will need to ensure their server is configured properly. TLS 1.2 is the most recent version of the SSL/TLS protocol, and most modern servers have it turned on by default. Forward secrecy is a property of the key exchange used to set up the connection. A cipher suite that supports forward secrecy, such as one using ECDHE, keeps past sessions secure even if the server's private key is later compromised. Xamarin.com has specific details on SSL configurations that satisfy ATS requirements.
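The two server-side requirements above can be checked against what a server actually negotiates. The following is an added example, not code from Apple or from this article; the function names and the sample sessions are made up for illustration, and it assumes OpenSSL-style cipher names as reported by Python's `ssl` module and accepts only ECDHE as the forward-secret key exchange for TLS 1.2.

```python
import socket
import ssl

# Protocol strings as returned by ssl.SSLSocket.version(), oldest first.
VERSIONS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

def ats_violations(protocol, cipher):
    """Return the reasons a negotiated session fails the two requirements
    the article names: TLS 1.2 (or later) and a forward-secret cipher suite."""
    problems = []
    if protocol not in VERSIONS or VERSIONS.index(protocol) < VERSIONS.index("TLSv1.2"):
        problems.append(f"protocol {protocol} is not TLS 1.2 or later")
    # Every TLS 1.3 suite uses an ephemeral key exchange. For TLS 1.2 this
    # example accepts only ECDHE, the key exchange the article names
    # (OpenSSL suite names for it start with "ECDHE-").
    if not (protocol == "TLSv1.3" or cipher.startswith("ECDHE-")):
        problems.append(f"cipher {cipher} does not use ECDHE (no forward secrecy)")
    return problems

def probe(host, port=443, timeout=5.0):
    """Connect to a server you operate; return (protocol, cipher) negotiated."""
    ctx = ssl.create_default_context()  # verifies the certificate chain and hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]

# Constructed sample sessions (not captured from any real server).
SAMPLES = [
    ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),  # meets both requirements
    ("TLSv1.2", "AES128-GCM-SHA256"),            # static RSA key exchange
    ("TLSv1", "AES128-SHA"),                     # old protocol and no ECDHE
]

if __name__ == "__main__":
    for protocol, cipher in SAMPLES:
        issues = ats_violations(protocol, cipher)
        print(protocol, cipher, "->", "OK" if not issues else "; ".join(issues))
    # For a live check of your own back end:
    #   print(ats_violations(*probe("api.example.com")))
```

`probe` reports what this Python client negotiates, which depends on the suites the local OpenSSL build offers; a server that passes here can still prefer a different suite with an iOS client, so review the server's configured suite list as well.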
Developers should take note of another recent change: As of June 1st, 2016, all apps submitted to the app store must support IPv6-only networking.