As of January 1, 2017, App Transport Security will be mandatory for all apps.
Apple has announced that App Transport Security (ATS), a feature which enforces the secure transmission of data between an app on a user’s device and the app’s servers, will become mandatory on January 1st 2017. This announcement was made at WWDC, Apple’s developer conference, in June.
For users, this means improved security and assurance that their data isn’t being transmitted in plaintext over the internet. When you use an app, data is transmitted from your phone to the app’s back-end servers. Every app serves a different purpose, so this data will vary. But in most cases apps allow you to sign in, search, and store data like receipts or what you ate for the day. You don’t want passwords and personal information being sent across the internet without encryption.
Unlike web browsers, which feature clear indicators of a secure HTTPS connection (the green padlock in the address bar), apps rarely indicate whether your connection is secure. Usually you have to find out on your own whether an app uses HTTPS for data transmission, and even then you usually have to take the developer's word for it. ATS will enforce the secure transmission of data and allow you to rest easy.
Developers will have to start supporting HTTPS by getting an SSL certificate for their server infrastructure. Apple originally released ATS at last year's WWDC but has so far left its use optional.
ATS is not its own encryption protocol, but a feature which enforces the use of HTTPS and "best practices in the secure connections between an app and its back end". When ATS is used, the iOS device will be able to detect and stop an app from sending data back to its servers over insecure HTTP (similar to HSTS, a mechanism used with servers and web browsers).
ATS also requires the use of TLS 1.2 and a cipher suite that provides forward secrecy. Developers will need to ensure their server is configured properly. TLS 1.2 is the most recent version of the SSL/TLS protocol, and most modern servers have it turned on by default. Forward secrecy refers to the way the session keys for a connection are agreed. A key exchange which supports forward secrecy, like ECDHE, keeps past sessions secure even if the server's long-term private key is later compromised, because each session uses its own ephemeral keys. Xamarin.com has specific details on SSL configurations that satisfy ATS requirements.
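The two server-side requirements named above (TLS 1.2 or newer, and an ECDHE key exchange for forward secrecy) are easy to check from the outside. The following is an added example written for this article, not code from Apple or Xamarin: it evaluates a negotiated TLS version and cipher suite name against those two requirements, using the strings Python's `ssl` module reports (`SSLSocket.version()` and `SSLSocket.cipher()`), and includes a `probe()` helper that performs a live handshake. The sample handshake results are constructed, and the `probe()` function name and `HandshakeResult` type are this example's own. TLS 1.3 is treated as always providing forward secrecy since all of its key exchanges are ephemeral; a DHE-only suite is reported as a violation because Apple's requirement is specifically ECDHE. Certificate checks (key size, signature hash) that ATS also performs are outside this example.

```python
import socket
import ssl
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Lowest protocol version ATS accepts: TLS 1.2 (TLS 1.3 also satisfies it).
ATS_MIN_VERSION: Tuple[int, int] = (1, 2)

# Version strings as returned by ssl.SSLSocket.version(), mapped to (major, minor).
TLS_VERSIONS: Dict[str, Tuple[int, int]] = {
    "TLSv1": (1, 0),
    "TLSv1.1": (1, 1),
    "TLSv1.2": (1, 2),
    "TLSv1.3": (1, 3),
}


@dataclass(frozen=True)
class HandshakeResult:
    """What a finished TLS handshake negotiated (example's own type)."""
    version: str  # e.g. "TLSv1.2", as ssl.SSLSocket.version() reports it
    cipher: str   # e.g. "ECDHE-RSA-AES128-GCM-SHA256" (OpenSSL name) or IANA name


def provides_forward_secrecy(version: str, cipher: str) -> bool:
    """True if the negotiated key exchange is ephemeral ECDH (ATS's requirement)."""
    if version == "TLSv1.3":
        return True  # every TLS 1.3 key exchange is ephemeral by design
    # Accept both OpenSSL ("ECDHE-RSA-...") and IANA ("TLS_ECDHE_RSA_WITH_...") spellings.
    name = cipher.upper().replace("-", "_")
    return name.startswith("ECDHE_") or name.startswith("TLS_ECDHE_")


def ats_violations(result: HandshakeResult) -> List[str]:
    """Return a list of ATS requirements the handshake fails; empty means compliant."""
    problems: List[str] = []
    version = TLS_VERSIONS.get(result.version)
    if version is None or version < ATS_MIN_VERSION:
        problems.append(f"protocol {result.version} is below TLS 1.2")
    if not provides_forward_secrecy(result.version, result.cipher):
        problems.append(f"cipher suite {result.cipher} does not use ECDHE (no forward secrecy)")
    return problems


def probe(host: str, port: int = 443, timeout: float = 5.0) -> HandshakeResult:
    """Perform a live handshake and report what was negotiated (needs network access).

    The default context already refuses anything below TLS 1.2, so a handshake
    failure here means the server offers no TLS 1.2 at all; a successful handshake
    still has to be checked for forward secrecy with ats_violations().
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cipher_name, _protocol, _bits = tls.cipher()
            return HandshakeResult(version=tls.version(), cipher=cipher_name)


# Constructed sample handshakes (not captured from any real server).
SAMPLE_HANDSHAKES: Dict[str, HandshakeResult] = {
    "modern-ecdhe": HandshakeResult("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
    "tls13": HandshakeResult("TLSv1.3", "TLS_AES_256_GCM_SHA384"),
    "iana-name": HandshakeResult("TLSv1.2", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"),
    "static-rsa": HandshakeResult("TLSv1.2", "AES256-SHA"),
    "old-protocol": HandshakeResult("TLSv1", "ECDHE-RSA-AES256-SHA"),
    "dhe-and-old": HandshakeResult("TLSv1.1", "DHE-RSA-AES128-SHA"),
}


def evaluate_samples() -> Dict[str, List[str]]:
    """Run the ATS check over the constructed samples; maps sample name to its violations."""
    return {name: ats_violations(result) for name, result in SAMPLE_HANDSHAKES.items()}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        try:
            live = probe(sys.argv[1])
        except (ssl.SSLError, OSError) as exc:
            print(f"handshake failed (server likely lacks TLS 1.2): {exc}")
        else:
            print(live, ats_violations(live) or "ATS compliant")
    else:
        for name, problems in evaluate_samples().items():
            print(f"{name:14s} {problems or 'ATS compliant'}")
```

Run it with a hostname argument to probe a live server, or with no arguments to see the verdict on the constructed samples. Note that the live probe reflects what the server negotiates with a modern Python client; a server that supports ECDHE but prefers static-RSA suites would show up as non-compliant here as well, which matches what an ATS-enforcing iOS client would experience.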
Developers should take note of another recent change: As of June 1st, 2016, all apps submitted to the app store must support IPv6-only networking.