Apple Will Require Use of ATS by 2017
As of January 1, 2017, App Transport Security will be mandatory for all apps.
Apple has announced that App Transport Security (ATS), a feature which enforces the secure transmission of data between an app on a user’s device and the app’s servers, will become mandatory on January 1st 2017. This announcement was made at WWDC, Apple’s developer conference, in June.
For users, this means improved security and assurance that their data isn’t being transmitted in plaintext over the internet. When you use an app, data is transmitted from your phone to the app’s back-end servers. Every app serves a different purpose, so this data will vary. But in most cases apps allow you to sign in, search, and store data like receipts or what you ate for the day. You don’t want passwords and personal information being sent across the internet without encryption.
Unlike web browsers, which feature clear indicators of a secure HTTPS connection (the green padlock in the address bar), apps rarely indicate if your connection is secure. Usually you have to find out on your own whether an app uses HTTPS for data transmission, and even then you usually have to take the developer's word for it. ATS will enforce the secure transmission of data and allow you to rest easy.
Developers will have to start supporting HTTPS by getting an SSL certificate for their server infrastructure. Apple originally released ATS at last year’s WWDC but has allowed its use to be optional.
ATS is not its own encryption protocol, but a feature which enforces the use of HTTPS and “best practices in the secure connections between an app and its back end” [1]. When ATS is used, the iOS device will be able to detect and stop an app from sending data back to its servers over insecure HTTP (similar to HSTS, a mechanism used with servers and web browsers).
ATS also requires the use of TLS 1.2 and a cipher suite that provides forward secrecy. Developers will need to ensure their server is configured properly. TLS 1.2 is the most recent version of the SSL/TLS protocol, and most modern servers have it turned on by default. Forward secrecy refers to the way that session keys are negotiated. A cipher suite that uses an ephemeral key exchange, like ECDHE, keeps past sessions secure even if the server's private key is later compromised. Xamarin.com has specific details on SSL configurations that satisfy ATS requirements.
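As an added example (not code from this article or from Apple), the following Python sketch evaluates a negotiated TLS connection against the two requirements named above: TLS 1.2 or newer and an ECDHE key exchange. It assumes OpenSSL-style cipher names as returned by Python's `ssl` module; the helper names and the sample pairs are constructed for illustration.

```python
import socket
import ssl

MIN_VERSION = (1, 2)  # ATS floor stated in the article: TLS 1.2

def parse_version(proto):
    """Map 'TLSv1.2' to (1, 2); SSLv3 and unknown strings map to (0, 0)."""
    if not proto.startswith("TLSv"):
        return (0, 0)
    major, _, minor = proto[4:].partition(".")
    try:
        return (int(major), int(minor or 0))
    except ValueError:
        return (0, 0)

def ats_findings(proto, cipher):
    """Return the reasons a negotiated (protocol, cipher) pair fails the two checks."""
    findings = []
    version = parse_version(proto)
    if version < MIN_VERSION:
        findings.append(f"protocol {proto} is older than TLS 1.2")
    # Assumption: OpenSSL-style names, where TLS 1.2 suites start with the key
    # exchange. TLS 1.3 names (TLS_AES_...) omit it because every TLS 1.3
    # handshake uses an ephemeral key exchange.
    if not (version >= (1, 3) or cipher.startswith("ECDHE-")):
        findings.append(f"cipher {cipher} does not use ECDHE")
    return findings

def probe(host, port=443, timeout=5.0):
    """Handshake with a server and return the negotiated (protocol, cipher)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]

# Constructed sample results, so the example runs without network access.
SAMPLES = {
    "modern": ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
    "static-rsa": ("TLSv1.2", "AES128-GCM-SHA256"),
    "old-protocol": ("TLSv1", "ECDHE-RSA-AES128-SHA"),
    "tls13": ("TLSv1.3", "TLS_AES_128_GCM_SHA256"),
}

def audit(samples):
    """Evaluate each labelled sample; an empty list means both checks passed."""
    return {label: ats_findings(*pair) for label, pair in samples.items()}

if __name__ == "__main__":
    for label, findings in audit(SAMPLES).items():
        print(f"{label:13} {'OK' if not findings else '; '.join(findings)}")
```

To check your own back end, pass the result of `probe("your.server.example")` to `ats_findings`. The probe reports what this client negotiated, not every protocol and cipher the server is willing to accept.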
Developers should take note of another recent change: As of June 1st, 2016, all apps submitted to the App Store must support IPv6-only networking.
[1] https://developer.apple.com/library/ios/releasenotes/General/WhatsNewIniOS/Articles/iOS9.html