Apple’s ATS standard requires apps to use secure connections.
We’re nearing the end of the year, when workplaces move a bit slower, and holiday vacations are just around the corner. That makes this the perfect time to give you a few important year-end reminders.
On Monday we told you about Paypal’s TLS 1.2 requirement.
Now we have a reminder for Apple developers: Apple is going to require App Transport Security (ATS) on January 1st, 2017.
UPDATE: Apple has announced that, as of December 21, it is delaying its deadline in order to give developers more time to become compliant. Per Apple:
App Transport Security (ATS), introduced in iOS 9 and OS X v10.11, improves user security and privacy by requiring apps to use secure network connections over HTTPS. At WWDC 2016 we announced that apps submitted to the App Store will be required to support ATS at the end of the year. To give you additional time to prepare, this deadline has been extended and we will provide another update when a new deadline is confirmed.
You likely know about ATS. Apple has been talking about it for a while. Hopefully you are already on your way to supporting it, but if not, here is a summary of what ATS is and some resources to get you started.
App Transport Security (ATS)
ATS is a technical standard that enforces secure connections made with apps. This means any connections between an app and a server/website on the internet must use HTTPS with a modern configuration. This is an important requirement for protecting user information and privacy.
On Jan 1st, 2017, Apple will expect that any new apps submitted to the App Store, and updates to existing apps, will meet ATS requirements. At some point, Apple may apply ATS requirements to existing apps, but this is not likely to happen soon.
The main requirements of ATS are:
- Connections use HTTPS
- Connections use TLS 1.2
- A Perfect Forward Secrecy (PFS) cipher suite is used (Apple publishes the list of accepted ciphers; see the note on enforcement below)
- ATS applies to all App Store apps across Apple operating systems (iOS 9+, macOS 10, tvOS 10, watchOS 3)
- ATS only applies to public host names (see the note below)
- ATS only applies to NSURLSession, NSURLConnection, and anything built on those APIs
Ideally, you will be able to support these requirements for all connections your app makes. For your own servers, this means installing an SSL certificate and ensuring you have modern configuration settings. For third-party servers, check to see if they support HTTPS (and politely ask them to, if they don’t).
Apple knows that there are some situations out of your control, and situations where using HTTPS is not yet possible. In those cases, there is a way to get an exception.
If you are an iOS developer, you may already be familiar with disabling ATS by listing exceptions in your app’s Info.plist file. In 2017, you will still be able to list exceptions, so it isn’t true that HTTP connections are 100% outright banned.
But any listed exception will now trigger a review by Apple, and you will have to provide “reasonable justification” for that exception. This means taking detailed notes for each and every domain or key you want an exception for. Saying ‘I can’t afford an SSL certificate/can’t be bothered to install one’ will not fulfill that requirement. Neither will enabling NSAllowsArbitraryLoads to achieve a blanket exemption.
It’s also important to know that just supporting HTTPS does not automatically make you ATS compliant. You must also use TLS 1.2: making ‘weaker’ connections with older protocol versions is viewed as non-compliant in the same way that using HTTP would be.
An example of an acceptable reason is if an app connects to a third-party server which does not have HTTPS support. Another example listed by Apple is the “app loads media content that is encrypted and that contains no personalized information,” which would allow you to skip TLS if the media is already encrypted.
If you have an iOS app, note that iOS 9 & 10 have support for different Cocoa keys, which are the tools you can use for exceptions. Depending on what you need to access over HTTP, you will need to use different keys to do so for iOS 9 & 10 (the resources below cover that in more detail).
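Because every ATS exception in Info.plist now needs a written justification, it helps to inventory them before submission. The following script is an added example, not code from the original post or from Apple: it parses a constructed Info.plist fragment with Python's standard plistlib and reports each key that weakens the ATS defaults. The key names (NSAllowsArbitraryLoads and its ForMedia/InWebContent variants, NSExceptionAllowsInsecureHTTPLoads, NSExceptionMinimumTLSVersion, NSExceptionRequiresForwardSecrecy) are Apple's documented ATS keys; the domain and values are made up for the sample.

```python
import plistlib

# Constructed sample Info.plist (not from any real app): one per-domain exception
# that allows plain HTTP, old TLS and no forward secrecy, plus a blanket override.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy-partner.example</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <true/>
        <key>NSExceptionMinimumTLSVersion</key>
        <string>TLSv1.0</string>
        <key>NSExceptionRequiresForwardSecrecy</key>
        <false/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Top-level keys that switch ATS off broadly; each one needs a justification.
GLOBAL_OVERRIDES = ("NSAllowsArbitraryLoads",
                    "NSAllowsArbitraryLoadsForMedia",
                    "NSAllowsArbitraryLoadsInWebContent")


def ats_findings(plist_bytes):
    """Return (scope, key, value) for every ATS setting weaker than the default."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = [("global", k, True) for k in GLOBAL_OVERRIDES if ats.get(k)]
    for domain, cfg in ats.get("NSExceptionDomains", {}).items():
        if cfg.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append((domain, "NSExceptionAllowsInsecureHTTPLoads", True))
        tls = cfg.get("NSExceptionMinimumTLSVersion")
        if tls in ("TLSv1.0", "TLSv1.1"):  # below the TLS 1.2 floor ATS requires
            findings.append((domain, "NSExceptionMinimumTLSVersion", tls))
        if cfg.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append((domain, "NSExceptionRequiresForwardSecrecy", False))
    return findings


if __name__ == "__main__":
    for scope, key, value in ats_findings(SAMPLE_PLIST):
        print(f"{scope}: {key} = {value}  (needs justification)")
```

Run it against your real Info.plist by replacing SAMPLE_PLIST with the file's bytes; an empty result means no exception keys are present.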
If you are an Apple developer working on implementing ATS, these resources can help you get started:
- Apple’s Developer Forums: Notes on ATS by “eskimo,” a member of Apple’s Developer Relations
- Apple’s Developer Site: ATS Configuration Basics (covers key options, configuration scenarios, and which keys will trigger an app review)
- Data Theorem Lab: Getting Ready for ATS Enforcement in 2017 (covers specific scenarios and a method for exempting content in WebViews)
Note on the PFS cipher requirement: this requirement is not being enforced yet, so you can exempt your app from it without triggering an app review. However, if you can, you should enable it now, as it will be enforced later in 2017. If you cannot, you should research how and whether your server can be updated to support these ciphers.
Note on public host names: connections to IP addresses, unqualified host names, and .local hosts are not affected by ATS.