Apple's Mandatory iOS App Transport Security Feature Postponed

Written by Alice Fountain
Published on Jan. 24, 2017

Last month, Dom & Tom’s CEO, Dom Tancredi, wrote an article for App Developers Magazine about the major changes ahead for the mobile industry in 2017 and the mandatory implementation of the App Transport Security (ATS) feature. With over 346,000 views on his article alone and countless other publications opposing the enforcement of the rule within such a short period, we think Apple may have listened.

On December 21st, Apple released a brief statement announcing that they would extend the deadline for apps submitted to the App Store to give developers additional time to prepare for the security change.

“App Transport Security (ATS), introduced in iOS 9 and OS X v10.11, improves user security and privacy by requiring apps to use secure network connections over HTTPS. At WWDC 2016 we announced that apps submitted to the App Store will be required to support ATS at the end of the year. To give you additional time to prepare, this deadline has been extended and we will provide another update when a new deadline is confirmed,” Apple wrote.

In 2015, Apple released iOS 9 and introduced App Transport Security (ATS), a security feature that requires an app to connect to web services over a secure HTTPS connection rather than an HTTP connection. When this feature was released it was not mandatory, and many developers simply used exceptions to bypass the default enforcement, thus opting out of ATS. What many iOS developers were not aware of was that in the not-so-distant future this security feature would be mandatory not only for all new submissions to the Apple store but also for apps already published there.

The iOS 10 ATS “Bug”

Keeping data and personal information secure has become an increasingly high priority for Apple. While it is important to keep users’ information private, there are far too many websites and APIs that still use HTTP and could not make the change before the end of last year. When this change does become mandatory, some of the most affected apps will be those that consume content served over HTTP, such as major media publications and websites that have audio and video content. Since the release of iOS 10, a significant “bug” has been discovered that seems to prevent web audio and video content from playing within an app when the content is transmitted insecurely.

For example, when a Facebook user scrolling through their newsfeed comes across a video posted by a TV network and clicks on it, nothing will be displayed, because the TV network delivers its content over an HTTP connection and so does not comply with ATS. This is not only the case with Facebook: any audio or video content pulled from the web will be disabled or blocked as an insecure resource load if the application has not declared the source domain as an exception.

Media Encryption

The issue is not that developers oppose the increased security; it is the fact that it takes hundreds of hours to switch a site from HTTP to HTTPS. An organization will have to acquire and install the security certificate, as well as audit the assets linked to the website to make sure they are transmitted through the new domain. Two of the biggest news publications, The New York Times and the Los Angeles Times, have not made the switch to HTTPS, so their content will not be accessible through any mobile apps that have not declared their domains as exceptions. Organizations of this scale will require a tremendous amount of planning to efficiently and cost-effectively migrate all their content over to a secure protocol.

Petition for Exceptions

To clarify, there are some exceptions to the mandatory ATS requirements; however, that does not mean that all of the previous exceptions will be valid moving forward. Developers will need to provide “reasonable justification” for these exceptions and, as is the case with Apple, there is little transparency when it comes to their decision-making process. An exception for streaming media that is already encrypted in bulk may be granted through AVFoundation to allow it to load without a TLS connection. Additionally, a web content exception may be granted: if your app loads arbitrary content from the web and you are using WKWebView, you can set the key below to allow those loads and be exempt from the ATS requirements.

NSAppTransportSecurity : Dictionary {
    NSAllowsArbitraryLoads : Boolean
    NSAllowsArbitraryLoadsInWebContent : Boolean
}

While these exceptions are available, developers should not expect that they will always be available and should plan for the fact that Apple may reject the request for an exception.

What Can You Do?

– If you are developing a new mobile app then you should use HTTPS for all network communication.

– If you have an app that has already been approved and is in the Apple Store, then you should dedicate a team to audit your current app, immediately migrate from HTTP to HTTPS, and adapt to the changes as soon as possible.

– If you have an app that connects to web services that are not secured, then you should declare their domains as exceptions in the application info.plist as a short-term solution and begin to evaluate your options moving forward.

– If you have an app that is loading 3rd party content via HTTP, then you should work with the content providers to create an HTTPS endpoint to prevent any disruption in transmission and display.

Conclusion

Although Apple has yet to set a new deadline, developers can breathe a sigh of relief (for now) and continue preparing for the change. A developer should check to see how the ATS security feature could impact their existing apps and any future apps that will go to market moving forward. They must evaluate their options and see what changes need to be made so when the deadline arrives, the content does not get blocked.

Migrating to HTTPS takes a significant amount of time, development and money, including the application for security certificates. Ultimately, even with exceptions granted, companies will need to realize that increased security requirements are only going to become more prevalent, and it is best to prepare for those changes and create a long-term plan now instead of waiting for those deadlines to come.

If these security restrictions are not fixed or addressed then businesses will undoubtedly see an increase in user frustration, poor user experience and potentially a loss of revenue. While it would be great if Apple’s features were “bug”-free, more likely, the blame will be shifted to the digital properties for not upgrading the security of their channels.
