PINDROP BLOG

Apple Delays Requirement for App Transport Security

Apple has pushed back a deadline for developers to support a key transport security technology in apps submitted to the company’s app stores.

Officials said at the Apple Worldwide Developers Conference earlier this year that developers would have to support App Transport Security by the end of 2016. But on Wednesday, the company announced that it has decided to extend the deadline indefinitely.

“At WWDC 2016 we announced that apps submitted to the App Store will be required to support ATS at the end of the year. To give you additional time to prepare, this deadline has been extended and we will provide another update when a new deadline is confirmed,” Apple said in a statement.

ATS is Apple’s collection of transport security standards designed to provide attack resistance for data that’s sent between iOS and macOS apps and back-end servers. It requires apps to support a number of modern transport security technologies, including TLS 1.2 and AES-128 or stronger encryption, and it requires certificates to be signed using SHA-2. ATS also requires the use of forward secrecy, a key-exchange method that protects encrypted sessions even if the server certificate is compromised at some point in the future.

“You add all these together and you have what we think is a secure connection that protects the data of your clients,” Lucia Ballard, secure transports engineering manager at Apple, said in a talk at WWDC.

Apple is planning to enforce support for ATS at the app store level, meaning any apps submitted to the iOS or macOS app stores have to support the technology to be approved. The enforcement of ATS for developers is meant to provide users with an increased level of security and integrity for the communications their apps have with remote servers. That’s not something that users have any control over, because it’s been left up to the developer to decide what kind of transport security to use, if any.

While some apps have been using HTTPS for communications, it’s been a choice. And, as Ballard said in her WWDC talk, just using HTTPS isn’t enough. There are many known attacks against older versions of TLS, which is why Apple is requiring the use of TLS 1.2.

“Not all HTTPS is created equal,” she said.
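To make the ATS criteria listed above concrete, the following added example (not from the original article or from Apple) checks a negotiated connection against only the four requirements the article names. The function names and sample connections are constructed for illustration; the cipher tuple has the shape that Python's `ssl.SSLSocket.cipher()` returns.

```python
import re

# Hash names counted as SHA-2 family for the certificate signature check.
SHA2 = {"sha224", "sha256", "sha384", "sha512"}
_VERSION = re.compile(r"TLSv(\d)(?:\.(\d))?$")

def tls_version(name):
    """Turn 'TLSv1.2' into (1, 2); 'TLSv1' into (1, 0); unknown into (0, 0)."""
    m = _VERSION.match(name)
    return (int(m.group(1)), int(m.group(2) or 0)) if m else (0, 0)

def ats_failures(cipher, cert_sig_hash):
    """Return the ATS criteria from the article that a connection misses.

    cipher: the (name, protocol, secret_bits) tuple that Python's
            ssl.SSLSocket.cipher() returns for a live connection.
    cert_sig_hash: hash used in the leaf certificate signature, e.g. 'sha256'.
    """
    name, protocol, bits = cipher
    version = tls_version(protocol)
    failures = []
    if version < (1, 2):
        failures.append("protocol older than TLS 1.2")
    if "AES" not in name or bits < 128:
        failures.append("cipher is not AES-128 or stronger")
    # TLS 1.3 suites always use ephemeral key exchange; for TLS 1.2 and
    # earlier, OpenSSL names put the key exchange first (ECDHE-..., DHE-...).
    if version < (1, 3) and not name.startswith(("ECDHE-", "DHE-")):
        failures.append("key exchange lacks forward secrecy")
    if cert_sig_hash.lower() not in SHA2:
        failures.append("certificate not signed with SHA-2")
    return failures

# Constructed sample connections (not captured from real servers).
SAMPLES = {
    "modern":     (("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", 128), "sha256"),
    "tls13":      (("TLS_AES_256_GCM_SHA384", "TLSv1.3", 256), "sha384"),
    "static-rsa": (("AES256-SHA", "TLSv1.2", 256), "sha256"),
    "legacy":     (("DES-CBC3-SHA", "TLSv1", 112), "sha1"),
}

if __name__ == "__main__":
    for label, (cipher, sig) in SAMPLES.items():
        print(label, ats_failures(cipher, sig) or "meets the listed criteria")
```

The "static-rsa" sample is the case behind the quote above: it is HTTPS on TLS 1.2 with AES-256 and a SHA-2 certificate, yet it still fails because the key exchange provides no forward secrecy.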

Image: PhotoAtelier, CC BY license