When Apple in July announced it would require all iOS apps to use a technology called "App Transport Security" by the start of 2017, the move was widely regarded as a positive one for user privacy. Now, barely a week before the deadline, Apple has pulled back and extended it indefinitely. The requirement, if implemented, would fill a significant security hole on iOS devices, according to experts.
Apple takes a strong and public position in favor of protecting its users' privacy. The highest profile example of this is perhaps the company's standoff in January with the FBI over its insistence that data be encrypted on iOS devices at rest, regardless of the owner or reasons for a government's requests to override those protections. (In that case, the intelligence agency wanted access to an alleged terrorist's personal device to scrape it for evidence and other information.)
What is App Transport Security?
App Transport Security requires mobile apps to encrypt data in transit using HTTPS, thereby encrypting all data that is transported across the network via iOS devices, according to Robbie Forkish, vice president of engineering at Appthority, a mobile risk analysis firm that also sells assessment services for mobile devices, apps and APIs.
"To give you additional time to prepare, this deadline has been extended and we will provide another update when a new deadline is confirmed," Apple wrote Wednesday evening in a brief note to developers.
The company originally introduced App Transport Security in iOS 9 in September 2015 but uptake has been tepid. Appthority earlier this month concluded in a report that just 3 percent of the top 200 iOS apps installed on enterprise devices worldwide meet Apple's security mandate. During the three weeks since that research was published, four additional apps added support for App Transport Security. "That takes the percentage from 3 percent to 5 percent," Forkish says. "Obviously there's a huge gap between having all the apps comply."
Why Apple wants stronger iOS app encryption
Apple is pushing for the security tech to be adopted throughout the app ecosystem, following a trend that began a few years ago when HTTPS became the default in browsers, according to Forkish. "An increasing number of percentages across the web are now fully encrypted end to end," he says. "There's this gap where the majority of apps, in communicating with their backend servers, do so unencrypted. That kind of stands out now as an insecure part of the overall ecosystem."
Enterprises should be concerned about this gap in security, and CIOs who have relied on Apple to provide necessary security are realizing that strategy is no longer viable, if it ever was, according to Forkish. CIOs need to be aware of the apps that don't support App Transport Security and seek out alternatives that provide the same productivity functions but in a more secure manner, he says.