App Transport Security (ATS): Good for Security and Privacy
In practice, the change is more procedural than technical: by default, ATS is enabled for apps linked against the iOS 9 and newer SDKs, though developers could disable it or create exemptions for specific domains or types of traffic. The announcement made in June 2016 during the annual Apple WWDC does not change the behavior or implementation, but it does create a new requirement for admission to the App Store. Previously, there was no penalty if an app developer chose to bypass security best practices. But when the new review procedures go into effect at the beginning of next year, apps that are submitted with ATS disabled will be rejected. Developers can of course apply for exceptions, but doing so will almost certainly delay approval.
The policy is a security and privacy win for both consumers and enterprises because the new requirement will go a long way toward protecting data in transit. This is especially important considering that mobile users are notorious for using whatever Wi-Fi hotspot is available to them (protected or otherwise) and that native mobile apps often lack the visual indicators web browsers use to denote a secure connection. As beneficial as ATS will be, it is unfortunately not a silver bullet. It’s important to note that the change affects only apps submitted for App Store review after January 1, 2017, and that apps without ATS submitted before the deadline will not be removed. For enterprises, especially those that rely on third-party developers, it’s also important to remember that in-house apps are not subject to the same policies and code reviews as App Store apps and may, therefore, not conform to best practices.
This is not to say that the mandate is a trivial change for developers. A cursory examination of developer forums reveals a great deal of reticence and confusion. Meanwhile, MobileIron partner Appthority recently published research suggesting that the overwhelming majority of apps disable ATS or permit insecure connections. These alarming statistics, combined with broader findings about the disappointing state of server-side security configurations (such as failing to address basic OWASP recommendations), echo the findings from the MobileIron 2Q2016 Mobile Security and Risk Review, which showed a troubling, and continued, lack of basic security hygiene. Organizations shouldn’t wait to assess the state of their mobile apps.
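The ATS exemptions described above (disabling ATS globally or relaxing it for specific domains) live in the app’s Info.plist under the NSAppTransportSecurity dictionary. The following is an added example, not code from the original post or from MobileIron or Appthority, of how an enterprise could audit an extracted Info.plist for those weakening keys; the two sample plists are constructed for illustration and the domain names in them are placeholders.

```python
import plistlib

# Top-level keys that switch ATS off wholesale or for a class of traffic.
GLOBAL_WEAKENING = {
    "NSAllowsArbitraryLoads": "ATS disabled for all connections",
    "NSAllowsArbitraryLoadsInWebContent": "ATS disabled for web-view content",
    "NSAllowsArbitraryLoadsForMedia": "ATS disabled for media loads",
    "NSAllowsLocalNetworking": "plaintext allowed to local-network hosts",
}

def audit_ats(info_plist_bytes):
    """Return findings for ATS exemptions in an Info.plist; [] means defaults apply."""
    plist = plistlib.loads(info_plist_bytes)          # accepts XML or binary plists
    ats = plist.get("NSAppTransportSecurity") or {}
    findings = []
    for key, why in GLOBAL_WEAKENING.items():
        if ats.get(key) is True:
            findings.append(f"{key}: {why}")
    for domain, exc in ats.get("NSExceptionDomains", {}).items():
        scope = " (and subdomains)" if exc.get("NSIncludesSubdomains") else ""
        # First-party and third-party exception keys share the same suffixes.
        for prefix in ("NSException", "NSThirdPartyException"):
            if exc.get(prefix + "AllowsInsecureHTTPLoads") is True:
                findings.append(f"{domain}{scope}: plaintext HTTP permitted")
            tls = exc.get(prefix + "MinimumTLSVersion")
            if tls in ("TLSv1.0", "TLSv1.1"):
                findings.append(f"{domain}{scope}: minimum TLS lowered to {tls}")
            if exc.get(prefix + "RequiresForwardSecrecy") is False:
                findings.append(f"{domain}{scope}: forward secrecy not required")
    return findings

# Constructed sample: ATS switched off globally plus a broad legacy exemption.
WEAK_PLIST = b"""<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key><dict>
      <key>legacy.example.com</key><dict>
        <key>NSIncludesSubdomains</key><true/>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
      </dict></dict></dict></dict></plist>"""

# Constructed sample: one narrow exception that does not weaken anything.
STRICT_PLIST = b"""<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSExceptionDomains</key><dict>
      <key>api.example.com</key><dict>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.2</string>
      </dict></dict></dict></dict></plist>"""
```

Run `audit_ats()` over the Info.plist of each app in an enterprise catalog to get a quick inventory of which apps still rely on exemptions; an app with no NSAppTransportSecurity dictionary at all is on the iOS 9+ defaults.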
ATS is a great step forward, but it’s only one part of a larger whole in cyber security that remains our shared responsibility. Take advantage of this important advancement, but don’t forget to do your part too.
Source: AppTech News