Showing posts with label App Transport Security. Show all posts

Sunday, 1 January 2017

Why App Transport Security Can’t Get Here Soon Enough

App Transport Security (ATS): Good for Security and Privacy

In practice, the change is more procedural than technical: By default, ATS is enabled for apps linked against iOS 9 and newer SDKs, though developers could disable it or create exemptions for specific domains or types of traffic. The announcement made in June 2016 during the annual Apple WWDC does not change the behavior or implementation but does create a new requirement for admission to the App Store. Previously, there was no penalty if an app developer chose to bypass security best practices. But when the new review procedures go into effect at the beginning of next year, apps that are submitted with ATS disabled will be rejected. Of course, developers can apply for exceptions but that process will almost certainly delay the approval process.

The policy is a security and privacy win for both consumers and enterprises because the new requirement will go a long way toward protecting data in transit. This is especially important considering mobile users are notorious for using whatever Wi-Fi hotspot is available to them (protected or otherwise) and since native mobile apps often lack the typical visual indicators present in web browsers to denote secure connectivity. As beneficial as ATS will be, it is unfortunately not a silver bullet. It’s important to note that the change affects only apps submitted for App Store review after January 1, 2017 and that apps without ATS submitted before the deadline will not be removed. For enterprises, especially those who rely on third-party developers, it’s also important to remember that in-house apps are not subject to the same policies and code reviews as App Store apps and may, therefore, not conform to best practices.

This is not to say that the mandate is a trivial change for developers. A cursory examination of developer forums reveals a great deal of reticence and confusion. Meanwhile, MobileIron partner Appthority recently published research suggesting that the overwhelming majority of apps disable ATS or permit insecure connections. These alarming statistics, combined with broader findings about the disappointing state of server-side security configurations (such as failing to address basic OWASP recommendations), echo the findings from the MobileIron 2Q2016 Mobile Security and Risk Review evincing a troubling, and continued, lack of basic security hygiene. Organizations shouldn’t wait to assess the state of their mobile apps.

ATS is a great step forward, but it’s only one part of a larger whole in cyber security that remains our shared responsibility. Take advantage of this important advancement but don’t forget to do your part too.

Source: AppTech News

Thursday, 22 December 2016

Apple Extends Developer Deadline for Mandatory App Transport Security Support

Apple on Wednesday informed developers that it has extended the deadline by which apps submitted to the various App Stores will be required to use App Transport Security (ATS), a standard introduced in iOS 9 and OS X 10.11.

According to Apple Developer, ATS, first introduced in iOS 9 and OS X v10.11, will no longer become mandatory for apps on 1 January 2017. Instead, Apple has decided to give developers "additional time to prepare" for the switch and so has extended the original deadline.
Although ATS is switched on by default in Apple's development toolset, developers currently have the option of deactivating the feature. During this year's Worldwide Developers Conference, however, the company said it would begin enforcing ATS support starting Jan. 1, 2017.

ATS is a feature of Apple's iOS and OS X operating systems that ensures applications do not load resources over plain HTTP connections, which are not secure and may be eavesdropped on by attackers. Instead, ATS requires that resources be loaded over HTTPS, a secure communication protocol, also used by services such as online banks and e-commerce websites, that encrypts data using Transport Layer Security (TLS).

Currently, ATS is enabled by default but app developers do have the option of disabling the feature.

Apple has not set a new deadline for developers to adopt ATS, saying only that developers will be updated when a new date is confirmed.

Source: Apple Developer

Sunday, 18 December 2016

Appthority warns only 3% of enterprise apps comply with upcoming Apple security mandate

Few iOS apps in enterprises meet Apple’s new security mandate

Apple is making a series of security changes for the new year – yet according to new research from Appthority, only 3% of enterprise apps are fully compliant with the new security mandate.

In June 2016, Apple announced that App Transport Security (ATS) will become a requirement for new App Store apps from 1 January 2017.

ATS, which was introduced in iOS 9, forces an app to connect to web services over an HTTPS connection rather than HTTP to keep data secure while in transit by encrypting it.

“Appthority researchers found that the majority of apps in the enterprise don’t fully utilize the best practices encryption standard, which should be a concern to enterprises,” said Robbie Forkish, vice-president of engineering at Appthority.

“The new ATS mandate only applies to new submissions to the App Store, and Apple will be allowing exceptions to ATS, so, while the requirement should strengthen data security, there will still be iOS apps not using data encryption in enterprise environments, even after 1 January 2017.

“For this reason, it’s incredibly important that businesses have visibility into, and management of, the risks related to apps with these exceptions, as they can put enterprise data at risk,” he said.

The research also revealed 55% of apps in use by enterprises allow the use of HTTP, instead of requiring HTTPS, while 83% had ATS disabled for all network connections and 26% had ATS disabled at a global level, with specific exceptions set up for domains.

According to Appthority, existing apps that do not comply with the ATS mandate will not be removed from the App Store, which means enterprises will have to continue to be vigilant about apps in their environments. Read more about the report here.

