Vast Majority of iOS Apps Fail to Meet Apple's Encryption Requirements

Developers of iOS apps have their work cut out for them as the New Year approaches, as only 3 percent of top apps implement Apple's mandated App Transport Security.

Apple App Security 2

Application developers for Apple’s iOS platform are running against an end-of-the-year deadline to encrypt all communications to and from iOS apps using the platform’s encryption standard, known as App Transport Security or ATS, mobile-app management firm Appthority said on Dec. 6.

So, far only 3 percent of apps currently seen in enterprise environments implement the mandated communications encryption, Appthority found in a recent analysis of its collected data. Another 55 percent of applications allow the use of ATS but do not require all data to use the communications-security protocol.

“As of Jan. 1, you need to have a good reason to have exceptions to the ATS implementation; otherwise the app will not be approved to go on the app store,” Robbie Forkish, Appthority’s vice president of engineering, told eWEEK. “As of today, there is still a lot of ground to cover.”

Appthority looked at the top-200 iOS applications detected by its system inside corporate networks to see how many encrypt their data. The company looked at both business and consumer apps that employees regularly use while at the workplace.

In June, Apple stated that it will refuse updates to any application that does not implement the security measure starting Jan. 1, 2017. In the past, developers have been able to mark their app as an exception, but Apple has said that it will require documented reasons for each exception.

Apple originally made the announcement at its Worldwide Developers Conference in June. In a presentation on “What’s New in Security,” Lucia Ballard, secure transports engineering manager for Apple, told attendees that the company wants to ensure customers’ data is secure.

“If you use your phone as much as I do, you know that it's accumulated an incredible wealth of detail about your personal life, and a lot of that comes across the network,” she said during her presentation.

“So, that's why we think at Apple (that) all of this detail should be protected by default. We think HTTPS is the new HTTP. So, for every resource you're loading across the network, you should provide confidentiality and data integrity to your users.”

While adding ATS to an existing app is not overly complicated, it does require that the developer audit the program and make sure that all third-party libraries and frameworks also use the data encryption.

In addition, iOS apps that pull data from other sources may not have the ability to make sure that those external servers adopt transport layer security (TLS), the encryption standard on which ATS is built.

Appthority’s Forkish worries that developers may keep delaying the update of their app, if they find supporting ATS is too difficult.

“So if I’m an app developer, and I’m either too busy to get around to doing an update or I think that it is too complicated and I don’t want to take … what should be a small, amount of time to understand how to implement ATS, one solution would be to just not update the app,” he said. “Apple is not going to be pulling apps off the app store. They are simply using this as a screen for allowing apps on the store.”

For its part, Apple is accepting reasonable justifications for why ATS cannot be implemented, such as a server from which an app is pulling data being out of the control of the developer. Yet, the company is recommending that developers take steps now.

In a response to developers in August, one Apple staff member told a forum of developers that they should audit their apps usage of HTTP and HTTPS, minimize the number of requested exceptions and keep notes of the reasons for those ATS exceptions.

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...