App developers not ready for iOS transport security requirements

Many iOS apps opt out of Apple's App Transport Security (ATS) feature or deliberately weaken it

A month before Apple is expected to enforce stricter security requirements for app communications in iOS, enterprise developers don't seem ready to embrace them, a new study shows.

The study was performed by security firm Appthority on the most common 200 apps installed on iOS devices in enterprise environments. The researchers looked at how well these apps conform to Apple's App Transport Security (ATS) requirements.

ATS was first introduced and was enabled by default in iOS 9. It forces all apps to communicate with Internet servers using encrypted HTTPS (HTTP over SSL/TLS) connections and ensures that only industry-standard encryption protocols and ciphers without known weaknesses are used. For example, SSL version 3 is not allowed and neither is the RC4 stream cipher, due to known vulnerabilities.

Before ATS, app developers implemented HTTPS using third-party frameworks, but configuring SSL/TLS properly is hard so implementation errors were common. These weakened the protection that the protocol is supposed to provide against traffic snooping and other man-in-the-middle attacks.

Currently iOS provides a method for apps to opt out of ATS entirely or to use it only for specific connections, but Apple wants to change that. At its Worldwide Developers’ Conference in June, the company announced that it will require all apps published on the App Store to turn on ATS by the end of this year.

The requirement won't be enforced at the OS level, but through the App Store review process. Using some of the ATS exceptions will still be possible, but developers will have to provide a "reasonable justification" for using them if they want their apps to be approved.

During their study, the Appthority researchers found that 97 percent of the analyzed apps -- 193 out of 200 -- used exceptions and other settings that weakened the default ATS configuration.

"Among the top 200 iOS apps that we analyzed, 166 apps (83 percent) bypass at least some ATS requirements by setting 'NSAllowsArbitraryLoads' attribute to 'true' in their Info.plist files," the Appthority researchers said in their report. "However, not all of them bypass ATS requirements for all network connections. For instance, a company can still support ATS requirements for network connections with its domain, while allowing ATS to bypass all other connections."

Among the apps that didn't use HTTPS for all of their connections were popular ones like Facebook, Twitter, LinkedIn, Facebook Messenger, Skype, Viber, WhatsApp, Fox News, CNN, BBC, Netflix, ESPN, Hulu, Pandora, Amazon Cloud Player, Word, Excel, PowerPoint, and OneNote, but also utility apps like Flashlight, QR code readers and games.

While it could be argued that some connections don't need HTTPS because they aren't used to transfer sensitive data, the Appthority researchers found 10 applications that did send device IDs, email addresses, physical addresses, zip codes, geolocation information and even passwords or secret keys over unencrypted HTTP links.

There are many reasons why developers can't turn on ATS for all connections and are likely to request ATS exceptions during the app review process. For example, many apps don't talk only to their developers' servers, but also to third-party advertising, market research, analytics and image or video hosting services. The use of HTTPS on these external services are out of app developers' control.

ATS provides fine-grained exceptions like "NSAllowsArbitraryLoadsInMedia," which can, for example, be used to allow the streaming of video or audio content over HTTP, while encrypting all other connections.

However, based on Appthority's analysis, it seems that so far developers have preferred using the more generic “NSAllowsArbitraryLoads” which disables ATS for all connections, when dealing with such problems.

The company didn't find any app that used the "NSAllowsArbitraryLoadsInMedia" or the "NSAllowsArbitraryLoadsInWebContent" attributes to limit the scope of ATS exceptions. It hopes that Apple's new requirements will change that.

Many apps that do use ATS disable some of its security features. For example, none of the apps analyzed by Appthority used Certificate Transparency, which is available in ATS.

Furthermore, seven of them disabled SSL certificate validation and 46 didn't use certificate pinning. Thirty-eight apps disabled Forward Secrecy and eight apps set the allowed TLS protocol version to 1.0 or 1.1, even though the secure default in ATS is TLS 1.2.

"We still expect iOS apps with unencrypted data in enterprise environments, even after January 1," the Appthority researchers said. "When Apple approves such apps for the App Store, there will still be the security risks associated with unencrypted data for some connections, so it’s important for enterprises to have visibility into and management of the risks related to apps with those exceptions."

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Cool Tech

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Breitling Superocean Heritage Chronographe 44

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?