Apple Backtracks on 2017 Mandate for HTTPS-Only Apps

At its 2016 Worldwide Developers Conference, Apple issued a mandate requiring developers of all iOS and OS X applications in Apple’s App Store to adopt ATS, or App Transport Security. Built around HTTPS, the requirement was meant to improve the security of apps’ network connections. The deadline was set for December 31st, 2016. Now, Apple has delayed the deadline to an unspecified date.

Introduced in 2015, App Transport Security (ATS) is a stronger security standard for networking in the Apple ecosystem. It is enabled by default in both iOS, Apple’s mobile operating system, and OS X, its desktop and laptop operating system.

Essentially, ATS ensures that applications do not load resources over plain HTTP, a legacy, unencrypted connection standard that eavesdropping hackers can exploit. Instead, ATS ensures that resources are loaded over HTTPS.

Apple heralded ATS as an essential networking security feature.

“It improves privacy and data integrity by ensuring your app’s network connections employ only industry-standard protocols and ciphers without known weaknesses,” an Apple developer release read. “This helps instill user trust that your app does not accidentally leak transmitted data to malicious parties.”

However, a newly released note to developers extends the deadline. While the reasons aren’t stated, it’s almost certainly because not all developers behind the hundreds of thousands of apps in the App Store, and perhaps not even a majority, have switched over to ATS.

The brief note, in its entirety, read:

App Transport Security (ATS), introduced in iOS 9 and OS X v10.11, improves user security and privacy by requiring apps to use secure network connections over HTTPS. At WWDC 2016 we announced that apps submitted to the App Store will be required to support ATS at the end of the year. To give you additional time to prepare, this deadline has been extended and we will provide another update when a new deadline is confirmed.

Software giants like Apple and Google are making a marked effort to push developers toward adopting and enabling HTTPS-only websites. Recently, the UK government’s websites switched over to HTTPS. Popular website Reddit also switched over to an HTTPS-only standard.
