Light Dark
December 8, 2016 By Larry Loeb 2 min read

App Transport Security (ATS) is a method Apple uses to describe an app’s network security posture. It takes many factors and elements into account, such as HTTPS, Transport Layer Security (TLS), Perfect Forward Secrecy (PFS) and Certificate Transparency.

Apple stated several times at this year’s World Wide Developer’s Conference that it would enforce compliance with this standard at the beginning of 2017, even though it had been enabled by default since the days of iOS 9. The company also plans to begin reviewing non-ATS apps in its official App Store.

Companies Not Ready for App Transport Security

However, security firm Appthority conducted an analysis of the top 200 iOS apps found on enterprise devices and found that the industry has a long, long way to go when it comes to full compliance with ATS.

According to the study, 97 percent of the apps examined had used an exception in operation or other, less restrictive settings that could weaken the default ATS configuration. Additionally, 57 percent do not use ATS in any way, shape or form.

The idea behind ATS was to make apps communicate over the internet using encrypted HTTPS connections. Apple also wanted to force the use of strong encryption protocols and ciphers that had no known weaknesses. By providing the development community with the software to create these HTTPS connections, the tech giant hoped to avoid configuration errors that had routinely occurred with third-party solutions.

Apple’s Pipe Dream for 2017

HTTPS use has long been a sticking point for many popular apps. CSO Online reported that major apps such as Facebook, Facebook Messenger, Twitter, LinkedIn, Skype, Netflix, ESPN and more all use non-HTTPS communication.

These companies may have their reasons for putting off ATS. Apps talk not only to their own servers, but also to third-party advertising, market research, analytics and file hosting services. These external services may not allow HTTPS connections, but the program still needs to be able to communicate with them.

It seems that full ATS compliance by enterprise-worthy apps will not happen by the start of 2017. What Apple will do in response to this noncompliance remains to be seen.

 |  |  |  |  |  | 
Larry Loeb
Principal, PBC Enterprises

More from

May 6, 2024

Evolving red teaming for AI environments

2 min read - As AI becomes more ingrained in businesses and daily life, the importance of security grows more paramount. In fact, according to the IBM Institute for Business Value, 96% of executives say adopting generative AI (GenAI) makes a security breach likely in their organization in the next three years. Whether it’s a model performing unintended actions, generating misleading or harmful responses or revealing sensitive information, in the AI era security can no longer be an afterthought to innovation.AI red teaming is emerging…

May 3, 2024

What we can learn from the best collegiate cyber defenders

3 min read - This year marked the 19th season of the National Collegiate Cyber Defense Competition (NCCDC). For those unfamiliar, CCDC is a competition that puts student teams in charge of managing IT for a fictitious company as the network is undergoing a fundamental transformation. This year the challenge involved a common scenario: a merger. Ten finalist teams were tasked with managing IT infrastructure during this migrational period and, as an added bonus, the networks were simultaneously attacked by a group of red…

May 2, 2024

A spotlight on Akira ransomware from X-Force Incident Response and Threat Intelligence

7 min read - This article was made possible thanks to contributions from Aaron Gdanski.IBM X-Force Incident Response and Threat Intelligence teams have investigated several Akira ransomware attacks since this threat actor group emerged in March 2023. This blog will share X-Force’s unique perspective on Akira gained while observing the threat actors behind this ransomware, including commands used to deploy the ransomware, active exploitation of CVE-2023-20269 and analysis of the ransomware binary.The Akira ransomware group has gained notoriety in the current cybersecurity landscape, underscored…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature