Light Dark
December 8, 2016 By Larry Loeb 2 min read

App Transport Security (ATS) is a method Apple uses to describe an app’s network security posture. It takes many factors and elements into account, such as HTTPS, Transport Layer Security (TLS), Perfect Forward Secrecy (PFS) and Certificate Transparency.

Apple stated several times at this year’s World Wide Developer’s Conference that it would enforce compliance with this standard at the beginning of 2017, even though it had been enabled by default since the days of iOS 9. The company also plans to begin reviewing non-ATS apps in its official App Store.

Companies Not Ready for App Transport Security

However, security firm Appthority conducted an analysis of the top 200 iOS apps found on enterprise devices and found that the industry has a long, long way to go when it comes to full compliance with ATS.

According to the study, 97 percent of the apps examined had used an exception in operation or other, less restrictive settings that could weaken the default ATS configuration. Additionally, 57 percent do not use ATS in any way, shape or form.

The idea behind ATS was to make apps communicate over the internet using encrypted HTTPS connections. Apple also wanted to force the use of strong encryption protocols and ciphers that had no known weaknesses. By providing the development community with the software to create these HTTPS connections, the tech giant hoped to avoid configuration errors that had routinely occurred with third-party solutions.

Apple’s Pipe Dream for 2017

HTTPS use has long been a sticking point for many popular apps. CSO Online reported that major apps such as Facebook, Facebook Messenger, Twitter, LinkedIn, Skype, Netflix, ESPN and more all use non-HTTPS communication.

These companies may have their reasons for putting off ATS. Apps talk not only to their own servers, but also to third-party advertising, market research, analytics and file hosting services. These external services may not allow HTTPS connections, but the program still needs to be able to communicate with them.

It seems that full ATS compliance by enterprise-worthy apps will not happen by the start of 2017. What Apple will do in response to this noncompliance remains to be seen.

 |  |  |  |  |  | 
Larry Loeb
Principal, PBC Enterprises

More from

March 18, 2025

Bypassing Windows Defender Application Control with Loki C2

10 min read - Windows Defender Application Control (WDAC) is a security solution that restricts execution to trusted software. Since it is classified as a security boundary, Microsoft offers bug bounty payouts for qualifying bypasses, making it an active and competitive field of research.Typical outcomes of a WDAC bypass bug bounty submission:Bypass is fixed; possible bounty awardedBypass is not fixed but instead "mitigated" by being added to the WDAC recommended block list. Likely no bounty awarded but honorable mention is typically givenBypass is not…

March 4, 2025

FYSA — VMware Critical Vulnerabilities Patched

< 1 min read - SummaryBroadcom has released a security bulletin, VMSA-2025-0004, addressing and remediating three vulnerabilities that, if exploited, could lead to system compromise. Products affected include vCenter Server, vRealize Operations Manager, and vCloud Director.Threat TopographyThreat Type: Critical VulnerabilitiesIndustry: VirtualizationGeolocation: GlobalOverviewX-Force Incident Command is monitoring activity surrounding Broadcom’s Security Bulletin (VMSA-2025-0004) for three potentially critical vulnerabilities in VMware products. These vulnerabilities, identified as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, have reportedly been exploited in attacks. X-Force has not been able to validate those claims. The vulnerabilities…

February 21, 2025

SoaPy: Stealthy enumeration of Active Directory environments through ADWS

10 min read - Introduction Over time, both targeted and large-scale enumeration of Active Directory (AD) environments have become increasingly detected due to modern defensive solutions. During our internship at X-Force Red this past summer, we noticed FalconForce’s SOAPHound was becoming popular for enumerating Active Directory environments. This tool brought a new perspective to Active Directory enumeration by performing collection via Active Directory Web Services (ADWS) instead of directly through Lightweight Directory Access Protocol (LDAP) as other AD enumeration tools had in the past.…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2025 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature