All iOS applications will be required to use Secure HTTP by the end of this year, with a few exceptions
Apple is to require the use of secure communications for nearly all its iOS applications starting from the beginning of next year, the company announced at its developer conference.
The move extends Apple’s aggressive stance on encryption, which in recent months has seen it face off against the FBI in US court and publicly criticise draft UK legislation that would weaken such tools.
Apple, Google and others have placed more of an emphasis on encryption since revelations beginning in 2013 of the mass collection of communications data by the US government for surveillance purposes.
With iOS 9, released in March, Apple introduced a feature called App Transport Security (ATS) that, when in use, causes all unencrypted communications to fail. However, Apple initially gave developers the option of switching ATS off, acknowledging that in many cases the use of secure HTTP, or HTTPS, is not practical.
Now, however, the company has said it will require the use of ATS except in a few cases, with the change set to take place as of 1 January, 2017.
“By the end of 2016, when your apps communicate with your own server back ends, they must do so using a secure TLS channel using TLS 1.2, unless the data being communicated is bulk data such as media streaming and data that’s already encrypted,” Ivan Krstić, Apple’s head of security engineering and architecture, told an audience at the conference, which took place in San Francisco last week.
The change is a significant move for iOS developers, who will now be required to serve all data using HTTPS servers, which are considerably more expensive and complex to manage than those running standard HTTP, notably involving the purchase and administration of security certificates.
Google recently acknowledged this in providing code to developers that would switch ATS off in cases where advertisements using non-HTTPS networks would have failed to display.
“While Google remains committed to industry-wide adoption of HTTPS, there isn’t always full compliance on third party ad networks and custom creative code served via our systems,” Google stated at the time. “To ensure ads continue to serve on iOS9 devices for developers transitioning to HTTPS, the recommended short-term fix is to add an exception that allows HTTP requests to succeed and non-secure content to load successfully.”
Developers writing on Apple forums have questioned how the HTTPS requirement will affect low-cost, unencrypted servers and sites linked to hardware that can’t be made HTTPS-compliant or large public databases that are unlikely to meet the January deadline for encrypting their communications.
Computer security firm Sophos said even with exceptions in place, the move is likely to spur more encryption in applications for devices such as the iPad and the iPhone, increasing their security.
“A year from now, it seems highly likely that most modern mainstream iOS apps will be HTTPS-only,” wrote Sophos’ Bill Camarda in an advisory. “And that can only be good.”
Are you a security pro? Try our quiz!