Google offers 'short term fix' to help ad publishers bypass Apple's iOS 9 security protocol

Posted:
in iPhone edited August 2015
Google on Thursday informed developers of a five-line bit of code crafted to sidestep Apple's upcoming App Transport Security encryption feature in iOS 9 by creating HTTPS exceptions, which could in some cases block mobile ads from appearing.




The workaround was published to Google's official Ads Developer Blog in a post titled "Handling App Transport Security in iOS 9," a reference to Apple's upcoming privacy tool.

Apple's ATS standard is built into iOS 9 to restrict insecure and potentially nefarious code served via HTTP from infiltrating the operating system. Developers whose apps are not yet ATS-compliant could see their mobile ads blocked as a result of this tightened security, which in turn poses a threat to Google's money-making ad business.

Google said it strives to meet industry standard protocols, but can't guarantee compliance from third-party ad networks or custom code served through its own systems. Therefore, the company proposes publishers add an exception that sidesteps Apple's ATS encryption requirement to allow incoming non-HTTPS connections.

"To ensure ads continue to serve on iOS9 devices for developers transitioning to HTTPS, the recommended short term fix is to add an exception that allows HTTP requests to succeed and non-secure content to load successfully," writes Tristan Emrich, a member of Google's Mobile Ads Developer Relations team.

As noted by Re/code, the Internet search giant apparently received some flak after issuing the instruction set. In an update, Google attempted to clear the air about its intentions, explaining the post was meant to "outline some options" for developers who had asked about resource changes expected to come into effect with iOS 9.

"To be clear, developers should only consider disabling ATS if other approaches to comply with ATS standards are unsuccessful. Apple has provided a tech note describing different approaches, including the ability to selectively enable ATS for a list of provided HTTPS sites," Emrich says.

Google still advocates for strong HTTPS protection, including ATS compliance, across its product line and is not suggesting against strong encryption. Indeed, the blog post notes developers should maintain ATS compliance on the backend or move over to the secure method as soon as possible.

Google is in a conundrum, as it still serves up a healthy supply of plain HTTP ads, proceeds of which are the company's lifeblood. In the end, it seems Google doesn't want its altruistic goals impinging on its bottom line.
«1345

Comments

  • Reply 1 of 81
    If true, how can Apple possibly allow Google to do something like this on its software!? What could Apple do other than to throw out Google altogether from iOS devices?

    (As a depressing aside, I have Ghostery on Mac OS web browser, and in the past few days, it has been blocking somewhere between 60-70 and sites/bots EVERY SINGLE time I go to the AppleInsider website. One of the worst sites in this regard.)
  • Reply 2 of 81

    bypassing security seems like something google knows quite a bit about.

  • Reply 3 of 81
    irelandireland Posts: 17,751member
    Don't be evil. Unless...

    An advertising company, but look, their logo looks like those colourful fridge magnets!
  • Reply 4 of 81
    iqatedoiqatedo Posts: 1,724member

    Google showing its true colours?

  • Reply 5 of 81
    sflocalsflocal Posts: 5,732member

    I finished reading Google's ATS handling.  It seems to only be limited apps that communicate using nonsecure HTTP connections.  I hate Google in general, but even their paper says that they want people to start upgrading their apps to use encrypted HTTPS connections, and if that is done, everything will be fine and no "workarounds" will be needed.  



    Am I missing something?  It's more like Google is telling app developers to update their apps to be more current and secure.

  • Reply 6 of 81

    A iOS 9/OS X 10.11 app wouldn't be able to reach AppleInsider either without bypassing ATS. Just tried it, https on the main site and forums is broken.

  • Reply 7 of 81
    Google did a similar thing before with safari on the Mac.

    Google sucks. That is all. They can spin it into good intentions all they want. It is still bad news.

    Apple needs to enter the search and web infrastructure business.

    Kill off this crap.
  • Reply 8 of 81
    nagrommenagromme Posts: 2,834member
    If this is a technique Apple expressly allows and even mentions in a tech note, then ideal or not, I surely don't blame Google for pointing some developers in that direction.
  • Reply 9 of 81

    If Google's ad business dies, they die.

  • Reply 10 of 81
    roakeroake Posts: 764member
    I wonder if Google yet realizes that the ghost of Steve Jobs has indeed gone thermonuclear.

    Not until they see the mushroom cloud, I suspect.
  • Reply 11 of 81
    jungmarkjungmark Posts: 6,869member
    Oh Google. At least you're supporting your actual customers. It just happens to be advertisers and not the common user.
  • Reply 12 of 81
    If true, how can Apple possibly allow Google to do something like this on its software!? What could Apple do other than to throw out Google altogether from iOS devices?

    (As a depressing aside, I have Ghostery on Mac OS web browser, and in the past few days, it has been blocking somewhere between 60-70 and sites/bots EVERY SINGLE time I go to the AppleInsider website. One of the worst sites in this regard.)

    Which filter set(s) do you have enabled? Just the recommended ones?
  • Reply 13 of 81
    ireland wrote: »
    Don't be evil. Unless...

    An advertising company, but look, their logo looks like those colourful fridge magnets!

    Bingo. Google is an advertisement auction service. That's how they turn a profit. The search engine is simply an outlet for serving up the ads.
  • Reply 14 of 81
    nagromme wrote: »
    If this is a technique Apple expressly allows and even mentions in a tech note, then ideal or not, I surely don't blame Google for pointing some developers in that direction.

    Thanks! Your response pushed me to read Google's blog post AND Apple's tech note.

    Disappointingly, the story is written to portray Google as purposely publishing an undocumented way to break iOS 9 security.

    Google's blog post was also poorly written.
  • Reply 15 of 81
    Google is simply telling developers how to bypass Apple's security in order to serve ads and malware.

    Shame on them.

    I look forward to installing an ad-blocker ASAP on my iOS devices. I would love to see Ghostery in IOS so now only can we block ads but trackers as well.
  • Reply 16 of 81
    iqatedoiqatedo Posts: 1,724member
    Quote:
    Originally Posted by IQatEdo View Post

     

    Google showing its true colours?


     

    Quote:
    Originally Posted by nagromme View Post



    If this is a technique Apple expressly allows and even mentions in a tech note, then ideal or not, I surely don't blame Google for pointing some developers in that direction.

     

    Quote:
    Originally Posted by leavingthebigG View Post





    Thanks! Your response pushed me to read Google's blog post AND Apple's tech note.



    Disappointingly, the story is written to portray Google as purposely publishing an undocumented way to break iOS 9 security.



    Google's blog post was also poorly written.



    Possibly quite innocent then?

  • Reply 17 of 81
    Googles business model is stealing and then selling information. They deserve to go out of business.
  • Reply 18 of 81
    thepixeldocthepixeldoc Posts: 2,257member
    jameskatt2 wrote: »
    Google is simply telling developers how to bypass Apple's security in order to serve ads and malware.

    Shame on them.

    I look forward to installing an ad-blocker ASAP on my iOS devices. I would love to see Ghostery in IOS so now only can we block ads but trackers as well.

    In just a few weeks I believe you'll have your wish:

    http://www.theappzine.com/news/crystal-ad-blocker-reduces-ios-9-bandwidth-usage-and-load-times-massive-scale

    Repercussion short list.... but as with everything, there's always a reaction to every action (or something like that):
    1. Many good points for Apple, not least of which that they may get more switchers to iPhone;
    2. *If* Crystal and other ad-blockers pick up the majority of iPhone users, how is the media going to react to this;
    3. in close relation to the above, how will assorted websites deal with the matter? Will they just say good bye to mobile ad revenue? Or will they put up content blockers of their own to get you to white-list their sites?

    *** The darnedest thing is that major Apple supporting websites like iMore and ... um... cough... this one.... have the worst performance in comparison to other tech-blogs, due to all of the ads and tracking scripts they use. :\
  • Reply 19 of 81
    tallest skiltallest skil Posts: 43,399member
    SUE THEM.


     


    SUE THEM OVER THIS.


     


    SUE THEM OVER THEIR SAFARI BREACH AGAIN.


     


    DESTROY THEM.

     

    Hardcode into iOS: “if Google, then refuse to load”. Remove their products from the App Store. MAKE THEM BLEED.

  • Reply 20 of 81
    cnocbuicnocbui Posts: 3,613member
    Quote:

    Originally Posted by jungmark View Post



    Oh Google. At least you're supporting your actual customers. It just happens to be advertisers and not the common user.



    When Apple gives away it's products for free, do let me know.

Sign In or Register to comment.