Apple extends developer deadline to support App Transport Security into 2017
Apple on Wednesday informed developers that it has extended the deadline by which apps submitted to the various App Stores will required to use App Transport Security, a standard introduced in iOS 9 and OS X 10.11.
According to a brief statement posted to Apple's Developer News website, the ATS implementation mandate has been pushed back to an as yet unannounced date in order to give app makers "additional time to prepare" their wares for support.
ATS debuted in 2015 as a method of improving security and privacy by forcing apps to transfer data through secure connections over HTTPS. Similar protocols are already employed by banks, internet service providers and other companies dealing with highly sensitive user data.
Although ATS is switched on by default in Apple's development toolset, developers currently have the option of deactivating the feature. During this year's Worldwide Developers Conference, however, the company said it would begin enforcing ATS support starting Jan. 1, 2017.
Apple's shift to ATS sparked a minor controversy in 2015 when Google publicized a technique of sidestepping the network security protocol. At the time, the search giant discovered ATS was inhibiting ads from displaying in certain mobile apps, so the company proposed a "short term fix" that involved inserting HTTPS exceptions into affected titles.
While the extra lines of code help Google serve up ads, and bring in ad money, the exceptions skirt Apple's recommended protections and inherently put end users at risk.
Apple has not announced an expected timeline for ATS integration, saying only that developers will be updated when a new deadline is confirmed.
According to a brief statement posted to Apple's Developer News website, the ATS implementation mandate has been pushed back to an as yet unannounced date in order to give app makers "additional time to prepare" their wares for support.
ATS debuted in 2015 as a method of improving security and privacy by forcing apps to transfer data through secure connections over HTTPS. Similar protocols are already employed by banks, internet service providers and other companies dealing with highly sensitive user data.
Although ATS is switched on by default in Apple's development toolset, developers currently have the option of deactivating the feature. During this year's Worldwide Developers Conference, however, the company said it would begin enforcing ATS support starting Jan. 1, 2017.
Apple's shift to ATS sparked a minor controversy in 2015 when Google publicized a technique of sidestepping the network security protocol. At the time, the search giant discovered ATS was inhibiting ads from displaying in certain mobile apps, so the company proposed a "short term fix" that involved inserting HTTPS exceptions into affected titles.
While the extra lines of code help Google serve up ads, and bring in ad money, the exceptions skirt Apple's recommended protections and inherently put end users at risk.
Apple has not announced an expected timeline for ATS integration, saying only that developers will be updated when a new deadline is confirmed.
Comments
Regarding Soli's suggestion to denote which apps enforce ATS, I think that's a great idea, shaming apps which don't enforce ATS - would you use a shopping or banking app which was highlighted by Apple as having less-than-perfect security? - rather than imposing a timeline.
The issue is, how to I set up SSL on a mobile device? I'm not even sure this is possible. So while I have added support for SSL throughout my app for remote web sites, I still can't meet the ATS requirements since the exception is required to maintain functionality.
So I've rushed out end-of-year releases to ensure that we have most of the SSL/ATS stuff taken care of, but will probably need to fight this battle with Apple later.