Chris Dzombak

Nobody is using App Transport Security; what’s next?

Update, January 2016: I gave a talk on App Transport Security: “App Transport Security: What, Why, How?”

I did an informal survey yesterday of some widely-used iOS apps, which happen to appear on my phone, that have been updated for iOS 9. I wanted to see which had opted out of the new App Transport Security checks in iOS 9.

The results aren’t very promising:

Tumblr (4.5) is the only app I checked which uses ATS properly: they opt out of ATS for user-generated content but enforce it for their own domains.

What is App Transport Security? Why is it important?

App Transport Security is a networking feature built into iOS 9 and OS X 10.11 and applied to apps built against the iOS 9 or OS X 10.11 SDK. It disallows:

This is important because, as we now know, surveillance and man-in-the-middle interception are pervasive on today’s Internet. Encrypting everything, even nonsensitive data, is now the best practice: if only sensitive traffic is encrypted, that traffic stands out on the wire and is easily identified as a target.

ATS pushes developers and companies toward HTTPS, and for those already using HTTPS it enforces current best practices for the connection itself (a current TLS version, forward-secrecy cipher suites, and certificates with strong signatures and keys). An HTTPS deployment that ignores those practices gives a false sense of security: the connection looks encrypted, but your users are still exposed.

Apps which opt out of ATS for their own communications—including but not limited to those I’ve listed above—are explicitly opting out of security checks which would enforce currently accepted best practices. They’re exposing their users to unnecessary security risks, and giving them a false sense of security.

Surely App X has a reasonable justification for opting out entirely.

Wrong.

Many of the apps listed above have web views that may display any web page, so they genuinely need to load arbitrary HTTP content. But it is possible, as Tumblr has done, to opt out of ATS in general (NSAllowsArbitraryLoads) while still listing the domains the app’s developer controls under NSExceptionDomains, so that ATS keeps enforcing best practices for those domains.

Tumblr is the only app I checked which does this; Dropbox, 1Password, OneNote and others should, but apparently don’t care enough about their users’ security.
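The Tumblr-style configuration described above can be checked mechanically rather than by eyeballing each app's Info.plist. The script below is an added example (it is not the author's survey tooling, and none of the plists in it are Tumblr's or any other real app's): it reads an Info.plist with the standard-library plistlib module and classifies the app as ATS-enforced, a blanket opt-out, an opt-out with own-domain enforcement, or enforced with per-domain exceptions. It relies on the documented iOS 9 semantics that NSAllowsArbitraryLoads disables ATS globally while every domain listed under NSExceptionDomains follows its own entry, whose keys default to the ATS-enforcing values. The domains (example.com, legacy-api.example.net) and the sample plists are constructed for illustration.

```python
"""Classify an iOS 9 app's App Transport Security posture from its Info.plist.

Added example, not the author's survey tooling; the plists at the bottom are
constructed samples, not copied from Tumblr or any other app. Semantics follow
Apple's iOS 9 documentation: NSAllowsArbitraryLoads=YES disables ATS globally,
but a domain listed under NSExceptionDomains is governed only by its own entry,
whose keys default to enforcing values (no plaintext HTTP, forward secrecy, TLS 1.2).
"""
import plistlib

TLS_ORDER = {"TLSv1.0": 0, "TLSv1.1": 1, "TLSv1.2": 2, "TLSv1.3": 3}
# The iOS 9.0 SDK shipped these keys as NSTemporaryException*; the
# NSThirdPartyException* spellings are for domains the developer does not own.
_PREFIXES = ("NSException", "NSTemporaryException",
             "NSThirdPartyException", "NSTemporaryThirdPartyException")


def _exception_key(entry, suffix):
    """Return an exception-domain key's value under any accepted spelling."""
    for prefix in _PREFIXES:
        if prefix + suffix in entry:
            return entry[prefix + suffix]
    return None


def relaxed_requirements(entry):
    """List the ATS requirements one NSExceptionDomains entry switches off.
    An empty list means the entry keeps (or re-enables) full ATS for the domain."""
    relaxed = []
    if _exception_key(entry, "AllowsInsecureHTTPLoads") is True:
        relaxed.append("plaintext HTTP allowed")
    if _exception_key(entry, "RequiresForwardSecrecy") is False:
        relaxed.append("forward secrecy not required")
    min_tls = _exception_key(entry, "MinimumTLSVersion")
    if min_tls is not None and TLS_ORDER.get(min_tls, -1) < TLS_ORDER["TLSv1.2"]:
        relaxed.append("TLS below 1.2 allowed (%s)" % min_tls)
    return relaxed


def classify_ats(info_plist_bytes):
    """Parse an Info.plist (XML or binary) and summarise its ATS configuration."""
    ats = plistlib.loads(info_plist_bytes).get("NSAppTransportSecurity")
    result = {"global_opt_out": False, "domains": {},
              "enforced_domains": [], "relaxed_domains": []}
    if isinstance(ats, dict):
        result["global_opt_out"] = ats.get("NSAllowsArbitraryLoads") is True
        for domain, entry in (ats.get("NSExceptionDomains") or {}).items():
            relaxed = relaxed_requirements(entry)
            result["domains"][domain] = {
                "relaxed": relaxed,
                "includes_subdomains": entry.get("NSIncludesSubdomains") is True}
            bucket = "relaxed_domains" if relaxed else "enforced_domains"
            result[bucket].append(domain)
    result["enforced_domains"].sort()
    result["relaxed_domains"].sort()
    if result["global_opt_out"]:  # opted out everywhere except listed domains
        result["verdict"] = ("opt-out with own-domain enforcement"
                             if result["enforced_domains"] else "blanket opt-out")
    else:  # ATS on by default; a listed domain can only weaken it
        result["verdict"] = ("enforced with per-domain exceptions"
                             if result["relaxed_domains"] else "enforced")
    return result


def _plist(ats_xml):
    """Wrap a constructed NSAppTransportSecurity fragment in a minimal Info.plist."""
    return (b'<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0"><dict>'
            b'<key>CFBundleIdentifier</key><string>com.example.sample</string>'
            + ats_xml + b'</dict></plist>')


# Constructed samples (hypothetical domains, not any real app's plist).
ATS_DEFAULT = _plist(b"")  # no NSAppTransportSecurity key at all
BLANKET_OPT_OUT = _plist(b"""<key>NSAppTransportSecurity</key><dict>
  <key>NSAllowsArbitraryLoads</key><true/></dict>""")
OWN_DOMAIN_ENFORCED = _plist(b"""<key>NSAppTransportSecurity</key><dict>
  <key>NSAllowsArbitraryLoads</key><true/>
  <key>NSExceptionDomains</key><dict>
    <key>example.com</key><dict>
      <key>NSIncludesSubdomains</key><true/>
      <key>NSExceptionAllowsInsecureHTTPLoads</key><false/>
      <key>NSExceptionRequiresForwardSecrecy</key><true/>
      <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.2</string>
    </dict></dict></dict>""")
PER_DOMAIN_RELAXED = _plist(b"""<key>NSAppTransportSecurity</key><dict>
  <key>NSExceptionDomains</key><dict>
    <key>legacy-api.example.net</key><dict>
      <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key><true/>
      <key>NSTemporaryExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
    </dict></dict></dict>""")

if __name__ == "__main__":
    for name, blob in [("default", ATS_DEFAULT), ("blanket", BLANKET_OPT_OUT),
                       ("own-domain", OWN_DOMAIN_ENFORCED),
                       ("per-domain", PER_DOMAIN_RELAXED)]:
        r = classify_ats(blob)
        print("%-11s %-38s relaxed=%s" % (name, r["verdict"], r["relaxed_domains"]))
```

To survey a real app, unzip its .ipa and pass the bytes of Payload/*.app/Info.plist to classify_ats; plistlib reads the binary plist format App Store builds ship with, so no plutil conversion is needed. The "own-domain" sample is the shape to aim for: the blanket opt-out covers the web view, while the developer's own domain is re-listed with the default (enforcing) values so ATS still checks it.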

What’s next?

I hope and expect that next year, in conjunction with the next major versions of iOS and OS X, Apple will start making developers justify ATS opt-outs during the App Review process. I fully expect that blanket opt-outs will become cause for app rejection, and as a security-conscious iOS user I can’t wait for that day.

As always, I welcome discussion and feedback; I’m @cdzombak on Twitter.