In July 2016, at WWDC, Apple announced that apps submitted to the App Store would be required to support App Transport Security (ATS) by January 1, 2017. As that deadline neared, Appthority researched the state of enterprise apps’ ATS support and found that only 3% of enterprise apps supported ATS with no exceptions. As we noted earlier this month, there was a huge gap to close and not much time to do so if all apps are to fully support ATS by the new year.
Apple announced last night that the ATS deadline has been extended, with no new target date specified. The announcement was made in the developer’s forum, and stated that the reason was to “give you additional time to prepare.”
As of now, December 22, the 3% readiness figure has grown to only 5%. We assume that Apple, too, realized that an unacceptably high number of apps would fail to meet the ATS deadline unless it was extended.
It’s curious that Apple did not provide a new date for compliance. Has the goal of achieving a higher level of security for app transport been delayed, or abandoned? We might have expected a new deadline if Apple was merely delaying the date by which ATS support is required. Even if the goal of full ATS support has not been abandoned, we’re unlikely to see it come to pass anytime soon.
At Appthority, we’ve always applauded Apple’s stance on privacy and encryption. We assume they wouldn’t have removed their January 1 mandate unless they were convinced that developers were unable or unwilling to meet that deadline. It’s also possible that Apple determined that vetting apps against the stronger ATS requirement would add delays to the App Store approval process, something that Apple has worked to improve in the past 18 months. Nonetheless, we find it disappointing that the iOS community is failing to take this important step in app transport security.
In light of this new development, we recommend that enterprises track the state of apps’ ATS compliance and consider alternatives to apps that access sensitive corporate data and don’t secure their network connections using ATS. We further recommend that enterprises select apps that employ certificate pinning, so as to proactively avoid man-in-the-middle (MiTM) attacks. And check back at Appthority’s Mobile Threat Blog, as we’ll continue to monitor updates regarding App Store ATS requirements.
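One way to track ATS exceptions per app, shown as an added example (not Appthority's tooling): the script reads an app's Info.plist and lists every ATS exception it declares. The function name `audit_ats` and the sample plist are constructed for illustration; the `NSAppTransportSecurity` keys are Apple's documented ones.

```python
import plistlib

# Global ATS keys that relax the default policy when set to true.
GLOBAL_KEYS = (
    "NSAllowsArbitraryLoads",
    "NSAllowsArbitraryLoadsInWebContent",
    "NSAllowsArbitraryLoadsForMedia",
    "NSAllowsLocalNetworking",
)
WEAK_TLS = {"TLSv1.0", "TLSv1.1"}  # below the ATS default of TLSv1.2


def audit_ats(plist_bytes):
    """Return a sorted list of ATS exceptions declared in an Info.plist."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity") or {}
    findings = [f"global: {k}" for k in GLOBAL_KEYS if ats.get(k) is True]
    for domain, cfg in (ats.get("NSExceptionDomains") or {}).items():
        if cfg.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            findings.append(f"{domain}: cleartext HTTP allowed")
        tls = cfg.get("NSExceptionMinimumTLSVersion")
        if tls in WEAK_TLS:
            findings.append(f"{domain}: minimum TLS lowered to {tls}")
        if cfg.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(f"{domain}: forward secrecy not required")
    return sorted(findings)


# Constructed sample Info.plist (not taken from any real app).
SAMPLE_INFO_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.constructed",
    "NSAppTransportSecurity": {
        "NSAllowsArbitraryLoadsInWebContent": True,
        "NSExceptionDomains": {
            "legacy.example.com": {
                "NSExceptionAllowsInsecureHTTPLoads": True,
                "NSExceptionMinimumTLSVersion": "TLSv1.0",
            },
            "cdn.example.com": {"NSExceptionRequiresForwardSecrecy": False},
        },
    },
})

if __name__ == "__main__":
    for finding in audit_ats(SAMPLE_INFO_PLIST):
        print(finding)
```

An empty result means the app declares no ATS exceptions; it says nothing about certificate pinning, which has to be assessed separately.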
Image Credit: PHOTO: GABRIELLE LURIE/AFP/GETTY IMAGES