How iOS App Transport Security (ATS) change will affect you
Referenced by: App Developer Magazine
Major changes are ahead for the mobile industry and, as usual, Apple holds the keys to all major requirements and changes. In 2015 Apple released iOS 9 and introduced the App Transport Security (ATS) security feature, which requires an app to connect to web services over a secure HTTPS connection rather than an HTTP connection. When this feature was released it was not mandatory, and many developers simply used exceptions to bypass the enforced default, thus opting out of ATS. What many iOS developers are not aware of is that on January 1, 2017, this security feature will not only be mandatory for all new submissions to the Apple store, it will also be a requirement for apps already published in the Apple store.
The iOS 10 ATS "Bug"
Keeping data and personal information secure has become an increasingly high priority for Apple, and while it is important to keep users' information private, there are far too many websites and APIs that still use HTTP and cannot make the change before the end of the year. Among the most affected apps will be those that consume content served over HTTP, such as major publications and websites that have audio and video content. Since the release of iOS 10, a significant "bug" has been discovered that seems to cause web audio and video content not to play when viewed from within an app if the content is transmitted insecurely.
For example, when a Facebook user scrolling through their newsfeed comes across a video posted by a TV network that they want to view, the user clicks on the video and nothing is displayed, because the TV network does not comply with ATS: its content is delivered over an HTTP connection. This is not only the case with Facebook. Any audio or video content you attempt to play that is pulled from the web will be automatically disabled or blocked because the resource load is insecure, unless the application has declared the source domain as an exception.
Media Encryption
The issue is that it takes hundreds of hours to switch a site from HTTP to HTTPS, as an organization has to acquire and install the security certificate and audit the assets linked to the website to make sure they are transmitted through the new domain. Two of the biggest news publications, The New York Times and the Los Angeles Times, have not made the switch to HTTPS, so their content will not be accessible through any mobile apps that have not declared their domains as exceptions. Organizations of this scale will require a tremendous amount of planning to efficiently and cost-effectively migrate all their content over to a secure protocol.
Petition for Exceptions
To clarify, there will be some exceptions to the mandatory ATS requirements; however, that does not mean that all of the previous exceptions will remain valid moving forward. Developers will need to provide reasonable justification for these exceptions and, as is usual with Apple, there is little transparency when it comes to the decision-making process. An exception for streaming media that is already encrypted in bulk may be granted through AVFoundation to allow it to load without a TLS connection. Additionally, a web content exception may be granted if your app loads arbitrary content from the web in a WKWebView; in that case you can set the key below to allow those loads and be exempt from the ATS requirements.
NSAppTransportSecurity : Dictionary {
    NSAllowsArbitraryLoads : Boolean
    NSAllowsArbitraryLoadsInWebContent : Boolean
}
While these exceptions are available, developers should not expect that they will always be available and should plan for the fact that Apple may reject the request for an exception.
What Can You Do?
- If you are developing a new mobile app, then you should use HTTPS for all network communication.
- If you have an app that has already been approved and is in the Apple Store, then you should dedicate a team to audit your current app, immediately migrate from HTTP to HTTPS, and adapt to the changes prior to the new year.
- If you have an app that connects to web services that are not secured, then you should declare their domains as exceptions in the application Info.plist as a short-term solution and begin to evaluate your options moving forward.
- If you have an app that is loading 3rd party content via HTTP, then you should work with the content providers to create an HTTPS endpoint to prevent any disruption in transmission and display.