What is App Transport Security (ATS)?

First introduced in iOS 9, App Transport Security closes a huge gap in user security and privacy by forcing mobile apps to use better security protocols when accessing data from the internet.

The biggest impact of ATS is that all internet connections in an iOS app must be HTTPS.

Requirements of ATS:

  • HTTPS connections
  • TLS 1.2 connections
  • Strong cryptography via ciphers like AES-128 & certificates signed with SHA-2
  • Forward secrecy

Why now?

Apple released iOS 9 in September of 2015, so why is this back in the news?

With the iOS 9 release, App Transport Security became a default setting. Apple still allowed developers to bypass the secure connection requirement, though. One line of code could configure an app to ignore ATS for specific sites or even all sites.

In June at WWDC 2016, Apple announced that all mobile apps approved for the App Store in 2017 would have to support ATS.

Any exceptions?

Developers can still create exemptions in their app, but they will have to provide a reasonable justification to get the app approved on the store.

What is a reasonable explanation? We’re early into the new ATS approval process, but some possible exceptions may include:

  • High cost to change the app backend
  • Apps that don’t transmit or receive any user information
  • Apps accessing 3rd party APIs that the developer does not control

Hold on, though…

Apple hoped that an early announcement would give developers enough time to transition their apps to ATS compliance.

But by the beginning of December 2016, a few weeks before the transition deadline, only 3% of the top 200 apps supported ATS requirements without any exceptions.

On 12/16/2016, Apple announced that they are extending the transition deadline to an unannounced date.

If you are an app owner or developer, don’t let this extension stop you from transitioning. ATS is an important security feature needed in the mobile industry. Apple will make ATS a requirement sooner rather than later.
