Apple starts clock on HTTPS app rule
You've got until the end of the year to tighten up security, devs
Apple says that iOS app developers will need to adopt HTTPS security before the year is out.
Speaking in a session (iOS or Safari required) at Apple's Worldwide Developers Conference, head of security engineering and architecture Ivan Krstić announced that effective at the end of this calendar year, Apple will mandate the use of App Transport Security (ATS).
"This means that by the end of 2016, when your apps communicate with server backends, they must do so using a secure TLS back-channel unless the data is bulk data such as media streaming, or data that is already encrypted," said Krstić.
"This is going to provide a great deal of real security for our users and the communication that your apps have over the network."
Apple released ATS last year and has made the tool accessible to apps since iOS 9.0. Cupertino says that many developers are already using the security tools.
Designed to prevent attackers from intercepting data traffic, ATS ensures that all HTTP connections made by an app use the secure TLS 1.2 protocol to encrypt data while in transit. Krstić listed ATS as a "best practice" that third-party developers should use, alongside other measures such as Touch ID authentication and maintaining updated API code.
Krstić said that secure apps are part of a multi-tier security approach at Apple, and function alongside built-in security protections such as the Secure Enclave, and strong security policies including widespread installation of OS updates by iPhone and iPad users.
The Apple security engineer credits his company's security approach as the reason iOS malware is all but unheard of in comparison to nefarious software found on competing Android devices.
Those protections have also brought Apple criticism from government and law enforcement agencies, most notably earlier this year when Cupertino engaged in a standoff with the FBI over its refusal to help investigators crack the iPhone used by one of the San Bernardino shooters.
Krstić made no mention of that event, but did credit the Secure Enclave components at the heart of the controversy with helping to keep all iPhone owners secure from attacks and surveillance. ®