In 2015, Apple introduced the App Transport Security (ATS) security feature in its newly released iOS 9 which supports iOS mobile app security testing. This enforces the rule that apps connect to the web over a secure https connection instead of an unsecured http connection. The use of https has is now mandatory whereas in the past many developers chose to bypass it and opt out. However, to ensure iOS app security, starting from 1st of January, 2017 the use of https will be enforced for new as well as old apps in Apple’s App Store.
The apps most affected by this change will be those that use content based on HTTP, such as audio and video content publishing websites. After iOS 10 was released, it was discovered that if an audio or video clip was viewed from an app and was insecurely transmitted, it could not be played. This goes on to show that Apple constantly strives to improve its iOS app security and has kept the security of customer information as its top most priority.
Shifting from HTTP to HTTPS is not an easy task and will take time. Organisations have to first install security certificate and audit website assets to check transmission through the new domain. The world’s largest news publication websites, The Los Angeles Times and The New York Times have not yet switched to HTTPS, hence their content will be inaccessible through mobile apps unless the apps declare their domains as exceptions. Large organisations in particular will require a tremendous effort to effectively plan for their iOS app security and to migrate and shift their content to HTTPS.
What needs to be done?
- As a developer of a new app, use HTTPS for network communication
- In case you already have an app running in the App Store, develop a team for auditing your app and migrate to HTTPS before the start of next year
- If your app connects to unsecured web services, declare those domains as exceptions till the time you are able to find a permanent alternate option
Codified Security is here to help make your mobile app secure whether it’s for iOS mobile app security testing, Android, or to make sure you’re clearing the OWASP Mobile Top 10. For mobile app security testing try out Codified Security.