WWDC 2016: Apple ramps up privacy - now all iOS apps must encrypt web connections by year end

Apple is accelerating its push for encryption, mandating that all iOS apps enforce secure connections over the web by the end of 2016.
Written by Liam Tung, Contributing Writer

A year after rolling out App Transport Security (ATS) to enforce secure connections between apps and servers, Apple is moving to make the privacy feature mandatory.

All apps submitted to the App Store must enforce ATS by January 1, 2017, Apple revealed at a session at WWDC, according to TechCrunch.

ATS rolled out as a default feature of iOS 9 last year to ensure apps don't load resources "in the clear" over an HTTP connection, but rather only over the secure variant called HTTPS.

In ATS, traffic is encrypted with the Transport Layer Security (TLS) protocol version 1.2. ATS is also on by default in OS X 10.11.

The mandatory requirement for apps to enable ATS shifts the status quo. Apple currently recommends that new apps should use HTTPS exclusively, while existing apps should use HTTPS as much as possible. It also allowed developers to create exceptions to the rule and load resources over an insecure connection.

Apple notes in technical documents that ATS "prevents accidental disclosure, provides secure default behavior, and is easy to adopt".

It further warns that allowing an insecure connection to a server means that an attacker can see the media file a user is accessing, and that it opens the app up to more points of attack.

Google caused a stir last year after highlighting the method to create exceptions for connections to insecure domains. While Apple actually provided the same detail in its documentation, Google was criticized for appearing to put its advertising business ahead of consumer interests.

While HTTPS is usually linked with banking websites and signified as a secure connection in the URL bar, apps don't communicate whether a connection is secure. Additionally, past research has shown that even banks have had trouble implementing secure connections in their apps.

The new privacy requirement for iOS developers follows Apple's announcement that it will start using "differential privacy" as it collects more data about Apple users to improve automated suggestions for QuickType, emoji, Spotlight, and Lookup Hints in Notes.

Encryption and privacy are also headline features of Apple's newly-announced file management system, called Apple File System, or APFS, for iOS, OS X, tvOS and watchOS.

The system supports encryption natively, rather than relying on the current FileVault application for full disk encryption. APFS enables either no encryption, single-key encryption, or multi-key encryption to protect data even when someone else has possession of the hardware.

As Apple notes, its existing file systems are decades old and were made for the era of floppy disks and spinning hard drives rather than today's much larger capacity solid-state drives.

And in an apparent nod to Apple's defiant stance towards government snooping, the company said: "There is now also a greater importance placed on keeping sensitive information secure and safe from prying eyes."
