Apple Pushing Developers Toward HTTPS Connections From Apps

Apple is encouraging developers who create apps for iOS to begin moving their apps to an HTTPS-only model as soon as possible in an effort to thwart eavesdropping on insecure, plaintext HTTP connections.

The move is yet one more sign that major Internet and technology companies are becoming ever more resistant to large-scale, passive surveillance of their users. Many companies, including Google, Microsoft, Yahoo, and others, have been moving their Web services to HTTPS by default over the last couple of years. This movement has sped up since the disclosures about the National Security Agency’s methods for eavesdropping on the Internet backbone and various services began in 2013.

Even the federal government is getting in on the act. On Monday, Tony Scott, the federal CIO, announced that all federal agencies must move their public Web sites and services to HTTPS-only by Dec. 31, 2016.

Now, Apple is nudging its huge community of mobile app developers in the same direction. The company’s Worldwide Developer Conference is going on this week, and as part of the upcoming release of iOS 9, Apple published some guidance about the changes in the new operating system. Part of that guidance explains the inclusion of App Transport Security (ATS), a feature that allows developers to force secure connections to specific domains from their apps.

“App Transport Security (ATS) lets an app add a declaration to its Info.plist file that specifies the domains with which it needs secure communication. ATS prevents accidental disclosure, provides secure default behavior, and is easy to adopt. You should adopt ATS as soon as possible, regardless of whether you’re creating a new app or updating an existing one,” Apple’s instructions say.

Apple is not making the use of ATS mandatory for developers right now, but given the way things are trending, that could be coming in the near future. For now, the company is encouraging developers to use ATS in all new and existing apps.

“If you’re developing a new app, you should use HTTPS exclusively. If you have an existing app, you should use HTTPS as much as you can right now, and create a plan for migrating the rest of your app as soon as possible,” the company said.
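For teams drawing up the migration plan Apple describes, the script below is an added example, not code from Apple or from the article. It reads an app's Info.plist and lists every ATS declaration that still permits plaintext HTTP or a TLS version below the ATS default of 1.2. The key names come from Apple's ATS documentation rather than from the article, and the sample plist and its example.com domains are constructed.

```python
import plistlib

# Constructed sample Info.plist for a hypothetical app mid-migration to HTTPS.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy-cdn.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSIncludesSubdomains</key><true/>
      </dict>
      <key>api.example.com</key>
      <dict>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>"""

def audit_ats(plist_bytes):
    """Return (domain, finding) pairs for ATS settings that weaken transport security."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    # A global opt-out overrides the secure default for every host.
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append(("*", "ATS disabled globally: plaintext HTTP allowed to any host"))
    for domain, cfg in sorted(ats.get("NSExceptionDomains", {}).items()):
        scope = " and all subdomains" if cfg.get("NSIncludesSubdomains") else ""
        if cfg.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append((domain, "plaintext HTTP allowed" + scope))
        tls = cfg.get("NSExceptionMinimumTLSVersion")
        if tls in ("TLSv1.0", "TLSv1.1"):  # ATS default minimum is TLS 1.2
            findings.append((domain, "minimum TLS lowered to " + tls + scope))
    return findings

if __name__ == "__main__":
    for domain, finding in audit_ats(SAMPLE_PLIST):
        print(domain + ": " + finding)
```

Each finding is a domain that still needs server-side work before its exception can be deleted from the plist.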
