Apple ships a highly secure and effective technology in iOS, the operating system running on its iPhones. However, over two-thirds of the randomly selected apps that were scanned had the feature actively disabled. That such a large portion of the sampled apps does not use this secure, encrypted communications protocol is concerning from both a security and a privacy perspective.
A report published by the cyber-security firm Wandera has revealed some startling and concerning statistics about the way third-party iOS apps behave within Apple’s mobile operating system. The company reportedly scanned more than 30,000 iOS applications. The analysis revealed that 67.7 percent of the apps were intentionally disabling a default iOS security feature. Officially called App Transport Security (ATS), the feature is meant to ensure secure communication with any remote server.
ATS was first introduced in iOS 9. The feature debuted in September 2015 and has been present in every iOS version, and essentially every iPhone, since. Subsequently, at WWDC 2016, Apple confirmed it would make ATS support compulsory for all iOS apps starting January 2017. Strangely, Apple shelved the plan in December 2016, effectively allowing apps to bypass ATS if they so desired.
ATS is still included and enabled by default for all iOS apps. Essentially, ATS mandates the use of secure HTTPS connections. In other words, ATS can effectively block the non-secure but still quite common plain HTTP connections. Although HTTPS is now increasingly common and the majority of developers use it consistently, several HTTP-only servers remain operational and active.
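As an added example (not code from the article or from Wandera), the following Python script parses an app's Info.plist and reports the ATS opt-outs the report counts: the global `NSAllowsArbitraryLoads` switch, per-domain plain-HTTP exceptions, and the partial opt-out keys. Both plist documents are constructed samples, and `ads.example.net` is a placeholder domain.

```python
import plistlib

# Constructed sample Info.plist (not taken from the Wandera report): an app
# that switches ATS off globally and also carves out an HTTP exception domain.
OPTED_OUT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSAllowsArbitraryLoads</key>
        <true/>
        <key>NSExceptionDomains</key>
        <dict>
            <key>ads.example.net</key>
            <dict>
                <key>NSExceptionAllowsInsecureHTTPLoads</key>
                <true/>
            </dict>
        </dict>
    </dict>
</dict>
</plist>
"""

# Constructed sample of an app that leaves ATS at its default (no opt-out keys).
DEFAULT_PLIST = b'<?xml version="1.0"?><plist version="1.0"><dict/></plist>'

# Global keys that loosen ATS without switching it off for every host.
PARTIAL_OPTOUT_KEYS = ("NSAllowsArbitraryLoadsInWebContent",
                       "NSAllowsArbitraryLoadsForMedia", "NSAllowsLocalNetworking")


def ats_findings(plist_bytes: bytes) -> dict:
    """Summarise how an Info.plist weakens ATS: a global opt-out, per-domain
    plain-HTTP exceptions, and partial opt-outs for web views, media or LAN."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    domains = ats.get("NSExceptionDomains", {})
    return {
        "arbitrary_loads": bool(ats.get("NSAllowsArbitraryLoads", False)),
        "insecure_domains": sorted(
            d for d, cfg in domains.items()
            if cfg.get("NSExceptionAllowsInsecureHTTPLoads")),
        "partial_optouts": [k for k in PARTIAL_OPTOUT_KEYS if ats.get(k)],
    }


def ats_disabled(plist_bytes: bytes) -> bool:
    """True when the app opts out of ATS entirely (the case the report counts)."""
    return ats_findings(plist_bytes)["arbitrary_loads"]
```

Running `ats_findings` over the Info.plist of each app in an inventory gives the same kind of tally the report describes, and the per-domain list shows which hosts still receive plain-HTTP traffic even when the global switch is left alone.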
The most probable reason developers disable ATS support in their apps is to ensure that the majority of ad frameworks and ad networks work smoothly. Interestingly, several such brand and product promotion networks strongly suggest that iOS developers disable ATS inside their apps. Although Apple is actively working to ensure iOS is optimized for ad delivery within apps that rely on ad revenue, developers remain skeptical. Several claim that removing ‘roadblocks’ such as encryption requirements makes it a lot easier to incorporate ad networks.
Needless to say, paid apps routinely keep ATS enabled. This is simply because paid apps do not rely on advertising revenue, so their developers have no reason to disable ATS to keep ad earnings flowing. Incidentally, some paid apps do disable ATS. However, there too, developers merely wish to ensure that data delivery from both HTTP and HTTPS servers remains unhindered.