App makers not ready for Apple's new ATS rules

Networks Asia staff
09 Dec 2016
00:00

A month before Apple is expected to enforce stricter security requirements for app communications in iOS, enterprise developers are not ready for the changes, a new study indicates.

The study was performed by security firm Appthority on the 200 apps most commonly installed on iOS devices used within enterprise environments. The researchers looked at how closely these apps conform to Apple's App Transport Security (ATS) requirements.

The researchers found that 97% of the analyzed apps -- 193 out of 200 -- used exceptions and other settings that weakened the default ATS configuration.

ATS was introduced in iOS 9 (and OS X 10.11) and is enabled by default. It makes an app's connections to internet servers use HTTPS (HTTP over TLS) and restricts them to current protocol versions and cipher suites without known weaknesses: TLS 1.2 or later, cipher suites that provide forward secrecy, and server certificates signed with SHA-256 or stronger using RSA keys of at least 2048 bits or elliptic-curve keys of at least 256 bits. SSL version 3 and the RC4 stream cipher, for example, are rejected because of their known vulnerabilities. One caveat: ATS is enforced by the system's URL loading APIs (NSURLSession, NSURLConnection and the web views built on them), not by code that opens its own sockets or ships its own TLS stack.

Before ATS, whether an app used HTTPS at all, and how strictly its TLS was configured, was left to the developer and to whichever networking framework the app used. Configuring TLS properly is hard, so implementation errors were common, and they weakened the protection that the protocol is supposed to provide against traffic snooping and other man-in-the-middle attacks.

Currently iOS lets an app opt out of ATS entirely, or relax it only for specific domains, through keys in the NSAppTransportSecurity dictionary of its Info.plist, but Apple wants to change that. At its Worldwide Developers Conference in June, the company announced that it will require all apps published on the App Store to support ATS by the end of this year.

The requirement won't be enforced at the OS level, but through the App Store review process. Using some of the ATS exceptions will still be possible, but developers will have to provide a "reasonable justification" for using them if they want their apps to be approved.

"Among the top 200 iOS apps that we analyzed, 166 apps (83%) bypass at least some ATS requirements by setting the 'NSAllowsArbitraryLoads' attribute to 'true' in their Info.plist files," the Appthority researchers said in their report.

"However, not all of them bypass ATS requirements for all network connections. For instance, a company can still support ATS requirements for network connections with its domain, while allowing ATS to bypass all other connections."
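As an added example (it is not Appthority's analysis code and does not come from the original article), here is a small Python audit that reads an app's Info.plist and reports the NSAppTransportSecurity keys that relax ATS, separating the global NSAllowsArbitraryLoads opt-out from per-domain exceptions. The two plists it checks are constructed for the example, and the domain names in them are placeholders.

```python
"""Audit an iOS Info.plist for NSAppTransportSecurity settings that relax ATS.
Added example, not Appthority's tooling; the domains below are placeholders."""
import plistlib

# Constructed sample: ATS switched off globally, kept strict for the app's own
# API host, and relaxed even further for a legacy host.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.demo</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>api.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <false/>
        <key>NSExceptionMinimumTLSVersion</key>
        <string>TLSv1.2</string>
        <key>NSExceptionRequiresForwardSecrecy</key>
        <true/>
      </dict>
      <key>legacy.example.net</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <true/>
        <key>NSExceptionMinimumTLSVersion</key>
        <string>TLSv1.0</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Constructed sample with no ATS dictionary at all, so the iOS 9+ defaults apply.
STRICT_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.strict</string>
</dict>
</plist>
"""

# Top-level keys that turn ATS off for a whole class of connections.
GLOBAL_WEAKENERS = {
    "NSAllowsArbitraryLoads": "ATS off for every connection: plain HTTP and weak TLS accepted",
    "NSAllowsArbitraryLoadsInWebContent": "ATS off for content loaded in web views",
    "NSAllowsArbitraryLoadsForMedia": "ATS off for AVFoundation media loads",
    "NSAllowsLocalNetworking": "ATS off for local-network hosts",
}

# ATS's own floor is TLS 1.2; an exception naming anything lower is a weakening.
ACCEPTABLE_MIN_TLS = ("TLSv1.2", "TLSv1.3")


def audit_ats(plist_bytes):
    """Return (scope, key, detail) findings; scope is '*' for global keys or a domain."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    for key, detail in GLOBAL_WEAKENERS.items():
        if ats.get(key) is True:
            findings.append(("*", key, detail))
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        # A per-domain entry overrides the global setting for that domain in either
        # direction: it can keep ATS on despite NSAllowsArbitraryLoads, or relax it more.
        if rules.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            findings.append((domain, "NSExceptionAllowsInsecureHTTPLoads", "plain HTTP accepted"))
        min_tls = rules.get("NSExceptionMinimumTLSVersion")
        if min_tls is not None and min_tls not in ACCEPTABLE_MIN_TLS:
            findings.append((domain, "NSExceptionMinimumTLSVersion", f"minimum TLS lowered to {min_tls}"))
        if rules.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append((domain, "NSExceptionRequiresForwardSecrecy", "non-forward-secret cipher suites accepted"))
    return findings


def classify(plist_bytes):
    """'global bypass', 'partial bypass' or 'strict', the split the report draws."""
    findings = audit_ats(plist_bytes)
    if any(key == "NSAllowsArbitraryLoads" for _, key, _ in findings):
        return "global bypass"
    return "partial bypass" if findings else "strict"


if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_INFO_PLIST), ("strict", STRICT_INFO_PLIST)):
        print(f"{name}: {classify(blob)}")
        for scope, key, detail in audit_ats(blob):
            print(f"  [{scope}] {key}: {detail}")
```

Run it against the Info.plist extracted from an app bundle (plistlib also reads the binary form) to get the same split the report draws. Note what the sample shows: a domain listed under NSExceptionDomains with its own strict settings keeps ATS even though NSAllowsArbitraryLoads is true, which is exactly how an app can protect traffic to its own API while leaving every other connection unprotected.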

Apps that didn't use HTTPS for all of their connections include Facebook, Twitter, LinkedIn, Facebook Messenger, Skype, Viber, WhatsApp, Fox News, CNN, BBC, Netflix, ESPN, Hulu, Pandora, Amazon Cloud Player, Word, Excel, PowerPoint, and OneNote, but also utility apps like Flashlight, QR code readers and games.
