Thursday, June 16, 2016

Apple ramps up privacy...

...all iOS apps must encrypt web connections by year end
Apple is accelerating its push for encryption, mandating that all iOS apps enforce secure connections over the web by the end of 2016.

A year after rolling out App Transport Security (ATS) to enforce secure connections between apps and servers, Apple is moving to make the privacy feature mandatory.

All apps submitted to the App Store must enforce ATS by January 1, 2017, Apple revealed at a session at WWDC, according to TechCrunch.

ATS rolled out as a default feature of iOS 9 last year to ensure apps don't load resources "in the clear" over an HTTP connection, but rather only over the secure variant called HTTPS.

In ATS, traffic is encrypted with the Transport Layer Security (TLS) protocol version 1.2. ATS is also on by default in OS X 10.11.

The mandatory requirement for apps to enable ATS shifts the status quo. Apple currently recommends that new apps should use HTTPS exclusively, while existing apps should use HTTPS as much as possible. It also allowed developers to create exceptions to the rule and load resources over an insecure connection.

Apple notes in technical documents that ATS "prevents accidental disclosure, provides secure default behavior, and is easy to adopt".

It further warns that allowing an insecure connection to a server means that an attacker can see the media file a user is accessing, and that it opens the app up to more points of attack.

Google caused a stir last year after highlighting the method to create exceptions for connections to insecure domains. While Apple actually provided the same detail in its documentation, Google was criticized for appearing to put its advertising business ahead of consumer interests.

While HTTPS is usually linked with banking websites and signified as a secure connection in the URL bar, apps don't communicate whether a connection is secure. Additionally, past research has shown that even banks have had trouble implementing secure connections in their apps.

The new privacy requirement for iOS developers follows Apple's announcement that it will start using "differential privacy" as it collects more data about Apple users to improve automated suggestions for QuickType, emoji, Spotlight, and Lookup Hints in Notes.

Encryption and privacy are also headline features of Apple's newly-announced file management system, called Apple File System, or APFS, for iOS, OS X, tvOS and watchOS.

The system supports encryption natively rather than relying on the current FileVault application for full disk encryption. APFS enables either no encryption, single-key encryption, or multi-key encryption to protect data even when someone else has possession of the hardware.
