Last year, Apple issued a mandate calling for all iOS apps to incorporate App Transport Security, which requires apps to use HTTPS rather than HTTP, by Dec. 31. HTTPS encrypts data in transit and provides an obvious security benefit for applications.
But just before the end of the year, Apple abruptly extended the deadline without giving a reason, and didn't provide a new date. To say the least, this is somewhat worrisome news for enterprise CIOs managing fleets of iOS devices in a time marked by some of the most damaging hacks in recent memory.
Still, ATS had little uptake among iOS developers during the past six months, as CIO reports. Only about 5 percent of the top 200 iOS apps installed on enterprise devices had it installed by year's end.
Some Apple developers weren't very big fans of ATS when it was announced. Here are some typical comments from an Apple developer forum thread on the matter:
I am all for secure communications, but there are some times when it is simply not possible. I have an app that communicates with a physical satellite modem. That satellite modem is local to the wifi network and only exposes an HTTP connection. There is no way to connect to it securely. Is this app simply no longer possible?
I understand that security is important, but there are far too many services that still use HTTP. I have an app that pulls images from NOAA over an HTTP connection. I don't see them switching to HTTPS anytime soon. Without an exception my app would be useless.
While implementing ATS may cause legitimate inconveniences for some app developers, improving security would seem to trump those concerns. For one thing, transport security is a relatively easy measure to apply, says Constellation Research VP and principal analyst Steve Wilson. "What's hard is application security. Don't think meeting the Apple Transport mandate is 'problem solved.'"
ATS's slow uptake is telling, Wilson adds. "It speaks of security not being a priority for developers and the reason why is obvious," he says. "Developers are under so much pressure for functionality and release cycles and so security takes a back seat. It's absolutely appalling that we're letting that reality ride."
Enterprises need to make massive shifts in how they invest and prioritize security, and there's a right way to go about it, Wilson says: "Security is all about attention to detail and being painstaking. If you are a security person you need to keep pushing for more resources. It's not about money and heads, but time. Keeping up with the arms race is really time-consuming."
For example, only a small percentage of security professionals overall attend security conferences, where they can mingle with peers and hear the latest research from the field. "Going to Black Hat is not going to solve the problem, but it's an example of how if enterprises are not even going to let their security people stay up to date then you're giving the game away," Wilson says. "The investment I'm looking for is time and patience more than anything."