The release of iOS 9 is around the corner and some of the biggest changes in Apple’s new mobile OS involve enhancing users’ security and privacy. One such feature is called App Transport Security (ATS), which by default requires that an app’s connections to Web-based services use HTTPS meeting Apple’s minimum TLS requirements rather than cleartext HTTP.
Apple says App Transport Security “is a feature that improves the security of connections between an app and Web services. The feature consists of default connection requirements that conform to best practices for secure connections. Apps can override this default behaviour and turn off transport security.”
The way things stand today, if developers using the Google Mobile Ads SDK enable ATS, it’s possible that many ads will not get served to users because the ad creatives are still loaded over HTTP, an insecure protocol that continues to carry the majority of Web traffic. Instead of encouraging – or forcing – partners to switch to HTTPS, Google is recommending that developers use the Apple-provided exception mechanism in their app’s Info.plist to opt out of ATS, allowing them to continue to load insecure HTTP content.
“While Google remains committed to industry-wide adoption of HTTPS, there isn’t always full compliance on third party ad networks and custom creative code served via our systems,” Google said via a blog post explaining the workaround to developers. “To ensure ads continue to serve on iOS 9 devices for developers transitioning to HTTPS, the recommended short term fix is to add an exception that allows HTTP requests to succeed and non-secure content to load successfully.”
The post earlier notes that “all iOS 9 devices running apps built with Xcode 7 that don’t disable ATS will be affected by this change,” a subtle reminder to developers that disabling ATS altogether is also an option available to them.
It’s worth reminding our readers that HTTP traffic is inherently insecure: anyone on the network path, such as another user on the same Wi-Fi network, can read or modify it. Privacy advocates have long dreamt of an Internet where all communication is secure, but we are very far from that day. Google itself has talked about HTTPS everywhere, but its latest actions don’t seem to walk that talk, at least in the eyes of the Electronic Frontier Foundation, a non-profit organisation defending civil liberties in the digital world, which has criticised the move.
“Google’s done a lot of great work to encourage deployment of HTTPS, and they reiterate that in this post, but their suggested short term fix is over-broad and dangerous,” said Jacob Hoffman-Andrews, Senior Staff Technologist. “Apple’s App Transport Security ensures that apps make secure connections to servers, but the fix in this post disables that protection on all domains. I think developers who install this quick fix are likely to leave it in indefinitely, leaving their apps open to sniffing.”
Google later updated the blog post defending its stand: “We’ve received important feedback about this post and wanted to clarify a few points. We wrote this because developers asked us about resources available to them for the upcoming iOS 9 release, and we wanted to outline some options. To be clear, developers should only consider disabling ATS if other approaches to comply with ATS standards are unsuccessful. Apple has provided a tech note describing different approaches, including the ability to selectively enable ATS for a list of provided HTTPS sites.”
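To make the difference between the “quick fix” EFF objects to and the narrower exception Apple’s note describes concrete, here is an Info.plist fragment written for this article; it is an added example, not code from Google’s post or Apple’s note, and the ad host ads.example.com is a hypothetical placeholder. The keys themselves (NSAppTransportSecurity, NSAllowsArbitraryLoads, NSExceptionDomains, NSIncludesSubdomains, NSExceptionAllowsInsecureHTTPLoads) are Apple’s ATS keys as introduced in iOS 9.

```xml
<!-- Added example: the NSAppTransportSecurity dictionary inside an app's Info.plist.
     Everything else in the plist is unchanged; only this key controls ATS. -->
<key>NSAppTransportSecurity</key>
<dict>
    <!-- Over-broad form (the one EFF criticised): this single key switches ATS
         off for EVERY connection the app makes, including the app's own API
         traffic, not just the ad creatives that prompted the change.

    <key>NSAllowsArbitraryLoads</key>
    <true/>
    -->

    <!-- Narrow form: ATS stays on by default; cleartext HTTP is permitted only
         for the listed host (hypothetical ad host used here as a placeholder). -->
    <key>NSExceptionDomains</key>
    <dict>
        <key>ads.example.com</key>
        <dict>
            <!-- Apply the exception to sub-hosts such as cdn.ads.example.com -->
            <key>NSIncludesSubdomains</key>
            <true/>
            <!-- Allow http:// loads from this domain only -->
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
        </dict>
    </dict>
</dict>
```

Two things a practitioner should check before shipping either form. First, keep the exception list to the hosts that actually need it and revisit it each release, since, as Hoffman-Andrews notes, a blanket exception tends to become permanent. Second, the “selectively enable ATS for a list of HTTPS sites” approach Google’s update alludes to is the inverse of the fragment above: NSAllowsArbitraryLoads set to true with specific domains re-protected by setting NSExceptionAllowsInsecureHTTPLoads to false under their NSExceptionDomains entry. That still leaves every unlisted host unprotected, so the narrow form shown here is the safer default. On OS X 10.11 the bundled `nscurl --ats-diagnostics https://host` command can be used to confirm that a server you do want ATS to protect actually meets its TLS requirements.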
iOS 9 also brings ‘content blockers’, which will (theoretically at least) let users install ad blockers on Safari on iOS 9, putting Google and Apple on another potential warpath.