Apple to mandate App Transport Security for iOS apps by year’s end

During a security presentation at this week’s Worldwide Developers’ Conference, Apple said that Jan. 1, 2017, is the deadline for all iOS apps in the App Store to implement a security feature called App Transport Security (ATS), reports TechCrunch.

The goal is to provide greater protection against hackers and cyber criminals and their malware, adware, ransomware, etc. In requiring developers to use HTTPS, Apple is joining a larger movement to secure data as it travels online. As TechCrunch notes, while the secure protocol is common on login pages, many websites still use plain old HTTP for most of their connections. That’s changing as many sites make the transition to HTTPS, a protocol for secure communication over a computer network that is widely used on the Internet.

Here’s Apple’s take on ATS (be warned: it’s for developers so is filled with tech-speak): “App Transport Security provides default connection requirements so that apps adhere to best practices for secure connections when using NSURLConnection, CFURL, or NSURLSession APIs.

“Servers must support a minimum of TLS 1.2, forward secrecy, and certificates must be valid and signed using SHA-256 or better with a minimum of a 2048-bit RSA key or 256-bit elliptic curve key.

“Network connections that don’t meet these requirements will fail, unless the app overrides App Transport Security. Invalid certificates always result in a hard failure and no connection. App Transport Security is automatically applied to apps that are compiled for iOS 9.”
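
The requirements quoted above, expressed as a check over already-observed connection parameters. This is an added example, not Apple's code or part of the original article; the `Conn` fields, function names and sample values are assumptions constructed for illustration, and forward secrecy is inferred only from the key-exchange prefix of an OpenSSL-style cipher name.

```python
from dataclasses import dataclass

TLS_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
STRONG_HASHES = {"sha256", "sha384", "sha512"}   # "SHA-256 or better"
MIN_KEY_BITS = {"RSA": 2048, "EC": 256}          # minimums from the quoted text

@dataclass
class Conn:                 # hypothetical record of one observed TLS connection
    tls_version: str
    cipher: str             # OpenSSL-style suite name
    sig_hash: str           # hash used in the certificate signature
    key_type: str           # "RSA" or "EC"
    key_bits: int
    cert_valid: bool = True

def has_forward_secrecy(c):
    # TLS 1.3 suites are always ephemeral; for TLS 1.2 require (EC)DHE key exchange.
    return c.tls_version == "TLSv1.3" or c.cipher.startswith(("ECDHE-", "DHE-"))

def ats_violations(c):
    """Return the quoted ATS requirements that this connection fails."""
    out = []
    if not c.cert_valid:
        out.append("invalid certificate")
    if c.tls_version not in TLS_ORDER[TLS_ORDER.index("TLSv1.2"):]:
        out.append("TLS version not 1.2 or later")
    if not has_forward_secrecy(c):
        out.append("no forward secrecy")
    if c.sig_hash.lower() not in STRONG_HASHES:
        out.append("signature weaker than SHA-256")
    # Unknown key types get an infinite minimum, so they are always flagged.
    if c.key_bits < MIN_KEY_BITS.get(c.key_type.upper(), float("inf")):
        out.append("key too small")
    return out

# Constructed sample connections, not measurements of real servers.
SAMPLES = {
    "modern":  Conn("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256", "sha256", "RSA", 2048),
    "legacy":  Conn("TLSv1", "AES128-SHA", "sha1", "RSA", 1024),
    "static":  Conn("TLSv1.2", "AES256-GCM-SHA384", "sha256", "EC", 256),
    "expired": Conn("TLSv1.3", "TLS_AES_128_GCM_SHA256", "sha384", "EC", 384, cert_valid=False),
}

if __name__ == "__main__":
    for name, conn in SAMPLES.items():
        print(name, ats_violations(conn) or "meets the quoted requirements")
```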