iOS developers still failing to build end-to-end encryption into apps

Despite a mandate from Apple, 68% of developers disable ATS globally on their apps, according to a Wandera report.


Though Apple has mandated that iOS developers build end-to-end encryption into their apps, the majority of apps do not, according to a Wednesday report from mobile security firm Wandera.

Apple's App Transport Security (ATS) feature helps developers comply with data privacy requirements, and is available and enabled by default. It is essentially a set of rules that ensure iOS apps and app extensions connect to web services using secure connection protocols, the report noted. In June 2016, Apple announced that it would require all iOS apps to use HTTPS connections by January 1, 2017. However, in December 2016, Apple said it was extending this deadline, and it has yet to announce a new date.


Once the deadline is set, apps must enforce the ATS feature, which was originally released with iOS 9. ATS forces the connections to HTTPS instead of HTTP, in order to strengthen privacy.

Wandera analyzed more than 30,000 iOS apps most commonly used by employees, and found that about 68% did not use ATS to encrypt data.

Encrypting data improves user privacy and data integrity, the report noted. The App Review Guidelines currently state that developers need to supply a justification for disabling ATS. However, the report found that the justification does not need to be strong, and in most cases developers are able to disable the feature easily.

Developers may disable ATS because their apps need to talk to third-party advertising, market research, analytics, and file hosting services, and those external services may not support HTTPS connections, according to the report. For example, advertising networks such as MoPub and Google AdMob recommend disabling ATS completely to ensure ads are loaded correctly, it noted.

While disabling ATS globally does not necessarily mean communication is unencrypted, it does mean the system safeguards are disabled, leaving more room for error, the report said.
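The report contrasts two ways of handling a third-party service that lacks HTTPS: switching ATS off for the whole app, or leaving ATS on and carving out an exception for that one host. As an added illustration (not code from the Wandera report or from any app it analyzed), the ATS policy lives in an app's Info.plist under the NSAppTransportSecurity key, and the script below uses Python's standard plistlib to parse three constructed Info.plist fragments and classify each as globally disabled, scoped exception, or enforced. The bundle identifiers and host names are made up; the plist keys are Apple's documented ATS keys.

```python
import plistlib
from collections import Counter

# Constructed sample Info.plist fragments (not taken from any real app).

# Weak: NSAllowsArbitraryLoads switches the whole ATS policy off, so any
# connection in the app may fall back to plaintext HTTP unnoticed.
GLOBAL_DISABLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.weakapp</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
  </dict>
</dict>
</plist>
"""

# Corrected: ATS stays on for every other host; only the one legacy service
# that lacks HTTPS gets a scoped exception, so a mistake elsewhere is still
# caught by the system safeguards.
SCOPED_EXCEPTION_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.scopedapp</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy-ads.example.net</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSIncludesSubdomains</key><false/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Default: no NSAppTransportSecurity dictionary at all, so ATS is enforced.
ENFORCED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.strictapp</string>
</dict>
</plist>
"""


def classify_ats(plist_bytes: bytes) -> dict:
    """Return the app's ATS posture and any hosts allowed plaintext HTTP."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    exceptions = ats.get("NSExceptionDomains", {})
    # Hosts explicitly permitted to use insecure HTTP via a per-domain rule.
    insecure_hosts = sorted(
        host
        for host, rules in exceptions.items()
        if rules.get("NSExceptionAllowsInsecureHTTPLoads", False)
    )
    if ats.get("NSAllowsArbitraryLoads", False):
        verdict = "disabled_globally"
    elif insecure_hosts:
        verdict = "per_domain_exceptions"
    else:
        verdict = "enforced"
    return {
        "bundle_id": info.get("CFBundleIdentifier"),
        "verdict": verdict,
        "insecure_hosts": insecure_hosts,
    }


def summarize(plists) -> dict:
    """Count verdicts across a batch of Info.plist files, audit-report style."""
    return dict(Counter(classify_ats(p)["verdict"] for p in plists))


if __name__ == "__main__":
    for sample in (GLOBAL_DISABLE_PLIST, SCOPED_EXCEPTION_PLIST, ENFORCED_PLIST):
        print(classify_ats(sample))
    print(summarize([GLOBAL_DISABLE_PLIST, SCOPED_EXCEPTION_PLIST, ENFORCED_PLIST]))
```

Running the same check over the Info.plist files extracted from a fleet's installed apps gives the kind of breakdown the report describes, and the `insecure_hosts` list tells a reviewer exactly which third-party endpoints the exception was written for.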

The app categories most likely to enable ATS globally include finance, health and fitness, utilities, photo and video, and navigation apps, the report found. This is likely because these apps have less need to communicate with the outside web. The app categories most likely to have ATS disabled globally include news, sports, games, weather, and entertainment, the report found.

Ultimately, it is up to developers to ensure ATS features are enabled as needed.



By Alison DeNisco Rayome

Alison DeNisco Rayome is a Senior Editor for TechRepublic. She covers CXO, cybersecurity, and the convergence of tech and the workplace.