Apple tells iOS 9 developers to use HTTPS “exclusively”

Apple has thrown its weight behind encrypting the web, encouraging iOS developers to make encryption the default for their apps.

Among the privacy features Apple announced at its worldwide developer conference last week was an important endorsement of encrypting the web by making all websites and apps HTTPS by default.

Apple is using iOS 9 to influence iOS developers to make their apps encrypted by default.

“If you’re developing a new app, you should use HTTPS exclusively. If you have an existing app, you should use HTTPS as much as you can right now, and create a plan for migrating the rest of your app as soon as possible,” Apple explains in its pre-release documentation for iOS 9.

Apple is using a new privacy feature called App Transport Security to sway developers: “App Transport Security (ATS) lets an app add a declaration to its Info.plist file that specifies the domains with which it needs secure communication. ATS prevents accidental disclosure, provides secure default behavior, and is easy to adopt. You should adopt ATS as soon as possible, regardless of whether you’re creating a new app or updating an existing one.”

The move comes amid growing support for making everything on the web HTTPS. Earlier this week, the White House ordered all federal agencies to ensure their public-facing websites were encrypted by the beginning of 2017.

Microsoft also introduced a feature in IE 11 and its new Edge browser to help website developers enforce HTTPS connections to their site, known as HSTS or HTTP Strict Transport Security.

According to Swiss security and privacy researcher Frederic Jacobs, Apple’s ATS introduced HSTS for apps in iOS 9.

Apple has riffed off Google’s perceived thirst for information about its users to make statements about its own commitments to privacy, though to be fair, Apple is also following Google’s lead in encrypting the web.

However, Apple’s new initiative in iOS 9 is likely to have a big impact by virtue of the number of app developers who depend on it.

“The writing is on the wall: HTTPS is the future, and those who have not adopted it need to develop a plan to do so – before the decision is made for them, either by users who prefer a provider that respects the security of their personal data, or by regulators who may view failing to enable HTTPS as failing to adopt industry best practices,” said Greg Norcie, staff technologist with the Center for Democracy and Technology.

“HTTPS is quickly becoming a best practice on the web, and organizations who fail to adopt it face lost revenue when customers migrate to more privacy-respecting providers, as well as potential regulatory scrutiny in the event of a data breach,” he added.

This article is brought to you by Enex TestLab, content directors for CSO Australia.
