Apple has thrown its weight behind encrypting the web, encouraging iOS developers to make encryption the default for their apps.
Among the privacy features Apple announced at its worldwide developer conference last week was an important endorsement of encrypting the web by making all websites and apps, HTTPS by default.
Apple is using iOS 9 to influence iOS developers to make their apps encrypted by-default.
“If you’re developing a new app, you should use HTTPS exclusively. If you have an existing app, you should use HTTPS as much as you can right now, and create a plan for migrating the rest of your app as soon as possible,” Apple explains in its pre-release documentation for iOS 9.
Apple is using a new privacy feature called App Transport Security to sway developers: “App Transport Security (ATS) lets an app add a declaration to its Info.plist file that specifies the domains with which it needs secure communication. ATS prevents accidental disclosure, provides secure default behavior, and is easy to adopt. You should adopt ATS as soon as possible, regardless of whether you’re creating a new app or updating an existing one.”
The move comes]] amid growing support for making everything on the web HTTPS. Earlier this week, the White House ordered all federal agencies to ensure their public-facing websites were encrypted by the beginning of 2017.
Microsoft also introduced a feature in IE 11 and its new Edge browser to help website developers enforce HTTPS connections to their site, known as HSTS or HTTP Strict Transport Security.
According to Swiss security and privacy researcher, Frederic Jacobs, Apple’s ATS introduced HSTS for apps in iOS 9.
Apple has riffed off Google’s perceived thirst for information about its users to make statements about its own commitments to privacy, though to be fair, Apple is also following Google’s lead in encrypting the web.
However Apple’s new initiative in iOS 9 is likely to have a big impact by virtue of the number of app developers who depend on it.
“The writing is on the wall: HTTPS is the future, and those who have not adopted it need to develop a plan to do so – before the decision is made for them, either by users who prefer a provider that respects the security of their personal data, or by regulators who may view failing to enable HTTPS as failing to adopt industry best practices,” said Greg Norcie, staff technologist with the Center for Democracy and Technology.
“HTTPS is quickly becoming a best practice on the web, and organizations who fail to adopt it face lost revenue when customers migrate to more privacy respecting providers, as well as potential regulatory scrutiny in the event of a data breach,” he added.
This article is brought to you by Enex TestLab, content directors for CSO Australia.
- Facebook trials end-to-end encryption for email to end-users
- Appointment of two Australians to ISACA board reflects regional security expertise: director
- Malware getting smarter, stealthier once it breaches networks, Vectra analysis finds
- Medibank Place integrates security system with business process
- Adobe whips up patch for Hacking Team’s Flash 0-day attack
- The week in security: Hackers hack the hackers as Hacking Team falls
- Google to ramp up ‘unwanted software’ warnings in Chrome
- Why you should not trust your Digital Certificates