App Transport Security, or ATS as it’s more commonly known, is one of the biggest changes Apple has mandated of its development community in a long time. At a simple level, ATS requires that apps use secure, encrypted connections between the app and any back-end services.
Next year, Apple will require all apps and app updates submitted to the App Store to be ATS compliant. To be ATS compliant, every connection the app makes to a server must use HTTPS, and the server must meet ATS’s requirements: TLS 1.2 or later, a cipher suite that provides forward secrecy, and a certificate signed with SHA-256 or stronger using an RSA key of at least 2048 bits or an ECC key of at least 256 bits. Additional information regarding Apple’s requirements is available on their security page for developers.
ATS & HTTPS
The most common way to attain ATS compliance is to use connections secured with TLS (Transport Layer Security). In practice that means HTTPS, the secure form of the hypertext transfer protocol (HTTP), the backbone of the web. With HTTPS, all data exchanged between the client (a browser or app) and the server is encrypted, and the server proves its identity with a certificate, so the client knows who it is talking to.
At its core, ATS makes “man-in-the-middle” attacks harder. Without ATS, an app could make insecure connections to a server, and those connections could be snooped on or tampered with by anyone on the same network. For example, if you’re browsing Facebook on a public wifi connection, another wifi user (or anyone else on the path from phone to server) can’t simply sniff your Facebook traffic and see what you’re doing, read your password, and so on. That protection exists because Facebook’s connections use TLS, the same protocol ATS enforces.
Under iOS 9, Apple made ATS the default for apps, but developers could still switch it off in the app’s Info.plist. After January 1, 2017, any new app or app update will need those connections secured with TLS. This includes connections made by any third-party SDKs, including ad providers.
Apple is mandating secure app connections for one simple reason: privacy. A web browser can show that a site is using HTTPS, letting privacy-minded users pick and choose the sites they visit, but an app gives its users no such indicator, which makes vetting its incoming and outgoing traffic much harder.
Apple’s solution is to mandate that the connections apps make through iOS’s URL loading system (NSURLSession, NSURLConnection and the APIs built on them) are encrypted.
How to Develop in an ATS Compliant World
Publishers and developers should view ATS compliance as a good thing. It’s important that users trust app publishers and feel secure that their information is in safe hands, whether that’s gameplay patterns, or personal data.
If you’re developing a new app, the guidelines are simple: use HTTPS connections from the beginning.
- Use HTTPS for all connections
- Make sure that all your back-end servers serve HTTPS that meets the ATS requirements. This includes any third-party content providers, SDKs, image hosting, analytics, etc. Every call for data your app makes needs to be ATS compliant, regardless of the source.
If you have an existing app:
- Test your app to see which calls use HTTPS and which still use HTTP
- Figure out where HTTPS matters most for your app (e.g., logins, payment transactions, personal information, etc.). Start there and work outward. Keep in mind that you will more than likely need to secure all of it eventually.
- Follow up with any third-party providers to ensure they are also moving to ATS compliance.
No matter the state of your app, you can use nscurl, a command-line tool that ships with macOS (run it from Terminal, not from within Xcode), to check whether a given server meets the ATS requirements:
nscurl --ats-diagnostics --verbose https://www.google.com
It retries the connection under each combination of ATS exception settings and reports PASS or FAIL for each, which tells you whether the server passes with the ATS defaults and, if not, which exception keys it would need.
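nscurl only exists on macOS. As an added example (not from the original post or from AdColony), the script below reproduces the TLS-version and cipher-suite part of its check on any platform using only the Python standard library. The cipher list is transcribed from Apple’s ATS documentation; the host names passed on the command line, and the choice to treat TLS 1.3 (which post-dates the 2016 list) as passing, are this example’s own assumptions. Certificate key size and signature hash are not inspected here.

```python
"""Check a server's TLS handshake against the App Transport Security defaults.

A cross-platform stand-in for the TLS-version and cipher-suite part of
`nscurl --ats-diagnostics`, using only the Python standard library.
"""
import socket
import ssl

# Cipher suites ATS accepts by default, transcribed from Apple's ATS
# documentation and spelled the way OpenSSL (and so Python's ssl module)
# reports them. Every one uses ECDHE key exchange, i.e. forward secrecy.
ATS_CIPHERS = frozenset({
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-SHA384", "ECDHE-ECDSA-AES128-SHA256",
    "ECDHE-ECDSA-AES256-SHA", "ECDHE-ECDSA-AES128-SHA",
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-AES128-SHA256",
    "ECDHE-RSA-AES256-SHA", "ECDHE-RSA-AES128-SHA",
})
ATS_TLS_VERSIONS = ("TLSv1.2", "TLSv1.3")


def ats_verdict(tls_version, cipher_name):
    """Judge one negotiated handshake against the ATS defaults.

    Returns (passes, reasons). TLS 1.3 post-dates the 2016 cipher list, but
    all of its suites provide forward secrecy, so this checker accepts them
    (an assumption of this example, not a quote from Apple's list).
    """
    reasons = []
    if tls_version not in ATS_TLS_VERSIONS:
        reasons.append(f"{tls_version} is below the ATS minimum of TLS 1.2")
    if tls_version != "TLSv1.3" and cipher_name not in ATS_CIPHERS:
        reasons.append(f"{cipher_name} is not an ATS forward-secrecy cipher suite")
    return (not reasons, reasons)


def probe(host, port=443, timeout=5.0):
    """Connect to host:port and report what was negotiated. Needs network access.

    Certificate key size and signature hash (which ATS also checks) are not
    inspected here; nscurl on macOS covers those.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                version = tls.version()
                cipher_name = tls.cipher()[0]
    except OSError as exc:  # ssl.SSLError and socket.timeout are both OSErrors
        # A refused handshake is itself a failure: a server that cannot
        # negotiate TLS 1.2 or present a valid chain will not pass ATS.
        return {"host": host, "ats_default_ok": False,
                "reasons": [f"TLS handshake failed: {exc}"]}
    ok, reasons = ats_verdict(version, cipher_name)
    return {"host": host, "tls_version": version, "cipher": cipher_name,
            "ats_default_ok": ok, "reasons": reasons}


if __name__ == "__main__":
    import sys
    # Hosts are taken from the command line; www.google.com is a placeholder.
    for target in sys.argv[1:] or ["www.google.com"]:
        result = probe(target)
        print("PASS" if result["ats_default_ok"] else "FAIL", target, *result["reasons"])
```

Run it as `python3 ats_probe.py api.example.com cdn.example.com` against your own hosts. A FAIL with a version or cipher reason points at the server’s TLS configuration; a FAIL with a handshake error usually means the server cannot negotiate TLS 1.2 at all or presents a chain the client will not trust.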
Enforcement and Exemptions
Developers whose apps make unsecured HTTP requests that they don’t control (to a third-party weather service, for example) can declare exceptions in the app’s Info.plist under the NSAppTransportSecurity key and supply a justification for why the app isn’t fully ATS compliant when submitting it for review. Apple has said that the keys requiring justification are NSAllowsArbitraryLoads, NSAllowsArbitraryLoadsForMedia, NSAllowsArbitraryLoadsInWebContent, NSExceptionAllowsInsecureHTTPLoads and NSExceptionMinimumTLSVersion.
Web views complicate matters, because an in-app browser can end up loading sites the publisher doesn’t control. Publishers whose apps need one should use SFSafariViewController, which Apple introduced in iOS 9 specifically for in-app browsing: it runs outside the app’s process, so ATS does not apply to the pages it loads. Apps that must render arbitrary web content in WKWebView or UIWebView can use NSAllowsArbitraryLoadsInWebContent (iOS 10), which relaxes ATS for web-view loads only rather than for the whole app.
When planning to ask for an exception, publishers should be careful not to be too broad; as with all things App Review-related, Apple has provided scant information on what it considers a reasonable justification.
Apple Developer Relations engineer “Eskimo” on Apple’s Developer Forums suggests that developers and publishers who plan to request an exemption do the following:
- Watch the WWDC session where we announced this change (WWDC 2016 Session 706, What’s New in Security). It’s also a really good session!
- Audit your app’s use of HTTP and HTTPS.
- If your app does have ATS exceptions, construct a minimal ATS exception dictionary, and keep notes about your analysis so that you can refer back to them when you need to submit your justification to Apple’s App Review.
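The audit of HTTP versus HTTPS calls recommended above, and the “minimal ATS exception dictionary” it should lead to, worked through as an added example that is not from the original post, from Eskimo, or from AdColony. The script parses the NSAppTransportSecurity dictionary from an Info.plist with the standard library and classifies every http:// URL found in source text the way ATS would treat the connection. It places the blanket NSAllowsArbitraryLoads switch beside a single-domain exception so the difference is visible. The two Info.plist fragments, the Swift source lines and every host name are constructed for this example.

```python
"""Audit an app's ATS configuration against the plaintext URLs in its source.

Reads the NSAppTransportSecurity dictionary from Info.plist (stdlib plistlib)
and classifies every http:// URL in the source as blocked by ATS, allowed by a
per-domain exception, or allowed only by the blanket NSAllowsArbitraryLoads
switch that App Review will ask you to justify.
"""
import plistlib
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s'\"<>()]+")

# Constructed Info.plist fragment: switches ATS off for the whole app.
BROAD_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
  </dict>
</dict></plist>"""

# Constructed Info.plist fragment: the narrowest exception that still lets one
# legacy host (and its subdomains) serve over plaintext HTTP.
MINIMAL_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy-example.com</key>
      <dict>
        <key>NSIncludesSubdomains</key><true/>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
      </dict>
    </dict>
  </dict>
</dict></plist>"""

# Constructed source lines standing in for the output of `grep -r http:// Sources/`.
SOURCE = '''
let session = URL(string: "https://api.example.com/v1/session")!
let banner  = URL(string: "http://images.legacy-example.com/banner.png")!
let weather = URL(string: "http://weather.example.net/today.json")!
'''


def load_ats(plist_bytes):
    """Return the NSAppTransportSecurity dictionary, or {} if the plist has none."""
    return plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})


def exception_for(ats, host):
    """Return (domain, rules) for the NSExceptionDomains entry covering host, else None."""
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if host == domain or (rules.get("NSIncludesSubdomains") and host.endswith("." + domain)):
            return domain, rules
    return None


def classify(ats, url):
    """Classify one URL the way ATS treats the connection."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        return "https"
    hit = exception_for(ats, parts.hostname or "")
    if hit:
        domain, rules = hit
        # A domain entry replaces the global settings for that domain, so
        # NSAllowsArbitraryLoads does not rescue a host listed here.
        if rules.get("NSExceptionAllowsInsecureHTTPLoads") or \
           rules.get("NSThirdPartyExceptionAllowsInsecureHTTPLoads"):
            return f"http allowed by exception for {domain}"
        return f"http blocked by ATS (exception for {domain} does not allow insecure HTTP)"
    if ats.get("NSAllowsArbitraryLoads"):
        return "http allowed by NSAllowsArbitraryLoads (blanket exception, needs justification)"
    return "http blocked by ATS"


def audit(plist_bytes, source_text):
    """Map every URL found in source_text to its ATS classification."""
    ats = load_ats(plist_bytes)
    return {url: classify(ats, url) for url in URL_RE.findall(source_text)}


if __name__ == "__main__":
    for label, plist in (("NSAllowsArbitraryLoads", BROAD_PLIST), ("minimal exception", MINIMAL_PLIST)):
        print(f"--- {label} ---")
        for url, verdict in audit(plist, SOURCE).items():
            print(f"{verdict:75} {url}")
```

With the broad plist every plaintext URL is “allowed”, which is exactly why App Review asks for a justification. With the minimal plist the legacy image host is allowed by name, the https:// API call needs nothing, and the third-party weather host is reported as blocked, so it has to be moved to HTTPS or given its own entry. Point the script at a real Info.plist and the concatenated output of a grep over your sources to produce the notes Eskimo recommends keeping.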
AdColony and ATS Compliance
AdColony has two ATS-compliant versions of our SDK:
2.6.3 is a simple “drag-and-drop” upgrade to our existing SDK for publishers needing to quickly become ATS-compliant before the holiday app-submission freeze from December 23 to December 27, 2016.
Our new Aurora SDK features vertical Instant-Play™ HD mobile video ads, free Compass™ retention and engagement tools, new and updated Dynamic-End Cards, and more exciting new features, as well as being fully ATS compliant.
Join the Conversation
Is your app ready for submission next year? What are some key strategies for updating your app during the holidays? Tweet your thoughts @AdColony. For the latest AdColony mobile news and updates, follow @AdColony on Twitter, like us on Facebook, or connect on LinkedIn.