App Transport Security is a feature that improves the security of connections between an app and web services. The feature consists of default connection requirements that conform to best practices for secure connections. Apps can override this default behavior and turn off transport security.
If you’re building your iOS app with the latest dev tools (Xcode 7), it will automatically be opted in to App Transport Security, which means that for your network requests to succeed, the following must be true for each of your endpoints:
- The server must support at least Transport Layer Security (TLS) protocol version 1.2.
- Connection ciphers are limited to those that provide forward secrecy.
- Certificates must be signed using a SHA256 or greater signature hash algorithm, with either a 2048-bit or greater RSA key or a 256-bit or greater Elliptic-Curve (ECC) key.
One month after the public launch of this feature, I was interested to know how many developers had not opted out of it. To get a rough idea, I sampled the current top 200 free iOS apps in the UK store and checked.
Here are the results:
- Only 2% of apps are ATS compliant; this includes two of Apple’s apps.
- 3% created exceptions for a finite number of domains - this might be required if you do not have control over the endpoints you’re hitting.
- 24% disabled the feature altogether - they do this by allowing arbitrary loads, so any domain can be reached without the criteria above being enforced.
- The rest have not yet released a version built with Xcode 7, which means this feature does not apply to them; if the past is any guide, Apple will require all new apps and updates to be built with Xcode 7 from February 2016.
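The three buckets above can be checked mechanically from an app's Info.plist. The following is an added example, not the author's survey tooling: it uses Python's plistlib and the ATS keys NSAllowsArbitraryLoads and NSExceptionDomains (which the post describes but does not name), and the sample plists are constructed for illustration.

```python
"""Classify an iOS app's Info.plist by its App Transport Security (ATS) posture.

Added example, not the post's own survey code. Sorts an Info.plist into the
same three buckets as the survey: compliant (no ATS override), per-domain
exceptions, or ATS disabled for arbitrary loads. Sample plists are constructed.
"""
import plistlib

# Per-domain exception keys that relax one of the default ATS requirements.
RELAXING_KEYS = {
    "NSExceptionAllowsInsecureHTTPLoads": lambda v: v is True,   # plain HTTP allowed
    "NSExceptionRequiresForwardSecrecy": lambda v: v is False,   # non-PFS ciphers allowed
    "NSExceptionMinimumTLSVersion": lambda v: v in ("TLSv1.0", "TLSv1.1"),  # below TLS 1.2
}

def relaxed_settings(info_plist: bytes) -> dict:
    """Map each exception domain to the list of ATS requirements it relaxes."""
    ats = plistlib.loads(info_plist).get("NSAppTransportSecurity") or {}
    result = {}
    for domain, cfg in ats.get("NSExceptionDomains", {}).items():
        result[domain] = [k for k, weak in RELAXING_KEYS.items() if k in cfg and weak(cfg[k])]
    return result

def classify_ats(info_plist: bytes) -> str:
    """Return 'compliant', 'exceptions' or 'disabled' for an XML or binary Info.plist."""
    ats = plistlib.loads(info_plist).get("NSAppTransportSecurity") or {}
    if ats.get("NSAllowsArbitraryLoads"):
        return "disabled"      # every domain may be reached without the ATS criteria
    if any(relaxed_settings(info_plist).values()):
        return "exceptions"    # requirements lowered only for the listed domains
    return "compliant"         # defaults (TLS 1.2, PFS ciphers, SHA-256 certs) apply

# Constructed samples (not real apps), one per bucket of the survey.
COMPLIANT = plistlib.dumps({"CFBundleIdentifier": "com.example.compliant"})
EXCEPTIONS = plistlib.dumps({"NSAppTransportSecurity": {"NSExceptionDomains": {
    "legacy.example.com": {"NSIncludesSubdomains": True,
                           "NSExceptionAllowsInsecureHTTPLoads": True,
                           "NSExceptionMinimumTLSVersion": "TLSv1.0"}}}})
DISABLED = plistlib.dumps({"NSAppTransportSecurity": {"NSAllowsArbitraryLoads": True}})

if __name__ == "__main__":
    for name, plist in (("compliant", COMPLIANT), ("exceptions", EXCEPTIONS), ("disabled", DISABLED)):
        print(name, "->", classify_ats(plist), relaxed_settings(plist))
```

To audit a real app, pass the bytes of its Info.plist (plistlib accepts both the XML and binary forms) instead of the constructed samples.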
As Xcode 7 is quite new, I’m not particularly surprised by these numbers, but it will be interesting to see how developers react to ATS over the coming months, and what users’ perception of an app will be if it is subverting this feature in six months.
Are you planning to support it?