Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

6/7/2019
09:50 AM
Larry Loeb
Larry Loeb
Larry Loeb
50%
50%

Study Finds Most Popular iOS Apps Are Not Encrypting Data

Wandera found that two-thirds (67.8%) of apps still disable Apple Transport Security (ATS) globally and don't set any granular exceptions for specific functions.

Mobile security firm Wandera analyzed over 30,000 of the iOS apps most commonly used by employees and found that more than two-thirds of the apps don't use ATS to encrypt data.

Apple Transport Security (ATS) is a feature of Apple networks. It is basically a set of rules to ensure iOS apps as well as app extensions connect to web services through the use of secure connection protocols. It deals with the security of data in motion.

Apple announced that all iOS apps would be required to follow and use ATS by January 2017. But it had to walk that back.

Why did this walkback occur? Apps will talk to third-party advertising, market research, analytics and file hosting services as part of their normal functioning. These external services may not support the HTTPS connections which ATS would require. Not only that, advertising networks such as MoPub and Google AdMob have recommended disabling ATS completely to ensure that ads are loaded correctly.

Apple tried to get around this by introducing a granularity to ATS. When it was first brought out, it could only be set as globally on or off. After iOS 10, developers could set a global ATS configuration and then exception it on a case-by-case basis for specific functions within an app.

But Wandera found that two-thirds (67.8%) of apps still disable ATS globally and don't set any granular exceptions for specific functions. Only 5.3% of apps use the new more granular keys to disable ATS.

Interestingly, paid apps -- which don't usually have any ad network linked to them which gives the developer revenue -- are more likely (45.7%) to have the full ATS enabled.

Wandera also found that ATS global configuration differs only slightly across categories, with finance leading the pack. Only a third of these financial apps have ATS globally enabled and many of them still contain global exception domains.

For each exception domain, there are three possible ATS exceptions that can be specified. The are allowing HTTP loads, not requiring forward secrecy, and allowing the use of obsolete TLS versions. The developer can specify exceptions on a per-domain basis. More than two-thirds (70%) of apps have no exception domains and the remaining 30% have less than five. Of the apps with ATS globally disabled, 77.3% do not specify any exception domains.

Wandera wonders why this is all happening. They note that, "Perhaps the reason many developers disable ATS, despite Apple's efforts, is because they don't actually understand how it works due to its complexity. Or maybe they are taking the easy way out by just submitting all the domains their apps need as exceptions to avoid any potential interruptions to the end-user experience due to incompatibility with servers. The alternative route would be checking that each domain supports HTTPS and only making exceptions for those that do not. Many developers are under pressure to increase speed to market and remove unnecessary costs, so it's easy to see why they would want to take shortcuts like blanket ATS exceptions." It seems to always come down to the money.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9498
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
CVE-2020-3282
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
CVE-2020-5909
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
CVE-2020-5910
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
CVE-2020-5911
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.