
6/7/2019
09:50 AM
Larry Loeb

Study Finds Most Popular iOS Apps Are Not Encrypting Data

Wandera found that two-thirds (67.8%) of apps still disable App Transport Security (ATS) globally and don't set any granular exceptions for specific functions.

Mobile security firm Wandera analyzed over 30,000 of the iOS apps most commonly used by employees and found that more than two-thirds of the apps don't use ATS to encrypt data.

App Transport Security (ATS) is a networking feature of Apple's platforms. It is a set of rules that require iOS apps and app extensions to connect to web services over secure connection protocols. It deals with the security of data in motion.

Apple announced that all iOS apps would be required to follow and use ATS by January 2017. But it had to walk that back.

Why did this walkback occur? Apps will talk to third-party advertising, market research, analytics and file hosting services as part of their normal functioning. These external services may not support the HTTPS connections which ATS would require. Not only that, advertising networks such as MoPub and Google AdMob have recommended disabling ATS completely to ensure that ads are loaded correctly.

Apple tried to address this by adding granularity to ATS. When it was first introduced, ATS could only be switched on or off globally. From iOS 10, developers could set a global ATS configuration and then add exceptions on a case-by-case basis for specific functions within an app.

But Wandera found that two-thirds (67.8%) of apps still disable ATS globally and don't set any granular exceptions for specific functions. Only 5.3% of apps use the new more granular keys to disable ATS.

Interestingly, paid apps -- which usually have no revenue-generating ad network linked to them -- are more likely (45.7%) to have ATS fully enabled.

Wandera also found that ATS global configuration differs only slightly across categories, with finance leading the pack. Only a third of these financial apps have ATS globally enabled and many of them still contain global exception domains.

For each exception domain, there are three possible ATS exceptions that can be specified: allowing HTTP loads, not requiring forward secrecy, and allowing the use of obsolete TLS versions. The developer can specify exceptions on a per-domain basis. More than two-thirds (70%) of apps have no exception domains, and the remaining 30% have fewer than five. Of the apps with ATS globally disabled, 77.3% do not specify any exception domains.
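An added example (not code from Wandera or this article) of how an app's ATS posture can be audited from its Info.plist: it reads the global `NSAllowsArbitraryLoads` switch and, for each entry under `NSExceptionDomains`, reports which of the three per-domain exceptions described above are granted. The plist below is a constructed sample, and `legacy.example.com` is a placeholder domain.

```python
import plistlib

# Constructed sample Info.plist (not from the Wandera study): ATS switched
# off globally, plus one exception domain that uses all three per-domain keys.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSExceptionRequiresForwardSecrecy</key><false/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
      </dict>
    </dict>
  </dict>
</dict></plist>
"""

# ATS defaults to TLS 1.2 as the minimum; anything below that is an exception.
OBSOLETE_TLS = ("TLSv1.0", "TLSv1.1")

def domain_exceptions(cfg):
    """List which of the three ATS exceptions a domain dictionary grants."""
    granted = []
    if cfg.get("NSExceptionAllowsInsecureHTTPLoads", False):
        granted.append("allows HTTP loads")
    if cfg.get("NSExceptionRequiresForwardSecrecy", True) is False:
        granted.append("does not require forward secrecy")
    if cfg.get("NSExceptionMinimumTLSVersion", "TLSv1.2") in OBSOLETE_TLS:
        granted.append("allows obsolete TLS version")
    return granted

def audit_ats(plist_bytes):
    """Bucket an Info.plist the way the study does: global switch, then domains."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    globally_disabled = bool(ats.get("NSAllowsArbitraryLoads", False))
    domains = ats.get("NSExceptionDomains", {})
    per_domain = {d: domain_exceptions(cfg) for d, cfg in domains.items()}
    if globally_disabled:
        posture = "disabled" + ("_with_exception_domains" if domains else "_no_exception_domains")
    else:
        posture = "enabled" + ("_with_exception_domains" if domains else "")
    return {"globally_disabled": globally_disabled, "posture": posture,
            "exception_domains": per_domain}
```

Run `audit_ats(SAMPLE_PLIST)` to get the posture and per-domain findings; a plist with no `NSAppTransportSecurity` dictionary at all is reported as "enabled", which is the iOS default.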

Wandera wonders why this is all happening. They note that, "Perhaps the reason many developers disable ATS, despite Apple's efforts, is because they don't actually understand how it works due to its complexity. Or maybe they are taking the easy way out by just submitting all the domains their apps need as exceptions to avoid any potential interruptions to the end-user experience due to incompatibility with servers. The alternative route would be checking that each domain supports HTTPS and only making exceptions for those that do not. Many developers are under pressure to increase speed to market and remove unnecessary costs, so it's easy to see why they would want to take shortcuts like blanket ATS exceptions." It seems to always come down to the money.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.
