Study Finds Most Popular iOS Apps Are Not Encrypting Data

Wandera found that two-thirds (67.8%) of apps still disable Apple Transport Security (ATS) globally and don't set any granular exceptions for specific functions.

Mobile security firm Wandera analyzed over 30,000 of the iOS apps most commonly used by employees and found that more than two-thirds of the apps don't use ATS to encrypt data.

Apple Transport Security (ATS) is a feature of Apple networks. It is basically a set of rules to ensure iOS apps as well as app extensions connect to web services through the use of secure connection protocols. It deals with the security of data in motion.

Apple announced that all iOS apps would be required to follow and use ATS by January 2017. But it had to walk that back.

Why did this walkback occur? Apps will talk to third-party advertising, market research, analytics and file hosting services as part of their normal functioning. These external services may not support the HTTPS connections which ATS would require. Not only that, advertising networks such as MoPub and Google AdMob have recommended disabling ATS completely to ensure that ads are loaded correctly.

Apple tried to get around this by introducing a granularity to ATS. When it was first brought out, it could only be set as globally on or off. After iOS 10, developers could set a global ATS configuration and then exception it on a case-by-case basis for specific functions within an app.

But Wandera found that two-thirds (67.8%) of apps still disable ATS globally and don't set any granular exceptions for specific functions. Only 5.3% of apps use the new more granular keys to disable ATS.

Interestingly, paid apps -- which don't usually have any ad network linked to them which gives the developer revenue -- are more likely (45.7%) to have the full ATS enabled.

Wandera also found that ATS global configuration differs only slightly across categories, with finance leading the pack. Only a third of these financial apps have ATS globally enabled and many of them still contain global exception domains.

For each exception domain, there are three possible ATS exceptions that can be specified. The are allowing HTTP loads, not requiring forward secrecy, and allowing the use of obsolete TLS versions. The developer can specify exceptions on a per-domain basis. More than two-thirds (70%) of apps have no exception domains and the remaining 30% have less than five. Of the apps with ATS globally disabled, 77.3% do not specify any exception domains.

Wandera wonders why this is all happening. They note that, "Perhaps the reason many developers disable ATS, despite Apple's efforts, is because they don't actually understand how it works due to its complexity. Or maybe they are taking the easy way out by just submitting all the domains their apps need as exceptions to avoid any potential interruptions to the end-user experience due to incompatibility with servers. The alternative route would be checking that each domain supports HTTPS and only making exceptions for those that do not. Many developers are under pressure to increase speed to market and remove unnecessary costs, so it's easy to see why they would want to take shortcuts like blanket ATS exceptions." It seems to always come down to the money.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.