Nobody is using App Transport Security; what’s next?
Update, January 2016: I gave a talk on App Transport Security: “App Transport Security: What, Why, How?”
I did an informal survey yesterday of some widely-used iOS apps, which happen to appear on my phone, that have been updated for iOS 9. I wanted to see which had opted out of the new App Transport Security checks in iOS 9.
The results aren’t very promising:
- Facebook (39.1) opts out of ATS entirely
- Google Maps (4.10.1) opts out of ATS entirely
- Microsoft OneNote (2.16.1) opts out of ATS entirely
- 1Password (6.0) opts out of ATS entirely
- Dropbox (4.0) opts out of ATS entirely
- Instagram (7.6.0) opts out; they try to enforce best practices for some domains, but still allow insecure HTTP loads, so what’s the point?
Tumblr (4.5) is the only app I checked which uses ATS properly: they opt-out for user-generated content but enforce ATS for their own domains.
What is App Transport Security? Why is it important?
App Transport Security is a networking feature built into iOS 9 and OS X 10.11 and applied to apps built against the iOS 9 or OS X 10.11 SDK. It disallows:
- unencrypted HTTP network connections from those apps
- HTTPS connections using old and insecure versions of SSL/TLS
- HTTPS connections using cipher suites that don’t provide forward secrecy
- HTTPS certificates that use insecure hash functions for their digital signatures
This is important because, as we now know, surveillance and MITM are universally pervasive on today’s Internet. Encrypting everything, even nonsensitive data, is now the best practice, because if only sensitive traffic is encrypted on the network it’s easily identified as a target.
ATS forces developers and companies to consider using HTTPS, and for those already using HTTPS it enforces current best practices—practices which, if ignored, lead to a false sense of security: ignoring these practices makes your users vulnerable.
Apps which opt out of ATS for their own communications—including but not limited to those I’ve listed above—are explicitly opting out of security checks which would enforce currently accepted best practices. They’re exposing their users to unnecessary security risks, and giving them a false sense of security.
Surely App X has a reasonable justification for opting out entirely.
Wrong.
- There is almost no justification for using insecure HTTP. Certificates can be had for under $10/year, and Let’s Encrypt will soon allow anyone to secure their site for free.
- There is absolutely no justification for using HTTPS without TLS 1.2, without a cipher suite that provides forward secrecy, or with a certificate signed with insecure hash functions. This provides a false sense of security.
Many of the apps listed above have web views where they may display any web page. But it is possible—as Tumblr has—to opt out of ATS in general while allowing ATS to enforce best practices for domains the app’s developer does control.
Tumblr is the only app I checked which does this; Dropbox, 1Password, OneNote and others should, but apparently don’t care enough about their users’ security.
What’s next?
I hope and expect that next year, in conjunction with the next major versions of iOS and OS X, Apple will start making developers justify ATS opt-outs during the App Review process. I fully expect that blanket opt-outs will become cause for app rejection, and as a security-conscious iOS user I can’t wait for that day.
Further Reading
- App Transport Security Technote
- Configuring App Transport Security Exceptions in iOS 9 and OSX 10.11
- Shipping an App With App Transport Security
- Everything is Broken
As always, I welcome discussion and feedback; I’m @cdzombak on Twitter.