back to article Apple drops requirement for apps to use HTTPS by 2017

One of the initiatives Apple trumpeted at its 2016 WorldWide Developer Conference was a requirement for all iOS and OS X apps in its Store to use adopt App Transport Security as of December 31st 2016. App Transport Security (ATS) arrived in 2015 iOS and OS X in 2015, in Apple's own words, “improves privacy and data integrity …

  1. Charles 9

    Wow, quite the dilemma. It's like with the US and Chip implementation. It's progressing, but at a snail's pace, even WITH the threat of liability being in effect for about a year now. What does one do when neither the carrot nor the stick are working?

    1. Harry the Bastard

      re: What does one do when neither the carrot nor the stick are working?

      elect a carrot-coloured guy with the brains of a a stick

    2. Anonymous Coward
      Anonymous Coward

      weird thing. Chip and pin is not be implemented in the US for security. In The US chip and pin is processed liked a debit card and the end fees to the retail is lower. Once walmart figured this out they actually sued visa and master card to force them to use chip and pin.

      1. Charles 9

        That's irrelevant to the implementation of the Chip. That predates the chip since debit fees are typically lower than credit fees, and this didn't change with the chip being added since dual-option chip cards still give you the choice.

  2. Version 1.0 Silver badge

    Dear Apple

    Cancel it.

    Yours sincerely,


    1. Aitor 1

      Re: Dear Apple

      Https is wide oprn to MiTM as it relies on keys that can be issued by trusted cert orgs. Only without trusting any other than us/uk/chinese/russian/indian companies can you be relatively safe....

      1. Anonymous Coward
        Anonymous Coward

        Re: Dear Apple

        But isn't that undone by key pinning, since the MITM key would be different from the original's key?

      2. Lee D Silver badge

        Re: Dear Apple

        Sorry, but you can own the CA. That doesn't stop the data being encrypted and out of your reach.

        A CA only certifies that a particular certificate is associated with a particular domain, and that someone checked that you own the domain.

        A certificate request to a CA *DOES NOT* contain the private key. Nor can it. You sign something with your key, send it to the CA, who signs it with THEIR key, and sends it back. At no point are the keys, or any information that would help discover the key, ever sent.

        ONLY YOU have the copy of the private key that can decrypt communications made with your key, and all the CA is doing is adding their stamp of approval to your ownership of the domain in question (or that you paid them enough).

        The private key is called that because - IT'S PRIVATE. And it is only ever present on the machines handling requests from outside. The CA doesn't have it, isn't given it, and cannot work it out. You give out your PUBLIC KEY (called that because you can give it away to the general public) in the certificate, but that's what you're trying to do anyway, so people know that ONLY the person with your private key could have decrypted stuff encrypted with your public key - i.e. the data they send you can only be accessed by you).

        With certificate pinning and certificate transparency, people notice dodgy MITM certs quite quickly, and browsers can do it automatically (try faking a Google cert, even with MITM SSL, without having to import your MITM cert into your trusted store first).

        So, please, stop commenting on that which you do not understand. A secure website is secure no matter who signs your cert. If they replace your cert and try to MITM, they will throw up browser errors if you've configured your site anywhere near properly. It's that simple. Even with the full co-operation of the CA.

  3. Frank Bitterlich
    Thumb Up

    ATS is nice, buuutttt....

    .... a PITA if your app has to use a non-https data source from a third party over which you have no control. Like a radio stream.

  4. djstardust

    The thing they really need to drop

    Is their prices

    How they can even remotely justify the prices on the new MacBook Pro is beyond me given the mediocre components and cheap assembly (glue)

    1. This post has been deleted by its author

  5. Drew 11


    Does iOS support DANE yet?

  6. David Austin

    Halfway House

    I think if I was Apple, I would have been tempted to De-list all AppStore Apps that weren't compliment: Existing users could still re-download and install those apps as normal, but no new users could get it: I'm pretty sure most developers would have got a working version out the door pretty quick if new users were cut off to them.

    As with TLS 1.x and User Account Control, there's more than a fair few software houses around that seem happy to not implement new security features for as long as possible, until it ends up bothering them by irate users calling/complaining, or it just stops working

  7. Anonymous Coward
    Anonymous Coward

    Apple messed up. They had a bug in ATS in iOS 10 which made it almost impossible to comply if you used webviews (they key NSAllowsArbitraryLoadsInWebContent doesn't work) . Many companies have been in a panic and spending a lot of money trying to comply, but being hurt by bugs in iOS 10.0 and 10.1...Apparently there are still issues in 10.2 so Apple had no choice but to back off their plans. Leaving it until 21st December to announce the delay shows no respect for app developers or their businesses.

  8. Anonymous Coward
    Anonymous Coward

    ATS means no OpenSSL

    Okay, I am replying Saturdary morn without my first cuppa but .... I recall noodling around their source (when they released it) that their crypto stuff does not invoke OpenSSL.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like