
Apple Delays App Store Security Deadline For Developers

Reader Trailrunner7 writes: Apple has pushed back a deadline for developers to support a key transport security technology in apps submitted to the company's app stores. Officials said at the Apple Worldwide Developers Conference earlier this year that developers would have to support Apple Transport Security by the end of 2016. But on Thursday, the company announced that it has decided to extend the deadline indefinitely. ATS is Apple's collection of transport security standards designed to provide attack resistance for data that's sent between iOS and macOS apps and backend servers. It requires apps to support a number of modern transport security technologies, including TLS 1.2, AES-128 or stronger, and certificates must be signed using SHA-2. ATS also requires the use of forward secrecy, a key-exchange method that protects encrypted sessions even if the server certificate is compromised at some point in the future.

  • by Salgak1 ( 20136 ) <salgak AT speakeasy DOT net> on Thursday December 22, 2016 @12:39PM (#53538301)

    . . . .it's not like Apple has a good record on SSL/TLS [theguardian.com]. Heck, other reports are noting that the Apple Store itself re-directs https connects to vanilla http connections. [ycombinator.com]

    This is NOT Rocket Science. . . .

    • Re:Really ? (Score:5, Insightful)

      by TheFakeTimCook ( 4641057 ) on Thursday December 22, 2016 @01:15PM (#53538577)

      . . . .it's not like Apple has a good record on SSL/TLS [theguardian.com]. Heck, other reports are noting that the Apple Store itself re-directs https connects to vanilla http connections. [ycombinator.com]

      This is NOT Rocket Science. . . .

      Obviously, they had significant grumbling from the Dev. community.

      But this is like when they pushed back the Sandboxing requirement a few years ago: It will happen.

      How about a little less negativity, and a little more support for Apple at least attempting to drag Devs. into using more robust security?

      • by dgatwood ( 11270 )

        The sandboxing thing drove a number of very high-profile developers from the MAS, and is widely regarded as a complete failure, both because of that and because it prevented entire categories of apps from being available through the MAS, eliminating any possibility of most users realistically choosing to limit their Mac to only MAS titles and thus significantly reducing its utility as a curated app distribution channel.

        They should not be in a hurry to repeat that mistake. At least on the Mac platform, the

        • They're only forcing ATS on apps where it is appropriate. Like where the developer controls their own server. Obviously forcing ATS onto something like say, Chrome browser whose reason for being is to connect to random servers, isn't caught up in this. Apple aren't completely stupid, even though they can be bloody annoying at times.

          • by dgatwood ( 11270 )

            I've seen nothing to indicate that it was ever intended to apply only to content hosted on developers' servers. The original articles all said that ATS exceptions would go away, and that only web views would be able to make noncompliant requests, which breaks as soon as you add NSURLProtocol into the mix. Maybe that wasn't the perception Apple intended to create, but it is the one they created. (Or, more likely, that was the perception they intended to create, but they got so much backlash that they bac

    • by dgatwood ( 11270 )

      . . . .it's not like Apple has a good record on SSL/TLS [theguardian.com]. Heck, other reports are noting that the Apple Store itself re-directs https connects to vanilla http connections. [ycombinator.com]

      This is NOT Rocket Science. . . .

      Indeed, I used to work for a company whose app's downloads got blocked in various countries because the URLs were sent in the clear. My snarky comment was that app developers will care about web security as soon as Apple does.

      But the big reason the ATS mandate was absurd is that lots of apps have to be able to download arbitrary content from arbitrary URLs, and web views aren't necessarily involved. And even when they are, developers often need to work around limitations in iOS WebKit by using custom NSUR

      • Apple have said it's only mandatory where it makes sense. Where it is fundamental to the app that it be able to connect to random servers, they won't force it.

      • by tepples ( 727027 )

        Why can't an app proxy non-compliant accesses through a server controlled by the developer?

    • My concern on how Apple fucks developers around is that NOW your app has to sell for 99 cents! WTF! But wait! There's More! There is some special secret way, in other words "not published", that allows one to show their app for free! The dumb ass in charge of a simple store that offers only web apps is the wrong person to run this part of Apple.
    • by tlhIngan ( 30335 )

      Yes, the App Store does use plain HTTP connections - these are for the files downloaded so they can be rapidly and easily cached by CDNs. This is fine since the files are already internally signed and once downloaded, the signatures are verified. About all you can do is replace one app with another, so instead of downloading Pokemon Go, you end up downloading Angry Birds. (But even the IDs can be verified so this doesn't happen). Using HTTPS can hide the details of the app from snoops, but that's all it re
