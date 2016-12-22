Apple Delays App Store Security Deadline For Developers 20
Reader Trailrunner7 writes: Apple has pushed back a deadline for developers to support a key transport security technology in apps submitted to the company's app stores. Officials said at the Apple Worldwide Developers Conference earlier this year that developers would have to support Apple Transport Security by the end of 2016. But on Thursday, the company announced that it has decided to extend the deadline indefinitely. ATS is Apple's collection of transport security standards designed to provide attack resistance for data that's sent between iOS and macOS apps and backend servers. It requires apps to support a number of modern transport security technologies, including TLS 1.2, AES-128 or stronger, and certificates must be signed using SHA-2. ATS also requires the use of forward secrecy, a key-exchange method that protects encrypted sessions even if the server certificate is compromised at some point in the future.
.it's not like Apple has a good record on SSL/TLS [theguardian.com]. Heck, other reports are noting that the Apple Store itself re-directs https connects to vanilla http connections. [ycombinator.com]
Obviously, they had significant grumbling from the Dev. community.
But this is like when they pushed-back the Sandboxing requirement a few years ago: It will happen.
How about a little less negativity, and a little more support for Apple at least attempting to drag Devs. into using more robust security?
The sandboxing thing drove a number of very high-profile developers from the MAS, and is widely regarded as a complete failure, both because of that and because it prevented entire categories of apps from being available through the MAS, eliminating any possibility of most users realistically choosing to limit their Mac to only MAS titles and thus significantly reducing its utility as a curated app distibution channel.
They should not be in a hurry to repeat that mistake. At least on the Mac platform, the
They're only forcing ATS on apps where it is appropriate. Like where the developer controls their own server. Obviously forcing ATS onto something like say, Chrome browser whose reason for being is to connect to random servers, isn't caught up in this. Apple aren't completely stupid, even though they can be bloody annoying at times.
Indeed, I used to work for a company whose app's downloads got blocked in various countries because the URLs were sent in the clear. My snarky comment was that app developers will care about web security as soon as Apple does.
But the big reason the ATS mandate was absurd is that lots of apps have to be able to download arbitrary content from arbitrary URLs, and web views aren't necessarily involved. And even when they are, developers often need to work around limitations in iOS WebKit by using custom NSUR
Apple have said its only mandatory where it makes sense. Where it is fundamental to the app that be able to connect to random servers, they won't force it.
Probably a couple decades.
Probably a couple decades.
If the earlier lesson with the "Sandboxing" requirement deadline is any indication, we're talking a few months, not a few years...
Besides breaking a lot of apps, what good would it do to enforce it? It would take all of a day to write a basic emulation layer to pass NSURLRequest objects to libcurl. This already got delayed once by six months, and now it is delayed indefinitely because it breaks major apps by major companies in ways that can't readily be fixed without abandoning Apple's networking stack, which some folks are probably already doing in response. The policy backfired, and chances are good that it will *never* be implem
