iOS app developers take shortcuts on security
Despite Apple requiring developers to build end-to-end encryption into their apps, a large number of apps don't comply, according to a new report.
The study from mobile security company Wandera analyzed more than 30,000 of the iOS apps most commonly used by employees and found that more than two-thirds of apps don't enable App Transport Security (ATS).
ATS is a networking security feature offered by Apple to help developers comply with data privacy requirements to encrypt data. According to the report, 67.8 percent of apps disable ATS globally and don't set any granular exceptions for specific functions.
A large percentage (45.7 percent) of paid apps have ATS globally enabled, while the vast majority (68.5 percent) of free apps have ATS completely disabled. More than three quarters of apps with ATS globally disabled (77.3 percent) do not specify any exception domains, so the safeguards are completely disabled for all network communication.
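The difference between globally disabled ATS and a scoped exception is visible in an app's Info.plist. The following audit sketch is an added example, not code from the Wandera report: the sample plists are constructed, and the function name `classify_ats` and its posture labels are hypothetical. It inspects only the `NSAllowsArbitraryLoads` and `NSExceptionDomains` keys under `NSAppTransportSecurity`.

```python
import plistlib

HEADER = b'<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0"><dict>\n'
FOOTER = b"</dict></plist>"

# Constructed sample Info.plist files (not taken from any real app).
# 1) ATS switched off for every connection, no exception domains.
ATS_DISABLED = HEADER + b"""<key>NSAppTransportSecurity</key>
<dict><key>NSAllowsArbitraryLoads</key><true/></dict>
""" + FOOTER

# 2) ATS left on, with cleartext HTTP allowed for one named host only.
ATS_SCOPED = HEADER + b"""<key>NSAppTransportSecurity</key>
<dict>
  <key>NSExceptionDomains</key>
  <dict>
    <key>legacy.example.com</key>
    <dict><key>NSExceptionAllowsInsecureHTTPLoads</key><true/></dict>
  </dict>
</dict>
""" + FOOTER

# 3) No ATS dictionary at all: the platform default (ATS on) applies.
ATS_DEFAULT = HEADER + b"<key>CFBundleName</key><string>Sample</string>\n" + FOOTER


def classify_ats(info_plist_bytes):
    """Return (posture, insecure_domains) for an Info.plist given as bytes."""
    info = plistlib.loads(info_plist_bytes)
    ats = info.get("NSAppTransportSecurity") or {}
    globally_off = ats.get("NSAllowsArbitraryLoads") is True
    exceptions = ats.get("NSExceptionDomains") or {}
    # Domains that explicitly permit cleartext HTTP.
    insecure = sorted(
        domain for domain, cfg in exceptions.items()
        if isinstance(cfg, dict)
        and cfg.get("NSExceptionAllowsInsecureHTTPLoads") is True
    )
    if globally_off and not exceptions:
        return "disabled-globally-no-exceptions", insecure
    if globally_off:
        return "disabled-globally-with-exceptions", insecure
    if insecure:
        return "enabled-with-insecure-exceptions", insecure
    return "enabled", insecure


if __name__ == "__main__":
    for name in ("ATS_DISABLED", "ATS_SCOPED", "ATS_DEFAULT"):
        print(name, classify_ats(globals()[name]))
```

The first posture corresponds to the case the report describes as safeguards being completely disabled for all network communication; the second sample limits the weakening to a single listed domain.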
The App Review Guidelines currently state that developers need to supply a justification for disabling ATS, but, as the report points out, this need not be particularly strong. The authors note, "Perhaps the reason many developers disable ATS, despite Apple's efforts, is because they don't actually understand how it works due to its complexity. Or maybe they are taking the easy way out by just submitting all the domains their apps need as exceptions to avoid any potential interruptions to the end-user experience due to incompatibility with servers."
You can get the full report from the Wandera site.