During Apple’s Worldwide Developers’ Conference in June, specifically the ‘What’s New in Security’ session, Apple Engineering Manager Lucia Ballard noted that the App Transport Security measure which was introduced last year will be enforced at the end of 2016. This will have a big impact on mobile operators who were using HTTP Header Enrichment for sharing subscriber profile or identity information, either for their own applications or partner applications. Mobile operators need to start planning now in order to provide business continuity to applications that relied on HTTP Header Enrichment.
What did Apple say?
Let’s first review what Apple said. Here is the transcript of what Ms Ballard stated in the context of App Transport Security:
“Well, now is the time to revisit it because this year we're starting to enforce App Transport Security at the App Store. This is going to kick in at the end of 2016 and it means that for most exceptions you'll need to provide a reasonable justification. So, for all of these exceptions that actually turn off App Transport Security, or its key properties like using TLS 1.2, you'll need to explain why you need to use this exception in the first place.”
What does it mean?
Starting Jan 1, 2017, Apple will not approve applications or application updates that make plain HTTP requests from the application to the server. Apple wants developers to use TLS for all calls made from the application to the server using NSURLSession or NSURLConnection. This requirement will be enforced when applications or application updates are submitted to the App Store. To be specific, Apple recommends TLS 1.2 connections with strong cryptography such as AES-128 or better and certificates signed with SHA-2.
While Ms Ballard did mention that developers will ‘need to provide reasonable justification…’ if they cannot comply with this requirement, it has been said that Apple is very strict about this policy and is not approving requests to allow HTTP connections.
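To make the ‘exception’ concrete, here is an added example (not from the post or from Apple) of what an ATS exception looks like in an app’s Info.plist; the host name api.example-operator.net is a placeholder. The first fragment is the kind of configuration that, per the transcript, will need a justification at submission; the second leaves ATS at its defaults.

```xml
<!-- Fragment 1 (added example): an ATS exception that turns off the
     HTTPS requirement and relaxes the TLS 1.2 requirement for one host.
     This is the kind of exception that now needs a justification.
     "api.example-operator.net" is a placeholder host, not a real one. -->
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>api.example-operator.net</key>
        <dict>
            <!-- apply the exception to every subdomain too -->
            <key>NSIncludesSubdomains</key>
            <true/>
            <!-- allow plain http:// loads to this host (what header
                 enrichment relied on) -->
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <!-- accept TLS 1.0 instead of the ATS default of TLS 1.2 -->
            <key>NSExceptionMinimumTLSVersion</key>
            <string>TLSv1.0</string>
            <!-- drop the forward-secrecy cipher-suite requirement -->
            <key>NSExceptionRequiresForwardSecrecy</key>
            <false/>
        </dict>
    </dict>
</dict>

<!-- Fragment 2 (added example): no exception at all. Every connection
     must then use HTTPS with TLS 1.2, a forward-secret cipher suite and
     a SHA-2 signed certificate chain, which is what Apple recommends. -->
<key>NSAppTransportSecurity</key>
<dict/>
```

On macOS, `nscurl --ats-diagnostics --verbose https://<host>` reports which ATS settings a given server would pass or fail, which is a quick way to check a backend before removing an exception.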
How does it impact mobile operators?
Several mobile operators rely on HTTP Header Enrichment technology to pass subscribers’ identity or profile information to their partners or home-grown applications. This HTTP Header Enrichment mechanism allows them to enable Single Sign-On or provide a customized user experience to their users. On average, mobile operators have several hundred URLs configured for Header Enrichment, and some of these URLs are for applications. With Apple’s App Transport Security mandate, the HTTP calls from application to server will need to be replaced with HTTPS calls. HTTPS encrypts the request end to end between the app and the server, so the operator’s network can no longer insert headers into it; this breaks the process that operators have relied on for so long and will change the user experience of operator-owned and partner applications.
We believe the impact of Apple’s App Transport Security is not limited to iOS apps. Many developers share the server backend for iOS and Android apps, and as they upgrade their server infrastructure to comply with Apple’s App Transport Security mandate, they will most likely use HTTPS for Android apps as well. Also, several developers use cross-platform frameworks to build multiplatform apps, and as they switch to HTTPS URL schemes to comply with Apple’s mandate, those HTTPS URL schemes will be carried over to the applications on other platforms.
What options do operators have?
New problems need new solutions. While operators cannot perform HTTP Header Enrichment on HTTPS traffic, there are other ways to meet the goal of sharing subscribers’ identity or profile information with partner applications. Our SmartidM solution was built to solve such problems in an innovative manner that works for HTTPS traffic, offering privacy compliance and real-time communication. We are working with several Tier 1 mobile operators globally to solve this problem and help them comply with Apple’s App Transport Security mandate.
Are you prepared?