Appthority have published research that looks at the impact of Apple’s upcoming App Transport Security data encryption requirements on apps in the enterprise, set to commence on January 1, 2017.
The Appthority Enterprise Mobile Threat Research examined the top 200 iOS apps installed on enterprise devices worldwide to see how many are already using ATS, and how fully those apps have implemented it. Appthority found that only three percent of apps in today’s enterprise have implemented ATS with no exceptions.
“Although Apple’s ATS encryption requirements go into effect in just a few weeks, Appthority researchers found that the majority of apps in the enterprise don’t fully utilise the best practices encryption standard, which should be a concern to enterprises,” said Robbie Forkish, Vice President of Engineering at Appthority.
“The new ATS mandate only applies to new submissions to the App Store, and Apple will be allowing exceptions to ATS, so, while the requirement should strengthen data security there will still be iOS apps not using data encryption in enterprise environments, even after January 1st. For this reason, it’s incredibly important that businesses have visibility into, and management of, the risks related to apps with these exceptions, as they can put enterprise data at risk.”
Additional findings from Appthority’s Enterprise Mobile Threat Research show that:
- More than half of apps (55%) allow use of HTTP, instead of requiring HTTPS
- 83% of apps had ATS disabled for all network connections
- 26% of apps had ATS disabled at a global level, with specific exceptions set up for domains
Existing apps that don’t comply with the ATS mandate won’t be removed from the App Store but new apps and updates to existing apps must implement ATS by January 1 in order to be approved for the App Store. New app versions are typically released six or more times per year but, as the number of non-compliant apps rises, we could see a significant slowdown in feature rollouts and important app security patches. Enterprises will have to be continue to be vigilant about risky apps in their environments.
Appthority’s Mobile Threat Research on ATS was headed by a new member of the Appthority Enterprise Mobile Threat Team, Research Scientist Dr. Su Mon Kywe, a frequent publisher and speaker on mobile security. The report explains the technical requirements of ATS, the mechanisms Apple is providing for acceptable exceptions – those cases where ATS implementation is infeasible or unreasonably impacts performance – the reasons that some developers are not yet embracing ATS for their apps, and what ATS does and doesn’t do to help app security.
Download Appthority’s Enterprise Mobile Threat Research