from Hacker News

Handling App Transport Security in iOS 9

by Kallikrates on 8/27/15, 3:40 PM with 59 comments

  • by alexbock on 8/27/15, 3:51 PM

    Intentionally disabling security settings for your entire application just to allow advertising from companies who haven't upgraded their infrastructure seems quite user-hostile. Google is a big supporter for HTTPS, strong certificates, etc., but apparently only when it doesn't affect their bottom line. If Google told their advertising networks that they need to be using HTTPS or they won't be available for iOS users they would probably get secure connections up and running pretty quickly.

  • by cromwellian on 8/27/15, 4:05 PM

    Seems they're between a rock and a hard place. When Google proposed HTTPS everywhere, a number of people took exception because not all content has sensitive data needing protection.

    I guess the real question is whether an HTTP call to load an ad copy is sensitive content. I think you can make an argument that it is sensitive content, because if I were monitoring your connection, and everything was encrypted, but I suddenly saw lots of ads for Ashley Madison and cheating sites, I might conclude that you had been researching those in the past even if I couldn't see your other traffic.

    A better way would just to let the ad networks fix it. You can bet that after iOS9 ships, if they see a massive drop in ad traffic, they'll be burning the midnight oil to fix it ASAP.

    I mean, iOS9 betas have been out for a long time, so it's not like they haven't had time to prepare.

  • by boo_radley on 8/27/15, 4:21 PM

    This is a gross misinterpretation of what Google wrote which is : 1) Changes are coming 2) Here is best practice for app devs-- use https everywhere. 3) If you can't use https right now, figure it out soon 4) During the tranision, people are going to fuck up. To deal with these fuck ups gracefully, you can enable NSAllowsArbitraryLoads while we get our partners sorted out.

  • by DannyBee on 8/27/15, 4:25 PM

    Ignoring that it seems like the "fix" in this blog post is a really bad idea, I find it immensely funny that folks think this kind of thing is some high level decision somewhere or something deliberate and well thought out, and not "a developer relations person who got asked to make a blog post about the solution he gave some customer"

    Not that you shouldn't hold companies responsible, mind you, but everything everywhere is not some company (no matter who it is Google, Apple, etc) deliberately trying to screw you with some motive and purpose and grand conspiracy for how to achieve it in mind. Most wrong/dumb things are usually just simply random people being wrong or not thinking things through on the internet[1]

    I guess a lot of folks have never worked at any mid-size or large companies :)

    [1] The large company comment also applies to the possible retort that they should know better.A lot of large companies have 100's of "official" blogs. I'm sure corp comm/security/whoever would love to just have 1 they have to watch. But such a thing is not really the world.

  • by MrGando on 8/27/15, 4:23 PM

    I'm pretty sure Google will eventually enforce HTTPs for their third party ad-networks. The problem is that a lot of those guys live in the Paleolithic era regarding security, google needs their inventory, so it's not as simple as just saying: "dude you're going down if you don't do HTTPs now".

    And it's also easy to just say "google should just suck it up and take their losses and just do HTTPS". You have to think that a lot of games rely on Google having a big ad inventory to monetize (and it's their only revenue model).

    I don't work at Google, but do work in ad-tech. The HTTPS only move by Apple is great and will make a lot of things better... But it's going to take a while.

    PS: Check prices of CDNs with SSL... They are also expensive.

  • by st3fan on 8/27/15, 4:38 PM

    It is ok. My guess is that by the time iOS 10 is released, this execption is not temporary anymore.

    Then if you flip NSAllowsArbitraryLoads to true you will have to justify in the app review process why your app is needing that.

    And something tells me that 'making arbitrary insecure connections to ad delivery platforms' is not going to be a valid reason. You may be rejected for that. Or there may at least be a big fat warning on the app store page that says 'beware this app talks to random insecure servers'.

    It is a big win for users and the fight against lawless surveillance. Go Apple!

  • by nevir on 8/27/15, 4:20 PM

    > To ensure ads continue to serve on iOS9 devices for developers transitioning to HTTPS, the recommended ->short term fix<- is to add an exception that allows HTTP requests to succeed and non-secure content to load successfully.

    ---

    I.e. they know it sucks, and are working on something better.

  • by stavros on 8/27/15, 3:48 PM

    Linkbaity title. Google is actually asking developers to add an exception for its third-party ad network, if the developers use Google ads in their apps, since Google can't guarantee all third-party ads will be TLS-enabled.

  • by jakobegger on 8/27/15, 4:01 PM

    I wonder if the App Store Review team will check that setting? I've had a Mac App rejected because sandbox restrictions weren't narrow enough.

    If it was my decision, I'd allow disabling App Transport Security if your app is something like a browser or an RSS client, were you need to connect to servers not under your control.

    If you need to disable it to make ads work, I'd reject it.

  • by gress on 8/27/15, 3:48 PM

    For Google, delivering ads takes priority over security best practices and customer privacy.

    Edit: an unarguably true statement, fully supported by Google's own posting, begins to be downvoted.

    Google could just as easily tell the ad networks to upgrade to HTTPS, but they have chosen to ask developers to reduce the security of their applications instead.

  • by rubyalex on 8/28/15, 6:38 AM

    Google's intent is very straightforward; to disable TLS in the interest of their ad business. The post does not include how to whitelist domains (which should be recommended before you completely disable TLS). I did this today and yesterday to my iOS app and it took 2 minutes of editing Info.plist [0]. You shouldn't compromise app security in the interest of letting ad networks continue to serve unencrypted content to your user's devices.

    [0] http://ste.vn/2015/06/10/configuring-app-transport-security-...

  • by skywhopper on 8/27/15, 4:22 PM

    So, my question is, as a soon-to-be iOS9 user, can I tell that the developers have intentionally disabled security features in their apps? I'd love to be able to set a rule to just hide all non-ATS-compliant apps from my view of the App Store.