Google Is Undermining Apple’s New Security Protections

Sarah Jeong

Google explains to devs how to circumvent a new iOS 9 security feature, because ads.

Image: JD Hancock/Flickr

Apple's iOS 9 is coming soon, and one of the new features in the mobile operating system enhances privacy and security for users by blocking unencrypted traffic for apps. It's called App Transport Security (ATS).

Google's response today was to explain to its developers how to circumvent it, so ads can load.

According to Apple's iOS 9 developer pre-release notes, App Transport Security "enforces best practices in the secure connections between an app and its back end." The notes explicitly tell developers to use HTTPS (a protocol that encrypts web traffic) as much as possible. On top of that, "your communication through higher-level APIs needs to be encrypted using TLS version 1.2 with forward secrecy. If you try to make a connection that doesn't follow this requirement, an error is thrown." Developers must manually make an exception for domains that use HTTP (which is insecure) instead of HTTPS.

Preventing or discouraging unencrypted traffic could minimize the possibility of hackers intercepting user data. It would also minimize the risk of a man-in-the-middle attack, in which the flow of data between a user and a site is tampered with by a malicious third party.

Google's blog post about ATS also recommends that developers use HTTPS, saying, "Google remains committed to industry-wide adoption of HTTPS." The post nonetheless goes on to describe in detail how to make an exception for an insecure third-party ad network and even provides sample code.

The Electronic Frontier Foundation criticized the move. "Google's done a lot of great work to encourage deployment of HTTPS, and they reiterate that in this post, but their suggested short term fix is over-broad and dangerous," said Jacob Hoffman-Andrews, senior staff technologist. "Apple's App Transport Security ensures that apps make secure connections to servers, but the fix in this post disables that protection on all domains. I think developers who install this quick fix are likely to leave it in indefinitely, leaving their apps open to sniffing."

"I'd recommend that developers not disable ATS, meaning that their apps will refuse to load insecure ads," said Hoffman-Andrews. Based on what he knows about ATS, he thinks that if developers refuse to accommodate insecure ad networks, this will force the networks to finally implement HTTPS.
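The distinction Hoffman-Andrews draws, between switching ATS off for every domain and carving out a single insecure host, is visible in an app's Info.plist. The audit script below is an added example, not code from the article, Google or Apple; the ATS keys are Apple's documented Info.plist keys, while the two sample plists and the ad-network hostname are constructed here.

```python
# Added example: flag over-broad ATS exceptions in an iOS Info.plist (defender-side audit).
import plistlib

# Constructed sample: the blanket "quick fix", which disables ATS for all domains.
WEAK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
  </dict>
</dict>
</plist>
"""

# Constructed sample: ATS stays on; only one named ad-network host (placeholder) may use plain HTTP.
SCOPED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>ads.example-network.invalid</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <true/>
        <key>NSIncludesSubdomains</key>
        <true/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""


def audit_ats(plist_bytes):
    """Return a list of findings; an empty list means ATS is fully enforced."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("HIGH: NSAllowsArbitraryLoads disables ATS for all domains")
    # Per-domain exceptions are the narrower alternative; still report each plain-HTTP host.
    for host, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            scope = " and subdomains" if rules.get("NSIncludesSubdomains") else ""
            findings.append(f"MEDIUM: plain HTTP allowed for {host}{scope}")
    return findings
```

Run it against a real Info.plist with `audit_ats(open("Info.plist", "rb").read())`; a HIGH finding is the blanket disable the EFF warned is likely to be left in place indefinitely.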

Google did not respond to a request for comment.

iOS 9 also "enables" content blocking by explicitly defining a usage policy and providing APIs for content blocking extensions for Safari (like ad blockers). In Doc Searls's words, this is "aimed straight at tracking-based advertising, known in the trade as adtech." Like ATS, ad blockers can enhance user security at the expense of advertisers, by blocking malvertising. Both content blocking in Safari and ATS place Apple on a collision course with Google, whose business model is reliant on adtech.

Update: Google has responded with an addendum to its initial blog post:

We've received important feedback about this post and wanted to clarify a few points. We wrote this because developers asked us about resources available to them for the upcoming iOS 9 release, and we wanted to outline some options. To be clear, developers should only consider disabling ATS if other approaches to comply with ATS standards are unsuccessful. Apple has provided a tech note describing different approaches, including the ability to selectively enable ATS for a list of provided HTTPS sites.

We've strongly advocated for HTTPS protection for many years and we continue to roll it out across our products.