FYI.

This story is over 5 years old.

Tech

Apple Wants to Kill the Unencrypted Internet

Cupertino jumps on the "Encrypt all the Things" bandwagon.
Image: jamiga images/Shutterstock

If you're making an app for an an Apple device, Cupertino now wants you to encrypt all the things.

In what is a subtle but significant step to protect its users' privacy and security, Apple is pushing all app developers to use HTTPS, the secure protocol to encrypt internet traffic, in the apps they make for the company's new operating systems.

This way, Apple joins the ever-growing movement that is pushing for wider adoption of encryption everywhere on the web, a movement that now counts the White House as one of its stronger proponents.

Advertisement

"If you're developing a new app, you should use HTTPS exclusively."

Apple didn't announce it on stage at the big Apple-nerd fest that is the developers' conference WWDC15, but it briefly mentioned this new feature, which it calls App Transport Security, it in a post summarizing the the new features for iOS9.

"If you're developing a new app, you should use HTTPS exclusively," Apple wrote. "If you have an existing app, you should use HTTPS as much as you can right now, and create a plan for migrating the rest of your app as soon as possible."

encrypt.jpg

Image: Unknown, popular meme based on this.

What this means is that Apple is essentially starting to deprecate non-encrypted connections in its apps, according to Stefan Arentz, a mobile engineer at Mozilla.

Apple has basically deprecated HTTP in iOS 9 and OS X 10.11. To use unsecured HTTP, you have to ask for an exception in your app manifest.

Stefan Arentz☕️June 9, 2015

App Transport Security allows developers to declare what domains they need secure connections to in a file in their apps, and encourages everyone to use HTTPS exclusively instead of the traditional, non-encrypted protocol HTTP. This is not a requirement yet, but rather a strong encouragement. It shows, however, what Apple wants developers to do in the near future.

"With every major release, Apple hints at where they are heading," Frederic Jacobs, a security researcher and iOS developer who analyzed the most important security updates on iOS9, told Motherboard. "It seems pretty likely to me that they might soon reject applications that are using HTTP APIs."

Apps that only use HTTPS encryption will be safer and more private.

Apps that only use HTTPS encryption will be safer and more private. For example, spy agencies like GCHQ won't be able to harvest and sniff personal data from apps like Angry Birds, and censorship-friendly regimes like Iran will have a harder time blocking certain content without blocking the entire app, Jacobs, who is also the lead developer for the private messaging app Signal, explained.

Since it's not a requirement yet, it won't change things overnight. But "if Apple makes it mandatory in the future," iOS forensics and security researcher Jonathan Zdziarski told Motherboard, "it's a big step toward security and disclosure to the end user."