Apple Delays ATS Compliance – Secure Your Apps Anyway with Crypto-ID SDK

December 27th, 2016 Development Notes

 


Apple was set to begin enforcing App Transport Security in iOS applications and their servers on January 1st, 2017, but extended the deadline at the last minute. According to Apple’s Developer Portal,

“App Transport Security (ATS), introduced in iOS 9 and OS X v10.11, improves user security and privacy by requiring apps to use secure network connections over HTTPS. At WWDC 2016 we announced that apps submitted to the App Store will be required to support ATS at the end of the year. To give you additional time to prepare, this deadline has been extended and we will provide another update when a new deadline is confirmed.”

The company obviously ran the ATS adoption rates and exception rates of App Store programs and decided it simply cannot enforce ATS right now because too many apps would be non-compliant. It is a bit like asking what you do when you learn that 75% of your employees failed a drug test.

Apple had two great ideas with ATS: to retire the usage of older versions of TLS and specific types of certificate signatures, and to enforce the usage of HTTPS. As a platform developer, it is important for Apple to protect application users and their devices. So what went wrong?

First of all, compliance with ATS is too difficult for too many developers, even with Let's Encrypt. That’s because the server certificate needs a public Certification Authority signature so that the iOS device will trust it. Second, doing something with an SSL certificate is like a yearly fire drill for most people, and not worth automating.

ATS should be a prerequisite for any responsible app developer.  However, the basic assumptions here are all wrong. People think that they need an SSL certificate for a meaningful domain name, such as “MyCompany.com.”  Meaningful to whom? A human. Why? So that it can be typed into a browser. In the context of a mobile app, this is simply no longer necessary.

Beame.io has a solution to fit this exact model. All iOS developers will soon be able to take advantage of Beame.io’s easy and cheap way to put a standard SSL certificate on the mobile device with the beame-crypto-ID SDK. 

What you get in the box: an FQDN, a publicly trusted SSL certificate, a private key, a blockchain ledger, plus a proxy service which makes the device instantly available through HTTPS.

Won’t latency be a problem if you’re going through a Beame.io proxy? If you don’t want to go through our proxy, that’s even better. There is a new API coming out to let you point your FQDN to a public IP address.

If you have several servers, you can get each one its own certificate. Or, you could load one into a load-balancer. Most importantly, you can get a bunch of hostnames, and a bunch of matching SSL certificates, very easily. You won’t have to remember their names or type them in anywhere; just add them to your Info.plist and away you go.

iOS developers in the beta can get up to 50 beame-crypto-IDs for free to use with their iOS apps to make them ATS-compliant!

You can start using our tools today with beame-insta-SSL, which gives you a free SSL certificate and secure tunneling from machines. If you like it, you can sign up for the private beta of the beame-crypto-ID SDK.
