
Few iOS apps in enterprises meet Apple’s new security mandate

Most iOS apps in the enterprise pose potential security risks, according to research by Appthority

Only 3% of the top 200 iOS apps installed on enterprise devices worldwide have fully implemented Apple’s coming data encryption requirements, research shows.

In June 2016, Apple announced that App Transport Security (ATS) will become a requirement for new App Store apps from 1 January 2017.

ATS, introduced in iOS 9, forces an app to connect to web services over HTTPS rather than plain HTTP, so that data is encrypted while in transit.

With less than a month to go before ATS becomes a requirement, researchers at enterprise threat protection firm Appthority found just six of the 200 top enterprise iOS apps conform to ATS.

“Appthority researchers found that the majority of apps in the enterprise don’t fully utilise the best practices encryption standard, which should be a concern to enterprises,” said Robbie Forkish, vice-president of engineering at Appthority.

“The new ATS mandate only applies to new submissions to the App Store, and Apple will be allowing exceptions to ATS, so, while the requirement should strengthen data security, there will still be iOS apps not using data encryption in enterprise environments, even after 1 January 2017.

“For this reason, it’s incredibly important that businesses have visibility into, and management of, the risks related to apps with these exceptions, as they can put enterprise data at risk,” he said.

The research also revealed that 55% of apps in use by enterprises allow the use of HTTP instead of requiring HTTPS, 83% had ATS disabled for all network connections, and 26% had ATS disabled globally but with specific exceptions configured for individual domains.
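The postures described above (ATS fully enforced, HTTP allowed for particular domains, ATS disabled for all connections, and ATS disabled globally with per-domain exceptions) are all expressed through the NSAppTransportSecurity dictionary in an app's Info.plist. The following audit script is an added example, not code from Appthority, Apple or Computer Weekly; it reads an Info.plist, classifies the app into one of those four categories using Apple's documented ATS keys, and tallies a set of apps the way the research reports its percentages. The four plist fragments, the com.example bundle identifiers and the domain names are constructed for this example.

```python
"""Audit an iOS app's App Transport Security (ATS) posture from its Info.plist.

Added example (not Appthority's or Apple's code). It relies only on the
documented NSAppTransportSecurity keys: NSAllowsArbitraryLoads,
NSExceptionDomains, NSExceptionAllowsInsecureHTTPLoads,
NSExceptionMinimumTLSVersion and NSIncludesSubdomains.
"""
import plistlib
from collections import Counter


def _plist(dict_body: str) -> bytes:
    """Wrap a <dict> body in an XML plist envelope (constructed samples only)."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0">\n'
        f"<dict>\n{dict_body}\n</dict>\n</plist>\n"
    ).encode()


# Constructed Info.plist fragments, one per posture named in the research.
SAMPLES = {
    # No NSAppTransportSecurity dictionary at all: ATS defaults apply everywhere.
    "enforced": _plist(
        "  <key>CFBundleIdentifier</key><string>com.example.enforced</string>"
    ),
    # ATS switched off for every connection.
    "disabled": _plist(
        "  <key>CFBundleIdentifier</key><string>com.example.disabled</string>\n"
        "  <key>NSAppTransportSecurity</key>\n  <dict>\n"
        "    <key>NSAllowsArbitraryLoads</key><true/>\n  </dict>"
    ),
    # ATS off globally, but per-domain entries override that: a listed domain
    # with NSExceptionAllowsInsecureHTTPLoads false gets ATS back, while one
    # with it true keeps plaintext HTTP and here also accepts TLS 1.0.
    "global_off_with_exceptions": _plist(
        "  <key>CFBundleIdentifier</key><string>com.example.partial</string>\n"
        "  <key>NSAppTransportSecurity</key>\n  <dict>\n"
        "    <key>NSAllowsArbitraryLoads</key><true/>\n"
        "    <key>NSExceptionDomains</key>\n    <dict>\n"
        "      <key>api.example.com</key>\n      <dict>\n"
        "        <key>NSExceptionAllowsInsecureHTTPLoads</key><false/>\n"
        "        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.2</string>\n"
        "      </dict>\n"
        "      <key>legacy.example.com</key>\n      <dict>\n"
        "        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>\n"
        "        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>\n"
        "      </dict>\n    </dict>\n  </dict>"
    ),
    # ATS on globally, HTTP permitted for one domain tree only.
    "domain_http": _plist(
        "  <key>CFBundleIdentifier</key><string>com.example.cdn</string>\n"
        "  <key>NSAppTransportSecurity</key>\n  <dict>\n"
        "    <key>NSExceptionDomains</key>\n    <dict>\n"
        "      <key>cdn.example.com</key>\n      <dict>\n"
        "        <key>NSIncludesSubdomains</key><true/>\n"
        "        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>\n"
        "      </dict>\n    </dict>\n  </dict>"
    ),
}


def audit_ats(plist_bytes: bytes) -> dict:
    """Classify one app's ATS configuration and list the domains it weakens."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity") or {}
    arbitrary = bool(ats.get("NSAllowsArbitraryLoads", False))
    domains = ats.get("NSExceptionDomains") or {}

    http_domains = []        # plaintext HTTP explicitly permitted
    weak_tls_domains = []    # allowed to negotiate below TLS 1.2
    reenabled_domains = []   # listed under a global disable, so ATS is restored
    for name, cfg in domains.items():
        if cfg.get("NSExceptionAllowsInsecureHTTPLoads", False):
            http_domains.append(name)
        elif arbitrary:
            # Per Apple's precedence rules a per-domain entry overrides the
            # global setting, and the per-domain default is HTTPS only.
            reenabled_domains.append(name)
        if cfg.get("NSExceptionMinimumTLSVersion", "TLSv1.2") in ("TLSv1.0", "TLSv1.1"):
            weak_tls_domains.append(name)

    if arbitrary and domains:
        posture = "ats_disabled_globally_with_domain_exceptions"
    elif arbitrary:
        posture = "ats_disabled_for_all_connections"
    elif http_domains or weak_tls_domains:
        posture = "ats_enforced_with_http_exceptions"
    else:
        posture = "ats_fully_enforced"

    return {
        "bundle": info.get("CFBundleIdentifier", "<unknown>"),
        "posture": posture,
        "allows_plaintext_http": arbitrary or bool(http_domains),
        "http_domains": http_domains,
        "weak_tls_domains": weak_tls_domains,
        "ats_reenabled_domains": reenabled_domains,
    }


def fleet_summary(plists) -> dict:
    """Count postures across many apps, as the research reports percentages."""
    return dict(Counter(audit_ats(p)["posture"] for p in plists))


if __name__ == "__main__":
    for label, data in SAMPLES.items():
        print(label, audit_ats(data))
    print(fleet_summary(SAMPLES.values()))
```

Run against a real app, the Info.plist comes from the unpacked .ipa (Payload/&lt;App&gt;.app/Info.plist, which may be a binary plist; plistlib handles both forms). The "ats_reenabled_domains" list matters for review: an app that sets NSAllowsArbitraryLoads but lists its own API domain with the secure defaults is in the 26% category, not the 83% one, and the remaining traffic is still unprotected.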


According to Appthority, existing apps that do not comply with the ATS mandate will not be removed from the App Store, which means enterprises will have to continue to be vigilant about apps in their environments.

The research is aimed at explaining the technical requirements of ATS, the mechanisms Apple is providing for acceptable exceptions, and what ATS does and does not do to help app security.

James Lyne, global head of security research at Sophos, has warned that insecure commercial and internal mobile app coding practices leave the door wide open to cyber attackers.

A lot of emphasis is placed on the millions of mobile malware samples being detected, but he said insecure apps could represent an even greater threat.

“Programming practices are pretty bad, despite there being ready-made security functionality available to consumers, but this is just not being used,” he told Computer Weekly in February 2016.

Lyne, who conducted an analysis of 1,000 top apps focusing on encryption, data transmission, authentication and data storage, said it was “quite shocking” how many applications, including large brands, fail to make use of the security features available on mobile devices. 
