
Google, sadly, tells ad developers how to disable Apple's transport security

App Transport Security is Apple's forward-looking way to make sure any communications between an app and a web server are done using TLS 1.2 and SHA256 or better security. That way nobody can eavesdrop on or tamper with your private data. Yesterday Google not only told developers how to disable it but also gave them the code to do it. From the Google Ads Developer Blog:

While Google remains committed to industry-wide adoption of HTTPS, there isn't always full compliance on third party ad networks and custom creative code served via our systems. To ensure ads continue to serve on iOS9 devices for developers transitioning to HTTPS, the recommended short term fix is to add an exception that allows HTTP requests to succeed and non-secure content to load successfully.

Not surprisingly, that caused a backlash in the security community.

What Google could have done, and arguably should have done, was help developers configure things in such a way that app traffic remained secure while working on making the ads secure as well. Instead, Google simply told them how to turn it all off. Private data connections and ads, all of it. It's the easiest approach but also the laziest and worst approach for users.

Google updated the article later in the day:

We've received important feedback about this post and wanted to clarify a few points. We wrote this because developers asked us about resources available to them for the upcoming iOS 9 release, and we wanted to outline some options. To be clear, developers should only consider disabling ATS if other approaches to comply with ATS standards are unsuccessful. Apple has provided a tech note describing different approaches, including the ability to selectively enable ATS for a list of provided HTTPS sites.

Our own Nick Arnott wrote about ATS after Apple announced it at WWDC 2015 and recommended several options, the third of which could be a better solution for developers and users both. From Neglected Potential:

Conversely, you may only want ATS to work on domains you specifically know can support it. For example, if you develop a Twitter client, there will be countless URLs you may want to load that may not be able to support ATS, though you would want things like login calls, and other requests to Twitter, to use ATS. In this case you can disable ATS as your default, then specify the URLs which you do wish to use ATS. In this case you should set NSAllowsArbitraryLoads to true, then define the URLs that you want to be secure in your NSExceptionDomains dictionary. Each domain you wish to be secure should have its own dictionary, and the NSExceptionAllowsInsecureHTTPLoads for that dictionary should be set to false.
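As an added example (not code from this article, from Google's post or from Nick Arnott's), here are the two Info.plist shapes discussed above, the blanket NSAllowsArbitraryLoads switch beside the selective variant, parsed with Python's plistlib so a reviewer can check per host whether ATS is still enforced; the hostnames are constructed.

```python
import plistlib

# Constructed Info.plist fragments (hostnames are made up for illustration).
# LAZY: the one-key change the article criticises; it switches ATS off for every host.
LAZY_PLIST = b"""<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
  </dict>
</dict>
</plist>
"""

# SELECTIVE: the Neglected Potential approach. Arbitrary loads stay on so third-party
# ad creatives can still load, but the app's own API domain gets its own dictionary
# with NSExceptionAllowsInsecureHTTPLoads = false, so ATS is enforced for it.
SELECTIVE_PLIST = b"""<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>api.example.com</key>
      <dict>
        <key>NSIncludesSubdomains</key>
        <true/>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <false/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

def ats_enforced_for(plist_bytes, host):
    """True if ATS still applies to `host` under this Info.plist, False if plain HTTP is allowed."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    for domain, cfg in ats.get("NSExceptionDomains", {}).items():
        subdomain = cfg.get("NSIncludesSubdomains", False) and host.endswith("." + domain)
        if host == domain or subdomain:
            # A listed domain is governed by its own dictionary, not by the global switch.
            return not cfg.get("NSExceptionAllowsInsecureHTTPLoads", False)
    # Unlisted hosts follow the global default: ATS is on unless arbitrary loads are allowed.
    return not ats.get("NSAllowsArbitraryLoads", False)

def audit(plist_bytes, hosts):
    """Map each host to whether ATS is enforced, e.g. to flag an app that turned it all off."""
    return {h: ats_enforced_for(plist_bytes, h) for h in hosts}
```

Running `audit` over an app's real Info.plist and its known API hosts is a quick way to tell the blanket opt-out from the selective one before the build ships.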

App Transport Security is brand new with iOS 9 and there will be some initial pain, especially for people with content like ads. But that doesn't mean the privacy and security baby should be thrown out with the bathwater. Everyone is stressed and rushed leading up to a launch, so if a company like Google recommends an easy out by just shutting security down, that out is more likely going to be taken.

Recode put it this way:

Both companies say they're moving toward the same goalpost on mobile security. The difference: When ads and security clash, Google wants to figure out a compromise, because Google is an advertising company. Apple isn't.

Everyone, platform owners and developers included, can be inclined to punt in the face of impending change. I'm optimistic, however, that Google can get it together and help developers achieve the best results for now, and better ones going forward.

Because once security and privacy is turned off, there's a good chance they'll stay that way.

Nick Arnott contributed to this article.

Rene Ritchie

Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.

  • Coincidentally Apple is also releasing a SDK that will let any developer help users block ads. Online ads are the #1 vector for the spread of malware and blocking them is the best way to protect your devices. This story demonstrates that even Google will not commit to guaranteed safe ads.
  • Google may well be indicative of the adage: the fish stinks from the head down.
  • Apple should have code recognition in place to label any apps that bypass this security feature to be marked as such. I don't think they should disallow these apps from the App Store, but I think that users should be able to make informed choices about any given app and the vulnerabilities it represents.
  • AMEN (fking Google)
  • First, I would like to say I absolutely agree with your posts. I want as much data traveling through my devices encrypted as possible. That's one of the reasons that whenever there is a paid version of an app that I use I pay for it. Well, that and I hate ads. I just read some information that leaked on the iPhone 6S and 6S Plus. Oh do I hope there is a similar article posted by you Rene come Sept. 9th if Apple officially releases info on the upcoming iPhones and they start at 16 GB. You know, with 4K video recording, $649 starting price, and being 2015 of course. I know it's good for Apple to force up sell users to a higher storage capacity by not beginning with an appropriate amount of storage. Which is great for business but "worst approach for users."
  • Pretty sure that will never happen... It will just be an article telling customers not to be so upset about the 16GB starting point because "they aren't forced to buy that model" or "for some users that's enough storage" or "Apple has initiatives to make this a vital option such as near line storage, app thinning, on demand content downloading" or any other countless disingenuous response to legitimate customer concerns and dissatisfaction on a starting storage option that's not good for customers - any customers. When ads and security clashes Google sides with security because they are an ad company first and foremost. When margins and what's best for customers clash, Apple sides with margins because they are a company first and foremost.
  • I don't think Google sides with security. But let's be real, every company in the world is after profits, period. There're only two types of companies, those that succeed and those that fail. Both of them are after profit margins and that is it. Nobody in their right mind just forms a company and doesn't expect any profits.
  • If that's the case Rene shouldn't have written this piece. Google makes most of their profit from advertising. So they are doing what's in their best interests as a company. But he has decided to write it because it's Google. The same type of pieces he keeps writing about Samsung. If he doesn't criticize Apple's choices the same way, he comes off as a cheerleader.
  • The issue here isn't just that Google can't yet support ATS in their Google Ads network, it's that the recommendation they initially gave didn't just disable ATS for Google Ads, it disabled ATS for all app traffic. It was a lazy recommendation. There was a better path for them to suggest to developers, which would still allow Google Ads to work without ATS, that they neglected to offer. That's the reason for this article. Google made an irresponsible and unnecessarily bad recommendation to iOS developers.
  • Agreed
  • Well, there is a growing list of "Rene-bashers" that never read his full articles. Case in point, He ends the article with "I'm optimistic, however, that Google can get it together and help developers achieve the best results for now, and better ones going forward." But, yeah, he is bashing Google for no good reason.
  • Sorry for the typo in my first post - I meant to say Google "doesn't side with security" because they are an ad company first and foremost (this site doesn't allow editing comments once posted for a bit)... And that was the correlation to Apple siding with margins first and foremost because they are a company.
    Meaning that companies are all about margins and Apple is no exception contrary to popular beliefs by many who want to defend or justify their choices with examples that aren't an honest representation. So while Google needs no defense because their bottom line is ad revenue so they protect that at all cost, Apple also needs no defense because their bottom line is margins and they will defend that at all cost.
    Giving reasons that Apple is releasing a 16GB as base instead of 32GB as base contrary to the reality of margins (as often many sites do) is disingenuous to customers.
  • I don't see how the article is faulting a profit-making corporation for making a profit. In some ways the economy is not so far off from the environment in terms of the outcomes of attitudes. It only makes sense that corporations do everything possible to do right and well by their customers for the long term benefit and loyalty of the customer base ... in order to keep the customers coming back.
  • Sorry for the typo I meant to type Google "doesn't side with security" because they are an ad company first and foremost.
  • Ads can be secure. In fact, I trust google the most with my info as it is of utmost importance to them to keep safe. Sent from the iMore App
  • Looks like I've added another reason I never use anything from google.
  • But you already do and have been for a while. Posted via the iMore App for Android
  • How do you figure?
  • you are posting on this site. ever take a look at what imore is collecting from you?
  • Ghostery
  • ghostery is owned by an advertising company.
  • Right, dude, whatever you say....(insert rolling of eyes here)...
  • ignorance is bliss. but hey, privacy may not mean much to you but it does to some.
  • He's referring to google-analytics, emjayes, and unless you're blocking it via NoScript or a similar plug-in, then yes, you are using something from Google.
  • It's not ignorance or a lack of concern for privacy (just the opposite--Duh!), it's the use of the word "use." I do block them as much as possible, but, even if not, it wouldn't contradict my original statement. Now go away or I shall taunt you googlites a second time-ah...
  • insult away oh insecure one, but the fact remains you appear to use google products by just participating here and are too ashamed to admit it. It's quite funny that you refuse to believe the evidence that is on your own browser.
  • Reading comprehension isn't your strong suit is it, ye who insults with impunity?!
  • AMEN
  • just contribute to websites that support Google and their privacy stealing efforts. got it
  • while it's supposed to be a temporary fix, why would ad companies switch back to a secure connection. Seems to me in order to avoid future problems companies would stick with the less secure option.
  • Agreed, but it is really the software developer that makes that choice. Fictitious scenario: I am a developer with several apps in the App Store. I am writing a new app that I am testing against iOS9 beta. Some of my ads don't work properly during testing. I look through the new Apple docs and see that there is a new security feature that is blocking the ads. I search for how to turn it off and find the Google post in question. I turn off the feature and everything works as designed. Done and done. Google should be telling people the work-around that Nick Arnott described instead, but some bright spark at Apple needs to campaign to help the companies that serve up insecure ads to fix their encryption. Developers that write ad-driven apps are unlikely to switch ad methods if there is a published "fix" to the "problem", so the real fix is to address the insecure ad servers.
  • Aaaaaand fighttt!!!!! Sent from the iMore App
  • So if Apple announced this workaround at WWDC, is Google just repeating the workaround?
  • Apple didn't announce the workaround at WWDC. They do cover it in their documentation of App Transport Security, but it is documented alongside all the other available keys for configuring App Transport Security to work with your app.
  • Apple already told developers how to disable this encryption at WWDC way before Google did. Why didn't anyone write an article about that? Heck, it's even in their developer documentation.
  • Because this is iMore, where Apple can do no wrong and anything Google does is automatically wrong.
  • There's a small, but significant difference. From your link:
    "You can specify exceptions to the default behavior in the Info.plist file in your app or extension." From Apple's iOS Developer Library documentation:
    "If your app needs to make a request to an insecure domain, you have to specify this domain in your app's Info.plist file." Google:
    "Publishers can add an exception to their Info.plist to allow *any* insecure connection"
  • The meaning behind both is the same? Both specify a means (exceptions in Info.plist) by which to allow connections to insecure domains without qualification. You're playing a game of semantics.
  • Check the Google link in the article. Below the explanation, there's a graphic that shows how you can allow whatever non-encrypted connection in with a single line. If there's a setting somewhere that allows for more granular control, then Google didn't do a good job with the documentation (not a crime, any documentation outside OpenBSD man pages is crap anyway) which in turn would obviously lead to articles like this one.
  • Apple is perfect around here.
  • Yah, and given how many reflexive anti-Apple folks and Rene-haters hang out here to spew their OCD analyses, it certainly does attract lots of foreign perfectionists, doesn't it?!
  • If by OCD analyses you mean thought...
  • "If by OCD analyses you mean thought..." Nope.
  • Some of us just think imore, and in particular Rene, should hold Apple to the same standards they hold Apple's competition. I don't hate Apple. I own a lot of their products. And that's why I visit this site regularly. I also don't hate Rene. I subscribe to a lot of his podcasts and read most of his articles on imore. I just believe ethically he does his readers injustice when he's not objective about Apple and its competition. I'm critical because I want to see him, and imore, become a better and more objective source of tech news, as opposed to Apple's PR echo chamber.
  • "...more objective source..." compared to what?! Do you subscribe to the naive notion that news outlets are objective?! This is an Apple-centric, Apple enthusiast site. Rene is "objective" and fair, writing from his perspective as an experienced tech writer, enthusiast, and expert in this industry. I've been reading him for about 4 years and all the complaints I see here are simply ignorant, immature nonsense. If you want to read writing and analysis from a different perspective, go elsewhere. Why keep complaining about what you know is the perspective of iMore and/or Rene?! Stop your whining and go elsewhere! It's getting quite tiring and annoying! And remember: the mainstream, corporate media are hardly "objective." They are as "liberal" as the corporations that own them. This little site is just trying to be entertaining and informative about all things Apple and things related to what they believe their readers are interested in. Stop making such a big deal about whether or not they're up to your standards of "objective" tech journalism: if you don't like it, find another site that's closer to your perspective (or start your own) and stop wasting our time with your repetitive comments! Thank you.
  • Yes, I subscribe to the notion that good news outlets are objective, and good journalists have integrity. Apparently, that's too much to ask for these days. Rene's job, as a journalist, is to help me reach an informed opinion based on thorough research and objective analysis. His job is not to gloat about how Apple can do no wrong. Or serve as an unofficial arm of Apple's PR department. I come here for Apple-related tech news, not fanboyism, PR fluff, or occult worship. I can read Daring Fireball if I want to get drunk on Apple Kool Aid. If my "whining" is tiring and annoying, you have two options. Deal with it. Or ignore it. Thank You.
  • There y'all go again: "fanboyism, PR fluff, or occult worship....getting drunk on Apple Kool Aid." Exaggeration, cliches, and distortion that, yes, are really getting old. Except for the "occult" worship--we're now going to do some voodoo on you, so watch out!!
  • Wow! Just one week after Rene Ritchie writes an article putting down someone who is "fear-mongering" about the way Apple is handling something, he goes and writes his own fear-mongering article! LOL! Of course, it just goes along with the dozens of other fear-mongering articles he's written in the past. What a low-life... As they say, "Nothing to fear but fear-mongering itself."