During a security session at WWDC 2016, Apple highlighted steps to strengthen the security of iOS and macOS. By the end of 2016, all apps submitted to the App Store must enforce App Transport Security (ATS), which requires communications between an app and a web server to go over HTTPS.
Furthermore, Safari 10, which is set to debut on macOS Sierra, will block Adobe Flash, Java, Silverlight, and QuickTime plugins and will default to HTML5 content instead. Should you wish to use any of the aforementioned plugins, you will still be able to do so.
Enforcing HTTPS connections ensures that all data transmitted from an app to a server is encrypted in transit. ATS is baked into iOS 9, but Apple allowed developers to revert to HTTP connections. With ATS becoming mandatory by the end of the year, that's set to change:
App Transport Security (ATS) enforces best practices in the secure connections between an app and its back end. ATS prevents accidental disclosure, provides secure default behavior, and is easy to adopt; it is also on by default in iOS 9 and OS X v10.11. You should adopt ATS as soon as possible, regardless of whether you're creating a new app or updating an existing one.
If you're developing a new app, you should use HTTPS exclusively. If you have an existing app, you should use HTTPS as much as you can right now, and create a plan for migrating the rest of your app as soon as possible. In addition, your communication through higher-level APIs needs to be encrypted using TLS version 1.2 with forward secrecy. If you try to make a connection that doesn't follow this requirement, an error is thrown. If your app needs to make a request to an insecure domain, you have to specify this domain in your app's Info.plist file.
On the WebKit blog, Apple developer Ricky Mondello detailed the changes coming to Safari 10:
By default, Safari no longer tells websites that common plug-ins are installed. It does this by not including information about Flash, Java, Silverlight, and QuickTime in navigator.plugins and navigator.mimeTypes. This convinces websites with both plug-in and HTML5-based media implementations to use their HTML5 implementation.
Of these plug-ins, the most widely-used is Flash. Most websites that detect that Flash isn't available, but don't have an HTML5 fallback, display a "Flash isn't installed" message with a link to download Flash from Adobe. If a user clicks on one of those links, Safari will inform them that the plug-in is already installed and offer to activate it just one time or every time the website is visited. The default option is to activate it only once. We have similar handling for the other common plug-ins.
When a website directly embeds a visible plug-in object, Safari instead presents a placeholder element with a "Click to use" button. When that's clicked, Safari offers the user the options of activating the plug-in just one time or every time the user visits that website. Here too, the default option is to activate the plug-in only once.
Safari 10 also includes a menu command to reload a page with installed plug-ins activated; it's in Safari's View menu and the contextual menu for the Smart Search Field's reload button. All of the settings controlling what plug-ins are visible to web pages and which ones are automatically activated can be found in Safari's Security preferences.