New research from enterprise mobile threat protection firm Appthority revealed that only 3 percent of enterprise apps adhere to Apple’s new security mandate.
As the deadline for Apple’s App Transport Security (ATS) data encryption requirements on apps in the enterprise draws near, it’s safe to say that many companies have quite a bit of work to do to boost the security of their mobile apps.
In light of the fast-approaching Jan. 1, 2017 deadline, researchers from Appthority analyzed the top 200 iOS apps installed on enterprise devices worldwide to determine which ones are already using ATS and how fully the security mandate is implemented within the apps.
“Although Apple’s ATS encryption requirements go into effect in just a few weeks, Appthority researchers found that the majority of apps in the enterprise don’t fully utilize the best practices encryption standard, which should be a concern to enterprises,” Robbie Forkish, VP of engineering at Appthority, said in a statement.
“The new ATS mandate only applies to new submissions to the App Store, and Apple will be allowing exceptions to ATS, so while the requirement should strengthen data security, there will still be iOS apps not using data encryption in enterprise environments, even after Jan. 1. For this reason, it’s incredibly important that businesses have visibility into, and management of, the risks related to apps with these exceptions, as they can put enterprise data at risk.”
Appthority’s Enterprise Mobile Threat Research also showed that 83 percent of apps had ATS disabled for all network connections, while 26 percent of apps had ATS disabled at a global level, with specific exceptions set up for domains. More than half (55 percent) of the apps examined allow the use of HTTP, rather than requiring the more secure HTTPS.
According to Appthority, any existing apps that do not comply with ATS will not be removed from Apple’s App Store, but the mandate will be applied to new apps and updates to existing apps.
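The configurations counted in the findings above (ATS disabled for all connections, ATS disabled globally with per-domain exceptions, and HTTP allowed) are all declared under the `NSAppTransportSecurity` key of an app's Info.plist. The following audit sketch is an added example, not Appthority's tooling; the sample plist is constructed, the status labels are this example's own, and only the three ATS keys shown are inspected.

```python
import plistlib

# Constructed sample Info.plist (not from any real app): ATS disabled globally,
# one domain re-secured, one domain explicitly allowed to use plain HTTP.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key><dict>
      <key>api.example.com</key><dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><false/>
      </dict>
      <key>cdn.example.net</key><dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
      </dict>
    </dict>
  </dict>
</dict></plist>"""


def audit_ats(plist_bytes):
    """Classify an app's ATS configuration from its Info.plist bytes."""
    info = plistlib.loads(plist_bytes)  # accepts XML and binary plists
    ats = info.get("NSAppTransportSecurity") or {}
    global_off = bool(ats.get("NSAllowsArbitraryLoads", False))
    domains = ats.get("NSExceptionDomains") or {}
    # Domains where cleartext HTTP is explicitly permitted.
    http_domains = sorted(
        d for d, cfg in domains.items()
        if isinstance(cfg, dict) and cfg.get("NSExceptionAllowsInsecureHTTPLoads", False)
    )
    if global_off and not domains:
        status = "disabled-for-all-connections"
    elif global_off:
        status = "disabled-globally-with-domain-exceptions"
    elif http_domains:
        status = "enabled-with-http-exceptions"
    else:
        status = "enabled"
    return {
        "status": status,
        "allows_http": global_off or bool(http_domains),
        "http_exception_domains": http_domains,
    }


if __name__ == "__main__":
    print(audit_ats(SAMPLE_PLIST))
```

Run against the Info.plist extracted from each app in a managed-device inventory, the `status` and `http_exception_domains` fields give the per-app visibility into ATS exceptions that the quoted statement calls for.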