Google Instructs Advertisers on How to Bypass Apple Security - But There's More

In a note to advertisers on Wednesday, Google appeared to be instructing them how to bypass Apple's new App Transport Security. However, the issue is complicated and won't be resolved for some time. Here' a 30,000 ft view.

_______________________

Website advertising on the Internet has become a complicated affair. By coincidence, our Dave Hamilton had some important things to say about that just today. "iOS 9 Content Blockers - Bring ‘Em On!" This is a good place to start before we go on.

Most website ads to date have been delivered with the familiar http protocol. But this has introduced a modern problem. Because of the cascading hierarchy and complexity of sites and servers involved, some of those ads, more and more often, are found to be delivering malware. See, for example, this article kindly pointed out to me by John McNeely, the CEO of Sword & Shield enterprise security. "Advertising malware rates have tripled in the last year, according to report."

Meanwhile, Apple has been pushing for a more secure Internet by introducing what's called App Transport Security (ATS) in iOS 9. According Nick Arnott:

App Transport Security enforces best practices for secure network connections — notably, TLS 1.2 and forward secrecy. In the future, Apple will also update these best practices to ensure they always reflect the latest security practices that will keep network data secure.

And so, with this background in mind, on Wednesday Google published a note to its advertisers that instructed them on how to bypass ATS in those cases where they weren't ready to support it. Google's Ads Developer Blog said:

While Google remains committed to industry-wide adoption of HTTPS, there isn’t always full compliance on third party ad networks and custom creative code served via our systems. To ensure ads continue to serve on iOS9 devices for developers transitioning to HTTPS, the recommended short term fix is to add an exception that allows HTTP requests to succeed and non-secure content to load successfully.

Needless to say, this post by Google created quite a stir even though the very same post re-emphasized Google's commitment to https and a secure Internet.

The Issues

The problem boils down to the fact that the Internet is huge and the transition to 100 percent secure practices cannot be made overnight. Even so, the prospect of advertisers bypassing secure methods to preserve their ad revenue cuts both ways. Current practices both fuels the payments on the Internet to ad supported websites and also introduces vulnerabilities—for the time being.

The Security Angle

I asked security researcher Frederic Jacobs (@FredericJacobs), who has been part of this discussion, to weigh in. He wrote me:

Ever since the Snowden revelations, Apple has been emphasising privacy a lot in its communication and marketing. Tim Cook has repeatedly made statements about their commitment to privacy as a great differentiation factor from Google. HTTPS won’t stop the tracking of users but it will reduce the scope of who is tracking you. Analytics and advertising networks in Angry Birds and thousands of other applications have been used to track users by the Five Eyes. That kind of mass surveillance without requiring a warrant or collaboration of analytics companies was possible due to the lack of encryption on the wire. These revelations are likely to have triggered Apple’s reaction to push for the adoption of stronger transport encryption. We also know that Intelligence agencies are far from being the only ones to track us online. Carriers have also entered the tracking business. Verizon has been caught adding tracking headers to HTTP requests. Everybody is trying to monetize on your data, and Apple has no incentive to keep that trend rolling.

It's important to note that while a secure transaction doesn't stop the delivery of malware payloads, it does a lot of other good things. Those who apply for security certificates must identify themselves and pay. This makes them easier to track down. It also, generally, prevents things like man-in-the middle attacks. It stops malicious tracking in other ways, as described above. On the other hand, weakening security is always problematic and always seems to allow for imaginative attack methods.

The technical details can be difficult to balance. Mr. Jacobs continued with a critical analysis of the impacts.

It’s important to note that Google is not asking developers to create an App Transport Security (ATS) exemption for their domain but rather to disable ATS for the entire application. I assume that serving ads over HTTPs isn’t an issue for Google but rather third-party providers of Google’s ad network.

Therefore, even though it is technically possible to make a ATS exception for a specific domain using NSExceptionDomains, Google can’t do that because of ads being served from partner’s networks over HTTP. New partners can be added and removed so hardcoding a list of exceptions would not be conceivable. Disabling ATS might lead to intentional or unintentional downgrade attacks. An alternative however, instead of asking developers to completely disable ATS for all domains, would be to whitelist domains known to be compatible with ATS requirements as explained by Nick Arnott on his blog. [Linked to above.]

Google's Response

On Thursday, Google added a clarification to its blog page.

We've received important feedback about this post and wanted to clarify a few points. We wrote this because developers asked us about resources available to them for the upcoming iOS 9 release, and we wanted to outline some options. To be clear, developers should only consider disabling ATS if other approaches to comply with ATS standards are unsuccessful. Apple has provided a tech note describing different approaches, including the ability to selectively enable ATS for a list of provided HTTPS sites.

The Source of the Conflict

While any action that degrades a movement to more secure communications is worrisome, the fact is that many advertisers and their infrastructure are not yet ready to fully comply with the latest security protocols. It's an evolving process. And, of course, without ongoing ad revenues, many sites could not continue to operate.

According to Mr. Jacobs, Apple can't be too draconian here. "Moving large infrastructures and CDNs to HTTPS can take time and I think Apple will leave some more months to developers to make the switch. I would not be surprised however if they required all app developers to adopt ATS by iOS 9.2 or 10." [For a helpful article on Apple's overall security initiatives announced at WWDC in June, See this article by Mr. Jacobs. "Apple iOS 9: Security & Privacy Features."]

What Users Can Do

And so, in the final analysis, as the industry evolves to more secure communication standards, there are conflicting interests to be worked out. Apple is doing its part to propel us in the right direction. Meanwhile, it also remains up to the users to read, be aware of security issues, keep their systems updated, use anti-virus software on Macs & PCs to monitor http and https streams, use helpful crowdsourcing tools, and steer away from questionable websites.