Security firm Wandera scanned over 30,000 iOS apps and found that 67.7% of them disable App Transport Security on purpose.
App Transport Security
App Transport Security (ATS) requires apps to either support best-practice HTTPS or declare their security limitations via a property in their Info.plist. In 2016 Apple announced that it would make ATS required for all iOS apps by January 2017, but backtracked in December 2016.
App developers may have good reasons for disabling ATS. Apps talk to third-party advertising, market research, analytics and file hosting services, and these external services may not support HTTPS connections. Advertising networks such as MoPub and Google AdMob recommend disabling ATS completely to ensure ads are loaded correctly.
Wandera says that advertising is the reason apps don’t use ATS. Ad frameworks' documentation often instructs developers to disable ATS, which prevents iOS from blocking network communication to ad servers if there is an error.
The security firm cautions, though, that an app disabling ATS doesn’t necessarily mean it isn’t using encrypted HTTPS connections. It just means system safeguards are disabled and there is much more room for error.