Just a few days ago, the highly anticipated iOS 10 was released to the public. This upgrade included some major changes like the introduction of widgets as well as something slightly less crucial, depending on who you are: improved emoji support. However, what the release of iOS 10 signals for the digital advertising community is the increased prominence of App Transport Security, or ATS.
ATS was originally introduced in iOS 9 with the goal of further securing user data. With ATS enabled, all of the connections that are made by the app must be TLS 1.2 compliant with forward secrecy enabled. In layman's terms, all of the network calls from the app must not only use HTTPS but also leverage the latest standards in network security. Currently, Apple provides a way to globally turn off ATS or make a partial exception such as not requiring forward secrecy.
One key part of Apple's announcement was that ATS will be required of all apps starting January 2017. What this actually means is that while the exceptions that were previously available will continue to exist, the App Store review process will require a reasonable justification for using ATS exceptions. Assuming ad serving does not automatically constitute a reasonable justification, there are serious implications for our industry, namely delivery and rendering of creatives.
So now we know this is potentially a big problem, if we did not already. Let's talk about ways to overcome this.
There are three main components that need to be secured for ATS. I am going to touch on each point briefly and outline any challenges.
- Mobile SDK
- Ad Server
- Creatives
The Mobile SDK needs to ensure all of its network calls are secure, with TLS 1.2 and forward secrecy enabled. The challenge will come from making sure calls to and from all of the mediated or partner SDKs are also secure.
The Ad Server that the SDK makes ad requests to needs to be fully compliant with the ATS requirements. This means any entity that the SDK reaches out to, which may be a load-balancer, is required to offer a sufficiently secure connection.
Finally, creatives will need to meet the ATS requirements. For creatives that are hosted on the same stack as the Ad Server, enforcing the requirements may be fairly straightforward; however, when it comes to third-party creatives, additional work will need to be completed.
AppNexus fully understands the importance of ATS and has proactively put in the investment necessary to overcome the problem. The next release of the iOS SDK will feature full HTTPS support, giving developers a choice to use secure connections, while maintaining an option to use standard HTTP connections as well. Additionally, the AppNexus Impression Bus (the backbone for our Ad Server) has begun the migration to fully support TLS 1.2 with forward secrecy enabled, with the full completion scheduled in the coming months. On the creative front, all creatives hosted on AppNexus will be ATS compliant. For third-party creatives, a new scanning system is being developed to check for details that will determine ATS compliance. All third-party creatives will be scanned before they can be declared ATS compliant, and even after the first approval, each creative will continue to be scanned for subsequent compliance.
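To make the idea of scanning a third-party creative concrete, here is an added example; it is not AppNexus code and does not describe how the AppNexus scanner works. It assumes a creative is an HTML snippet and that TLS handshake results per host were collected separately; the function names, sample markup, and hostnames are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class _Resources(HTMLParser):
    """Collect URLs the creative fetches while rendering."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            # <a href> is a click-through, not a render-time fetch, so skip it.
            if value and (name == "src" or (name == "href" and tag == "link")):
                self.urls.append(value.strip())

def handshake_meets_ats(tls_version, cipher_name):
    """Inputs shaped like ssl.SSLSocket.version() and .cipher()[0]."""
    if tls_version == "TLSv1.3":
        return True  # every TLS 1.3 suite uses ephemeral key exchange
    # Assumption of this example: forward secrecy means an ECDHE suite.
    return tls_version == "TLSv1.2" and cipher_name.startswith("ECDHE-")

def scan_creative(creative_html, handshakes):
    """Return (url, reason) for each resource that fails the checks."""
    parser = _Resources()
    parser.feed(creative_html)
    findings = []
    for url in parser.urls:
        parts = urlsplit(url)
        if parts.scheme.lower() != "https":
            # Also catches relative and protocol-relative URLs (scheme unknown).
            findings.append((url, "not https"))
        elif parts.hostname not in handshakes:
            findings.append((url, "no handshake data"))
        elif not handshake_meets_ats(*handshakes[parts.hostname]):
            findings.append((url, "TLS below 1.2 or no forward secrecy"))
    return findings

# Constructed sample creative and constructed handshake observations.
SAMPLE_CREATIVE = """<div>
  <a href="http://advertiser.example/landing"><img src="https://cdn.example/banner.png"></a>
  <script src="http://tracker.example/pixel.js"></script>
  <img src="https://legacy.example/1x1.gif">
  <link rel="stylesheet" href="https://cdn.example/ad.css">
</div>"""
SAMPLE_HANDSHAKES = {
    "cdn.example": ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
    "legacy.example": ("TLSv1.2", "AES128-SHA"),  # static RSA key exchange
}
```

Calling `scan_creative(SAMPLE_CREATIVE, SAMPLE_HANDSHAKES)` flags the plain-HTTP script and the HTTPS pixel whose host negotiated a suite without forward secrecy, which is why a scheme check alone is not enough.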
We are confident that with these efforts, combined with education and training geared towards publishers and advertisers, we can help lead a smooth transition into the ATS-enabled world.
Shawn Hong is a Product Manager on Mobile at AppNexus.