Developers have shunned features provided in iOS to ensure data privacy, research by mobile security company Wandera showed.

A study of 30,000 iOS apps commonly used by employees found more than two-thirds do not use Apple’s App Transport Security (ATS), which ensures apps and their extensions connect to web services using secure connection protocols.

While ATS is enabled by default and Apple’s app review guidelines state developers must justify disabling it, Wandera said its research showed this process is not onerous.

It noted developers may have good reasons for disabling ATS, for example enabling connection to third-party advertising, market research, analytics and file hosting: advertising networks MoPub and Google AdMob recommend disabling ATS to ensure ads load correctly.

But developers do have the option to set ATS exceptions for specific functions within an app, meaning it is not a straight off/on choice, though this is not a common approach.
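The difference between switching ATS off globally and scoping an exception shows up in an app's Info.plist. The following is an added example, not code from Wandera or the original article: a small Python check that classifies an Info.plist by its ATS settings. The function name `audit_ats`, the sample plists and the domain `ads.example.com` are constructed for illustration.

```python
import plistlib

# Constructed sample Info.plist contents (not taken from any real app).
GLOBAL_OFF = b"""<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSAllowsArbitraryLoads</key><true/>
  </dict>
</dict></plist>"""

SCOPED = b"""<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSExceptionDomains</key><dict>
      <key>ads.example.com</key><dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSIncludesSubdomains</key><true/>
      </dict>
    </dict>
  </dict>
</dict></plist>"""

DEFAULT = b"""<plist version="1.0"><dict>
  <key>CFBundleName</key><string>Demo</string>
</dict></plist>"""


def audit_ats(info_plist_bytes):
    """Return (status, weakened_domains) for the given Info.plist bytes."""
    # A missing NSAppTransportSecurity dict means ATS defaults apply.
    ats = plistlib.loads(info_plist_bytes).get("NSAppTransportSecurity", {})
    # A domain counts as weakened if it permits plain HTTP, old TLS,
    # or drops the forward-secrecy requirement.
    weakened = sorted(
        domain for domain, cfg in ats.get("NSExceptionDomains", {}).items()
        if cfg.get("NSExceptionAllowsInsecureHTTPLoads")
        or cfg.get("NSExceptionMinimumTLSVersion") in ("TLSv1.0", "TLSv1.1")
        or cfg.get("NSExceptionRequiresForwardSecrecy") is False
    )
    if ats.get("NSAllowsArbitraryLoads"):
        return "disabled-globally", weakened
    if weakened:
        return "enabled-with-exceptions", weakened
    return "enabled", weakened


if __name__ == "__main__":
    for name, blob in (("global", GLOBAL_OFF), ("scoped", SCOPED), ("default", DEFAULT)):
        print(name, audit_ats(blob))
```
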

With ad networks being one of the reasons for disabling ATS, Wandera noted it is unsurprising that ATS use is significantly higher in paid-for apps: it is enabled in 45.9 per cent of cases, compared with 26.2 per cent for free titles.

Finance is the leading category in terms of ATS compatibility, but Wandera noted that even among the leading apps in the segment, only a third enable it for global use and many still have exception domains.

Causes
Wandera suggested developers may be disabling ATS because “they don’t actually understand how it works due to its complexity”. Another possibility is they are “taking the easy way out” by submitting all domains needed by apps as exceptions to avoid possible disruption to users.

It also noted web service companies can become part of the solution. “They can’t keep supporting unencrypted content when OS vendors like Apple are trying to move toward total encryption”, it said.