Apple's Abandonment Of Its Own App Security Deadline Is Bad For So Many Reasons

By Evan Schuman
January 16, 2017

I have a great idea for the most effective way to make life easier for cyberthieves, especially those who are focused on ineffective app security. All you have to do is get one of the most powerful brands in computing to publicly declare a security deadline and then have it quietly withdraw that deadline on the eve of its taking effect.

For a terrific example of how well this can undermine app security, one need look no further than Apple. After much hoopla when Apple announced its App Transport Security—and even more publicity at WWDC 2016 when it gave a strict end-of-2016 deadline for HTTPS on all apps—Apple last week said "Oh, never mind."

In Apple's statement, not only did it surrender on its own deadline, but Apple didn't even bother to replace it with a new "to be abandoned when we feel like it" deadline.

"App Transport Security (ATS), introduced in iOS 9 and OS X v10.11, improves user security and privacy by requiring apps to use secure network connections over HTTPS. At WWDC 2016 we announced that apps submitted to the App Store will be required to support ATS at the end of the year," Apple said. "To give you additional time to prepare, this deadline has been extended and we will provide another update when a new deadline is confirmed."

It's the absence of a new deadline that truly puts the bright red bow on this gift to cyberthieves, identity thieves and cyberterrorists everywhere.

I wish I could say that Apple is the exception, but December also saw both Visa and Mastercard abruptly abandon their own deadline for gas stations to become EMV-compliant. At least those card brands had the decency to replace their deadline with a new deadline, albeit one three years in the future. Then again, as Apple, Visa and Mastercard have reminded us when it comes to security deadlines, the brand giveth and the brand can taketh away.

All security measures fall into one of two categories: reality and perception. Both are important. If you have top-notch security but everyone thinks your security is dishwater weak, cyberthieves will still attack, seeing you as a weak target. Hopefully, your security will protect you, but even successfully fending off attacks is expensive and time-consuming. And who knows? Even ideal security can sometimes be circumvented by a creative and persistent attacker.

Deadlines to upgrade security—whether it's Apple's ATS or Visa/Mastercard's EMV efforts—are also expensive and time-consuming for end-users, developers and anyone else directly impacted.

What message does it send out when you proclaim a major deadline and then fold at the last minute? It tells thieves that you're not really serious about security. Even worse, it tells those end-users and developers that they should take a chance and ignore the deadline because you'll probably extend it anyway.

There's a reason deadlines have that threat-oriented word ("death") in them. It's a do-this-or-else message. If a brand wants developers and others to take its deadlines seriously, it must stand by them. If this deadline was too short—and there's a legitimate argument that it might have been—that debate must be had before the deadline is declared. Nothing is worse than declaring and withdrawing.

In a compelling story about this Apple reversal in The Register, the writer suggested a quite likely reason for the about-face. "While ATS was switched on by default in Apple's operating systems, it wasn't widely adopted. Hence the deadline revealed at Apple's developer gabfest," the story noted. "Apple's not saying why it's giving developers extra time. The Register suspects it's because not many developers got around to implementing ATS. And with the iOS and OS X app stores containing many hundreds of thousands of apps, Apple was probably keen to avoid a New Year's Day OutrageStorm if it was forced to remove non-compliant apps."

Put another way, Apple issued the deadline but didn't want to be bothered enforcing it. Even though any cutting of corners is a bad thing, I'd suggest that keeping the deadline and then quietly being lax about enforcement would be better than completely backing down. Why would companies spend the time and effort to comply with Apple's next security edict?

Yet another fine reason to prioritize an independent app security policy. And do it now. Even if the big brands can't comply with their own deadlines, you can't afford not to.


Evan Schuman has covered IT issues for a lot longer than he'll ever admit. The founding editor of retail technology site StorefrontBacktalk, he's been a columnist for RetailWeek, Computerworld and eWeek, and his byline has appeared in titles ranging from BusinessWeek, VentureBeat and Fortune to The New York Times, USA Today, Reuters, The Philadelphia Inquirer, The Baltimore Sun, The Detroit News and The Atlanta Journal-Constitution.