Improved App Security with ATS

Starting in January 2017, all applications running on iOS and OS X devices will be required to use App Transport Security (ATS).

And at A10 Networks, we’re working to ensure the continued secure delivery of applications on your network by supporting ATS in our products and services.

What is ATS?

ATS, which Apple debuted in iOS 9.0 and OS X 10.11, requires iOS and OS X applications to connect to web services over a secure HTTPS connection rather than over standard HTTP, so that user data is encrypted in transit with ciphers that provide perfect forward secrecy (PFS).

Requiring ATS, Apple said, will improve the security of network communications for Apple applications. 

“Today, I’m proud to say that at the end of 2016, App Transport Security is becoming a requirement for App Store apps,” Ivan Krstic, Apple’s head of security engineering and architecture, said during a WWDC 2016 presentation, according to TechCrunch. “This is going to provide a great deal of real security for our users and the communications that your apps have over the network.”

What A10 Customers Need to Know

As part of our commitment to keeping your application environment and your network secure, A10 supports ATS across our entire line of secure application delivery products. That means if you host Apple applications and services that require ATS on our Thunder ADC platform, you can continue to provide your customers with a secure application experience.

Here is the list of supported ATS ciphers:

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

Please note that some of the above ciphers are not supported on older versions of ACOS, such as 2.7.1, 2.7.2-P4 or earlier. For the best coverage of ATS ciphers, regardless of form factor (hardware, virtual appliance or bare metal), you may want to upgrade to the latest version of ACOS, e.g. version 4.1.1 or higher. Otherwise, we recommend the latest patched versions of ACOS 4.1.0 (which is the minimum requirement for vThunder ADC) or ACOS 2.7.2.

Next Steps

We recommend that you take stock of your application environment to know and understand whether you’re hosting services that require ATS or if ATS applications are running on your network.

If so, you should make sure your ADC configuration is correct. For example:

  • Ensure your certificate has an RSA key of 2048 bits or greater
  • Configure the application service (VIP) with HTTPS
  • Include the ciphers required for ATS
  • Use TLS version 1.2
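
One way to confirm the HTTPS, cipher and TLS 1.2 items of this checklist from the client side is sketched below as an added example; it is not A10 code. The function names (`iana_to_openssl`, `ats_probe_context`, `probe_vip`) are hypothetical, and the host name is whatever VIP you operate and pass in. The cipher list is copied from this page and translated to the names OpenSSL uses.

```python
import socket
import ssl

# Cipher suites exactly as listed on this page (IANA names).
ATS_CIPHERS_IANA = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
]

def iana_to_openssl(name):
    """Translate an IANA suite name from the list into OpenSSL's name for it."""
    kx, rest = name[len("TLS_"):].split("_WITH_")
    # OpenSSL writes AES256 (no underscore) and omits "CBC" from the name.
    rest = rest.replace("AES_", "AES").replace("_CBC_", "_")
    return f"{kx}_{rest}".replace("_", "-")

OPENSSL_TO_IANA = {iana_to_openssl(n): n for n in ATS_CIPHERS_IANA}

def ats_probe_context():
    """Client context that offers only TLS 1.2 and only the listed suites."""
    ctx = ssl.create_default_context()  # verifies certificate chain and host name
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(OPENSSL_TO_IANA))
    return ctx

def probe_vip(host, port=443, timeout=5.0):
    """Handshake with a VIP you operate; raises ssl.SSLError if nothing overlaps."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ats_probe_context().wrap_socket(sock, server_hostname=host) as tls:
            name = tls.cipher()[0]
            return {"tls_version": tls.version(), "openssl_name": name,
                    "iana_name": OPENSSL_TO_IANA[name]}

if __name__ == "__main__":
    import sys
    print(probe_vip(sys.argv[1]))
```

A failed handshake here means the VIP offers none of the listed suites on TLS 1.2. The RSA key-size item is not covered, because Python's standard library does not expose the certificate's key length.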

Performance Matters

In general, SSL traffic is very CPU-intensive for application servers. ATS specifies the use of forward secrecy ciphers, which are more complex and require additional CPU resources for SSL transactions.

With A10 Thunder ADC, however, SSL offload combined with application acceleration lets you take advantage of the added security without jeopardizing performance, so you won’t pay a performance tax for these necessary security services.

Focus on Security

“In requiring developers to use HTTPS, Apple is joining a larger movement to secure data as it travels online,” TechCrunch wrote about ATS. At A10, we want to help ensure that the Internet, applications and the network are safe places to store and transmit data with as little disruption as possible.
