back to article Google tells iOS 9 app devs: Switch off HTTPS if you want that sweet sweet ad money from us

Google has told iOS 9 app developers to disable Apple's enforcement of HTTPS-only connections – or their in-app Google ads won't show up on up-to-date iPhones and iPads. Apple has added what it calls App Transport Security (ATS) to iOS 9 and OS X 10.11, which ensures software only uses encrypted connections when talking to …

  1. Anonymous Coward
    Anonymous Coward

    Actually, iOS developers: DON'T!!!

    We need to give them an incentive to pull their finger out! Use an alternate ad network or charge a fee if you have to.

    1. mafoo
      Coat

      Irony

      the great irony / hypocracy here is they say they will down rank website that dont use https.

      /sigh

      1. Destroy All Monsters Silver badge

        Re: Irony

        "hypocracy" is something else though. Government by the bottom maybe?

        1. Chris King

          Re: Irony

          Other people do "Hypocrisy". We do "Policy"

          Isn't that the standard corporate mantra these days ?

    2. Anonymous Coward
      Anonymous Coward

      Call to all iOS developers and Apple

      Dear developers: if you decide to degrade to HTTP, kindly mention this in the app description so I can avoid it.

      Dear Apple: this is worth screening apps for. It would be EXTREMELY good if the App Store could flag apps that use this degradation of security as mandated by Google. While you're at it, I would appreciate a generic requirement for Apps to mention that they are ad-supported in the first place. I understand the desire for developers to create revenue that way, but as a user I should be able to see this "feature" before I download an app.

      Now, I'm the first to admit that I'm no fan of ads on apps because they eat bandwidth and screen real estate, both precious resources on a handheld device (and I deem it offensive that I should pay for that), I tend to pay for apps instead. However, there are people who have no problem with that, but I think someone ought to be able to make that decision upfront.

      As for Google: FY. Really, FY. This is another example where a company has no problem with degrading your rights because it suits them, and Google has been pretty much carrying that banner from the day it started doing more than the search engine.

    3. Richard Jones 1
      Coat

      Re: Actually, iOS developers: DON'T!!!

      The real 'sufferers' are the developers who rely on rubbish adverts for their bread and butter. Google have noticed the issue and brought a quick solution to the table, arguably it is not the best solution, though it should only affect those too tight to buy the games they play. It would be useful for those developers who rely on ads to put some pressure on the advert slingers to get their acts together and 'upgrade' to HTTPS in the interests of most parties.

      I said most parties since ad supported apps do appeal to some though frankly if I cannot afford the app then I would rather suffer the silence.

      Come to think of it I do. I have zero interest in apps and zero apps on my phone, ad supported or ad free.

      1. Mike Flugennock

        Re: Actually, iOS developers: DON'T!!!

        Join the club. I have a grand total of two third-party apps on my 4S: Twitter, and an ad-supported free flashlight app which I rarely use except to read menus in dimly-lit restaurants. That's it -- no games, no bullshit. I do fine with the apps that came with the phone.

        My wife's 4S, on the other hand -- don't get me started...

  2. Warm Braw

    The problem, if any...

    ... isn't that ads are being served over HTTP - who cares that someone else might eavesdrop on the ads that are being pushed to you. The problem would be the information that is being sent to the advertisers - and encryption isn't going to fix that.

    1. Adam 1

      Re: The problem, if any...

      Nope, sorry.

      It means that any man in the middle attack can change the resource you are sending to the browser. I can replace your ad with mine and you will still be the one to get the bill. I can redirect the URLs you embed to my dodgy phishing version of your site. I can inject some malicious JavaScript and you will be fingered and blacklisted very quickly but the major ad networks.

      At least with https, unsavoury folk need to pwn your server to emulate you. Https everywhere. Google, stop being dicks. You understand the risks. Most app developers don't. I will happily criticise Apple on many things, but what they are doing here is completely right. (Although no doubt they enjoy the collateral damage to their competitor)

      1. Warm Braw

        Re: The problem, if any...

        MITM is only really relevant if you control at least one of the end points. In the case of ads, the end user is not choosing which URL to visit - that's being determined by someone else paying money to yet another someone who controls the platform, possibly through a series of intermediaries. An an end user, I have no idea what site the advertising platform will make my device visit and the fact that TLS gives some third party the assurance that my device is fully in their control does not make a material difference to my security as far as I'm concerned...

  3. CrazyCanuck

    Personally I would to see google die off as a company. i don't care if they can't display ads. Besides apple users are the minority of users not the majority. i wish amazon was all https.

    1. Anonymous Coward
      Anonymous Coward

      Reading that post made my eyes bleed. Please, someone buy the guy a shift key.

      1. Anonymous Coward
        Anonymous Coward

        Reading that post made my eyes bleed. Please, someone buy the guy a shift key.

        GiVe ThE GuY A brEak, its' fRidAy. i rEfraNEd fRom, cOmmeNTinG oN HiS puNct-uAtIon tOO, aNd he MadE at laets noa SPElinK mizTaekes.

        Yes, it's Friday. Why?

  4. Tromos

    "custom creative code"

    Otherwise known as 'malware'.

  5. Your alien overlord - fear me

    Is it just paranoid me but Google's code snippet to allow unsecure transmission starts with (the) NSA. Twice.

  6. Dan 55 Silver badge

    Look, it's a story about Google

    Let's read it and see how they've managed to screw up security yet again.

  7. cd

    The question I come up with; how to edit my Android so it doesn't work either.

  8. Mark 85
    Thumb Down

    Use Google's version of encryption instead of Apple's?

    I'm more than suspicious. Apple doesn't push ads so I would mostly trust their encryption. Google does and they also want your info for more ad pushing. I'd have to assume that they can break their encryption for whenever they want? For whatever reason they want? I smell a fox in the henhouse...

    1. Ralph B

      Re: Use Google's version of encryption instead of Apple's?

      > Apple doesn't push ads

      Of course they do. It's just not their main source of revenue, unlike Google.

      Apple's new content blocking tech is a gun pointed directly at Google. Meanwhile, Google are busy shooting themselves in the foot by doing nothing to prevent malvertising pushed over their infrastructure.

  9. Steve Knox
    Mushroom

    You keep on using that word...

    "While Google remains committed to industry-wide adoption of HTTPS, there isn’t always full compliance on third party ad networks and custom creative code served via our systems," blogged Googler Tristan Emrich.

    Sorry, Tristan, but you clearly don't know what "committed" means.

    Here's a hint: it doesn't mean you'll do it only if it doesn't cost you money. It doesn't mean you'll take the easy way out. It doesn't mean you'll recommend that people compromise security so you can continue to make money.

    1. Robert Helpmann??
      Childcatcher

      Re: You keep on using that word...

      Sorry, Tristan, but you clearly don't know what "committed" means. Here's a hint: it doesn't mean...

      No, it means "locked away due to mental issues." My overall impression is that Google truly wish to encourage use of HTTPS. Perhaps they might put a bit of effort into developing tools to vet 3rd party ads for security issues (assuming they don't already). They are in a great position to do so and can think of it as securing their revenue stream. Right now, they seem to be in a position of advocating one thing and being dependent on its opposite.

      1. Anonymous Coward
        Anonymous Coward

        Re: You keep on using that word...

        My overall impression is that Google truly wish to encourage use of HTTPS

        .. when it suits THEM. The main reason Google started with https was to make it difficult for 3rd parties to analyse just what sort of traffic was heading for Google, it had NOTHING to do with protecting you (although, of course, that was their spin on it). If you want to have an indication of just how much Google cares for your safety, just look at how easy it is to search for exploits, how long it took before Gmail logons became https only and today's discussion.

        When I see a hasty clawback by a Google dude of a serious issue, I know publicity must have struck a nerve. Otherwise such news would get the same treatment as any lawmaker in the world gets when they warn Google that they're breaking the law: total silence, unless legal proceedings are started.

  10. TeleC
    FAIL

    How convenient of them

    Funny how Google themselves removed Chrome's ability to handle mixed HTTP/HTTPS content as of version 44, thus breaking a bunch of websites that most other browsers still handle just fine, and yet they have the audacity of not getting their own act together for this.

  11. Frank N. Stein

    Screw Google. I block ads on the desktop. iOS 9 will be blocking ads? Great. I'll be updating to that as soon as it's available. Compromise security to fill Google's pockets? I don't think so. So much for that consideration to switch to Android. my security is far more important.

  12. Ian Michael Gumby
    Pirate

    "Google has told iOS 9 app developers to disable Apple's enforcement of HTTPS-only connections – or their in-app Google ads won't show up on up-to-date iPhones and iPads."

    works for me.

    no more ads...

    1. Pascal Monett Silver badge
      Thumb Up

      Absolutely

      Thanks Google !

      Best shot to the foot I have ever seen !

  13. Destroy All Monsters Silver badge

    By not showing these ads, the programmers lose out on vital revenue.

    I have witnessed the rise of the vital revenue on the net. I will be glad when it's dead and done.

    1. Ken Hagan Gold badge

      Sadly that won't happen. What *will* happen is that advertisers (not programmers) will make the switch because advertisers will notice that they aren't reaching the audience that kept HTTPS on and so they'll upgrade their content delivery.

      This isn't Google's problem. This is the advertisers problem, and the fix is easy.

  14. R Soles

    Apple could

    Simply refuse to accept any app into their app store that uses Google's trick

    and so force the issue, like they did with Flash.

    1. gnasher729 Silver badge

      Re: Apple could

      As an iOS developer: It's not a trick. Apple has a documented feature that allows an app to allow http connections anywhere, or to allow http connections to certain servers, or to allow https connections with known vulnerable https versions to certain servers.

      However, I strongly believe that this is done to allow developers to continue working to get their apps working on iOS 9 while someone is sorting out the http problems. When you submit an app to the app store, this will flash up on the reviewers screen, and then they will ask you why you need that exception. "I connect to this third party server, and I can't make them fix their server" is a reasonable excuse. "I turned off all protection because Google said so" isn't. I would bet that any such app will be rejected.

      Google is an advertising company. Advertising is how they make their money. If they can't deliver safe advertisements, then they should close down and let someone else provide advertisements and make money.

  15. Anonymous Coward
    Anonymous Coward

    Google are only concerned with the $$$$ of revenue

    so the old 'do no evil'

    should become 'Do everything possible to maximise our income no matter how many people we piss off'.

    so Google is no different from any other company then.

    There is an article on /. about Google offering you a job based upon your search history.

    http://developers.slashdot.org/story/15/08/27/2140221/google-may-try-to-recruit-you-for-a-job-based-on-your-search-queries

    So there are three simple questions to ask

    1) So how much do they really know about you?

    2) And how much of that would embarass you if the sold it to the wrong people?

    3) Have you Google'd yourself recently?

    That result set is only the tip of the iceberg of what they have on you.

    Shits

  16. smartypants

    Glass houses

    I was just prompted to log in to write this, and the form was using http not https...

    1. This post has been deleted by its author

  17. heyrick Silver badge

    Nice, Google, nice

    So Google would want to downgrade my website for being http (no login, no controversial information, no justifiable reason to require encryption) yet they can't get their own act together on this? Bloody hypocrites...

    1. dajames

      Re: Nice, Google, nice

      ... Google would want to downgrade my website for being http (no login, no controversial information, no justifiable reason to require encryption) ...

      The benefit that SSL would bring in your case is not so much that the site would be encrypted, but that the encryption key certificate needed to establsh an SSL connection would identity you as the site's owner, and this would enable users of your site to ensure that they were viewing the site they thought they were.

      .... not that anyone ever checks ...

      1. heyrick Silver badge
        Happy

        Re: Nice, Google, nice

        No need for SSL to verify my site is mine. Firstly, it would be hard to write the same sort of crap as on my blog. And if it wasn't me...they'll just be reading somebody else's crap.

    2. Anonymous Coward
      Anonymous Coward

      Re: Nice, Google, nice

      Yes, just as they'd like MS and Apple to fix flaws in double time, while they can't get their own act together round Droid.

      To echo an earlier posters somewhat pithy insight- Shits.

  18. Neil Barnes Silver badge

    "the website visitor’s experience is impacted"

    By the absence of adverts. This is a problem for the visitor how?

  19. Old Handle
    Thumb Down

    There's nothing "unsafe" about embedding HTTP content in an HTTPS page (at least compared to a pure HTTP page) but in another shining example of their stupidity, some browsers don't allow it. You hear that, Mozilla (and anyone else doing this crap)? Your silly decision is actually stopping websites from using encryption.

    1. Destroy All Monsters Silver badge
      FAIL

      I don't agree at all about the "nothing unsafe".

      The user likely expects the whole page to be crypted (indeed, he may well expect the whole page to be same-origined). Leaving half of it in a bizarro eavesdropper state (from where JavaScript may be injected to render the rest of the page a festering mass of unsecurity) is NOT a good idea.

  20. Alan Denman

    Third party involvement

    That is the problem , 'its my party' we shout, but developersrely on 3rd party ads to get a sometimes meagre income.

    Solution, buy their paid version.

  21. TeeCee Gold badge
    WTF?

    FFS!

    Ads over HTTPS as a "must have"?

    For the love of god, WHY?

    First rule of security: Horses for courses.

  22. Anonymous Coward
    Anonymous Coward

    By not showing these ads, the programmers lose out on vital revenue.

    By showing these ads, the programmers lose out on vital revenue from me. I won't buy any apps that force ads on me. If I pay for and download one and it doesn't mention the ads in the description, I seek a refund.

  23. Anonymous Coward
    Anonymous Coward

    Why all the fuss???

    If you block all ads, and JS, and trackers, who gives a fuck? Yer not getting ad $$$ from me anyway.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like