
Insecure App Transport Security (ATS) Settings

Description

App Transport Security (ATS) enforces best practices for secure connections between an app and its back end. ATS prevents accidental disclosure, provides secure default behavior, and is easy to adopt; it is also on by default in iOS 9 and OS X v10.11. You should therefore adopt ATS as soon as possible, whether you are creating a new app or updating an existing one. The keys below, set under NSAppTransportSecurity in the app's Info.plist, weaken those defaults:

  • NSAllowsArbitraryLoads: If set to YES, disables all ATS restrictions for all network connections, apart from the connections to domains you configure individually in the optional NSExceptionDomains dictionary. The default value is NO.
  • NSAllowsArbitraryLoadsForMedia: If set to YES, disables all ATS restrictions for media your app loads using the AV Foundation framework. Employ this key only for loading already encrypted media, such as files protected by FairPlay or by secure HLS, that do not contain personalized information. The default value is NO.
  • NSAllowsArbitraryLoadsInWebContent: If set to YES, disables all ATS restrictions for requests made from web views. This lets your app use an embedded browser that can display arbitrary content without disabling ATS for the rest of your app. The default value is NO.
  • NSExceptionAllowsInsecureHTTPLoads: If set to YES, allows insecure HTTP loads for the named domain; it does not change the Transport Layer Security (TLS) requirements and does not affect HTTPS loads for that domain. The default value is NO.
  • NSExceptionMinimumTLSVersion: Specifies the minimum TLS version for network connections to the named domain; setting it below the ATS default allows connections that use an older, less secure version of TLS.

Recommendation

Below are the recommended ATS settings:

  • NSAllowsArbitraryLoads: Set to NO to enforce ATS restrictions, enhancing overall network security by limiting arbitrary network connections.
  • NSAllowsArbitraryLoadsForMedia: Set to NO unless necessary for loading specifically encrypted media, ensuring that only secure connections are permitted for media content.
  • NSAllowsArbitraryLoadsInWebContent: Set to NO unless required for specific functionality, as enabling it may compromise ATS protections within web views.
  • NSExceptionAllowsInsecureHTTPLoads: Set to NO to enforce HTTPS connections and maintain secure communication standards, minimizing the risk of data interception.
  • NSExceptionMinimumTLSVersion: Set to the latest TLS version supported by your app and server infrastructure, ensuring optimal security standards and protection against vulnerabilities associated with older TLS versions.
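The following is an added example, not part of the original page or of any vendor tool: a small audit script that parses an Info.plist with Python's plistlib and reports every ATS setting that departs from the recommendations above. The plist content is constructed for the example, and the TLS floor (MIN_TLS) is an assumed audit threshold.

```python
import plistlib

# Constructed sample Info.plist (not from any real app) carrying several of the
# weak ATS settings described above; the api.example.com entry is the safe case.
SAMPLE_PLIST = b"""<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSAllowsArbitraryLoadsInWebContent</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
      </dict>
      <key>api.example.com</key>
      <dict><key>NSExceptionMinimumTLSVersion</key><string>TLSv1.2</string></dict>
    </dict>
  </dict>
</dict></plist>"""

# Top-level keys that switch ATS off wholesale; the recommendation is NO for each.
GLOBAL_OPT_OUTS = (
    "NSAllowsArbitraryLoads",
    "NSAllowsArbitraryLoadsForMedia",
    "NSAllowsArbitraryLoadsInWebContent",
)
# Assumed audit floor: any per-domain minimum below TLS 1.2 is reported.
MIN_TLS = "TLSv1.2"

def tls_tuple(version: str) -> tuple:
    """Turn 'TLSv1.2' into (1, 2) so versions compare numerically."""
    return tuple(int(p) for p in version.removeprefix("TLSv").split("."))

def audit_ats(plist_bytes: bytes) -> list:
    """Return one finding string per insecure ATS setting in an Info.plist."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    for key in GLOBAL_OPT_OUTS:
        if ats.get(key) is True:
            findings.append(f"{key}=YES")
    for domain, cfg in ats.get("NSExceptionDomains", {}).items():
        if cfg.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            findings.append(f"{domain}: NSExceptionAllowsInsecureHTTPLoads=YES")
        tls = cfg.get("NSExceptionMinimumTLSVersion")
        if tls and tls_tuple(tls) < tls_tuple(MIN_TLS):
            findings.append(f"{domain}: NSExceptionMinimumTLSVersion={tls}")
    return findings
```

Run `audit_ats` over the Info.plist extracted from an IPA to get a list of findings; an empty list means the ATS configuration matches the recommendations.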

Standards

  • OWASP_MASVS_L1:
    • MSTG_NETWORK_2
  • OWASP_MASVS_L2:
    • MSTG_NETWORK_2
  • GDPR:
    • ART_5
    • ART_32
  • PCI_STANDARDS:
    • REQ_2_2
    • REQ_3_6
    • REQ_3_7
    • REQ_4_2
    • REQ_6_2
  • OWASP_MASVS_v2_1:
    • MASVS_NETWORK_1
  • SOC2_CONTROLS:
    • CC_2_1
    • CC_4_1
    • CC_6_7
    • CC_7_1
    • CC_7_2
    • CC_7_4
    • CC_7_5