Insecure App Transport Security (ATS) Settings

Description

App Transport Security (ATS) enforces best practices for secure connections between an app and its back end. ATS prevents accidental disclosure, provides secure default behavior, and is easy to adopt; it is also on by default in iOS 9 and OS X v10.11. Therefore, you should adopt ATS as soon as possible, regardless of whether you're creating a new app or updating an existing one. Each of the following Info.plist keys relaxes ATS in some way, so a non-default value is a finding to review:

  • NSAllowsArbitraryLoads: If set to YES, disables all ATS restrictions for all network connections, apart from the connections to domains you configure individually in the optional NSExceptionDomains dictionary. The default value is NO.
  • NSAllowsArbitraryLoadsForMedia: If set to YES, disables all ATS restrictions for media your app loads using the AV Foundation framework. Employ this key only for loading already encrypted media, such as files protected by FairPlay or by secure HLS, that do not contain personalized information. The default value is NO.
  • NSAllowsArbitraryLoadsInWebContent: If set to YES, disables all ATS restrictions for requests made from web views. This lets your app use an embedded browser that can display arbitrary content without disabling ATS for the rest of your app. The default value is NO.
  • NSExceptionAllowsInsecureHTTPLoads: If set to YES, it allows insecure HTTP loads for the named domain but does not change Transport Layer Security (TLS) requirements and does not affect HTTPS loads for the named domain. The default value is NO.
  • NSExceptionMinimumTLSVersion: Specifies the minimum TLS version for network connections to the named domain. Setting it below the default permits connections over an older, less secure version of Transport Layer Security.

Recommendation

If you're developing a new app, you should use HTTPS exclusively. If you have an existing app, you should use HTTPS as much as you can and create a plan for migrating the rest of your app as soon as possible. In addition, your communication through higher-level APIs needs to be encrypted using TLS version 1.2 with forward secrecy. An error is thrown if you try to make a connection that doesn't follow this requirement. Finally, if your app needs to request an insecure domain, you have to specify this domain in your app's Info.plist file.
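The following is an added example, not part of the original description: a small Python audit that parses an Info.plist with the standard library's plistlib and reports each of the ATS keys listed above when it is set to an insecure value. The embedded plist and the domain legacy.example.com are constructed for the demonstration.

```python
import plistlib

# Constructed sample Info.plist (not from a real app): a global ATS bypass,
# a web-content bypass, and one exception domain that allows cleartext HTTP
# and lowers the minimum TLS version.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSAllowsArbitraryLoadsInWebContent</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Top-level keys that, when YES, switch ATS off for a whole class of connection.
GLOBAL_BYPASS_KEYS = (
    "NSAllowsArbitraryLoads",
    "NSAllowsArbitraryLoadsForMedia",
    "NSAllowsArbitraryLoadsInWebContent",
)
# Versions below the TLS 1.2 minimum recommended above.
WEAK_TLS_VERSIONS = ("TLSv1.0", "TLSv1.1")


def audit_ats(plist_bytes: bytes) -> list[str]:
    """Return one finding per insecure ATS setting; an empty list means clean."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = [f"{k} is YES" for k in GLOBAL_BYPASS_KEYS if ats.get(k) is True]
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            findings.append(f"{domain}: NSExceptionAllowsInsecureHTTPLoads is YES")
        tls = rules.get("NSExceptionMinimumTLSVersion")
        if tls in WEAK_TLS_VERSIONS:
            findings.append(f"{domain}: NSExceptionMinimumTLSVersion is {tls}")
    return findings


if __name__ == "__main__":
    for finding in audit_ats(SAMPLE_PLIST):
        print("ATS finding:", finding)
```

Run against the sample it reports four findings; run against a plist whose NSAppTransportSecurity dictionary is absent or left at the defaults, it returns an empty list.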

Standards

  • OWASP_MASVS_L1:
    • MSTG_NETWORK_2
  • OWASP_MASVS_L2:
    • MSTG_NETWORK_2
  • GDPR:
    • ART_5
    • ART_32
  • PCI_STANDARDS:
    • REQ_2_2
    • REQ_3_6
    • REQ_3_7
    • REQ_4_2
    • REQ_6_2