MASTG-KNOW-0072: Server Trust Evaluation
ATS imposes extended security checks that supplement the default server trust evaluation prescribed by the Transport Layer Security (TLS) protocol. Loosening ATS restrictions reduces the security of the app. Apps should prefer alternative ways to improve server security before adding ATS exceptions.
The Apple Developer Documentation explains that an app can use URLSession to handle server trust evaluation automatically. However, apps are also able to customize that process, for example to:
- bypass or customize certificate expiry.
- loosen/extend trust: accept server credentials that would otherwise be rejected by the system, e.g. to make secure connections to a development server using self-signed certificates embedded in the app.
- tighten trust: reject credentials that would otherwise be accepted by the system.
- etc.
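An added example, not part of the MASTG text or Apple's documentation, of the "tighten trust" case: a URLSessionDelegate that keeps the system's default evaluation and additionally requires the leaf certificate to match a pinned SHA-256 hash. The Base64 pin value and the host name are placeholders; replace them with the hash of the real server certificate.

```swift
import Foundation
import Security
import CryptoKit

/// Tightens server trust: default chain/expiry/hostname checks still apply,
/// and on top of that the leaf certificate must match one of the pinned hashes.
final class PinningSessionDelegate: NSObject, URLSessionDelegate {
    /// Base64-encoded SHA-256 digests of the DER-encoded leaf certificate(s).
    /// Placeholder value; the real pin comes from the deployed certificate.
    private let pinnedCertificateHashes: Set<String>

    init(pinnedCertificateHashes: Set<String>) {
        self.pinnedCertificateHashes = pinnedCertificateHashes
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            // Not a server-trust challenge: let the system handle it.
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // 1. Keep the system evaluation (chain, expiry, hostname). Skipping this
        //    step and calling completionHandler(.useCredential, ...) directly is
        //    the "loosen trust" case: any certificate would be accepted.
        var evaluationError: CFError?
        guard SecTrustEvaluateWithError(trust, &evaluationError) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // 2. Tighten: the leaf certificate must match a pinned hash.
        guard let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
              let leaf = chain.first else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        let leafDER = SecCertificateCopyData(leaf) as Data
        let leafHash = Data(SHA256.hash(data: leafDER)).base64EncodedString()
        guard pinnedCertificateHashes.contains(leafHash) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        completionHandler(.useCredential, URLCredential(trust: trust))
    }
}

// Usage: every request through this session is subject to the pin check.
let delegate = PinningSessionDelegate(pinnedCertificateHashes: ["<BASE64_SHA256_OF_LEAF_CERT>"])
let session = URLSession(configuration: .default, delegate: delegate, delegateQueue: nil)
```

Because the pin is tied to one certificate, the app must ship a new pin (or pin a backup) before the server certificate is rotated, otherwise legitimate connections fail closed.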