
MASTG-TECH-0155: Analyzing the ATS Configuration

App Transport Security (ATS) settings are declared under the NSAppTransportSecurity key in the Info.plist file. ATS controls the security requirements for network connections made through the URL Loading System (for example, via URLSession). By default, ATS requires HTTPS with TLS 1.2 or higher and enforces forward secrecy. Apps can weaken or disable these defaults through exceptions in Info.plist.

After retrieving the Info.plist with Retrieving Info.plist Files, use Analyzing Info.plist Files to analyze its contents and look for the keys below. See iOS App Transport Security for more details on ATS configuration and exceptions.

Using plutil and jq

Convert the Info.plist to JSON and extract the full ATS configuration:

plutil -convert json -o Info.json MyApp.app/Info.plist
cat Info.json | jq '.NSAppTransportSecurity'

Example output for an app with several exceptions configured:

{
  "NSAllowsArbitraryLoads": false,
  "NSExceptionDomains": {
    "example.com": {
      "NSExceptionAllowsInsecureHTTPLoads": true,
      "NSIncludesSubdomains": true
    },
    "legacy.example.com": {
      "NSExceptionMinimumTLSVersion": "TLSv1.0",
      "NSExceptionRequiresForwardSecrecy": false
    }
  }
}

To check for any domain that disables forward secrecy:

cat Info.json | jq '.NSAppTransportSecurity.NSExceptionDomains | to_entries[] | select(.value.NSExceptionRequiresForwardSecrecy == false) | .key'

To check for the global NSAllowsArbitraryLoads flag:

cat Info.json | jq '.NSAppTransportSecurity.NSAllowsArbitraryLoads'

Using PlistBuddy

Use the built-in PlistBuddy tool to print only the ATS subtree:

/usr/libexec/PlistBuddy -c "Print :NSAppTransportSecurity" MyApp.app/Info.plist

Tests

MASTG-TEST-0322: App Transport Security Configurations Allowing Cleartext Traffic
MASTG-TEST-0342: References to Weak ATS TLS Policy Exceptions in Info.plist