MASTG-TEST-0321: Hardcoded HTTP URLs

Overview

An iOS app may have hardcoded HTTP URLs embedded in the app binary, library binaries, or other resources within the IPA. These URLs may indicate potential locations where the app communicates with servers over an unencrypted connection.

Steps

  1. Use Reverse Engineering iOS Apps to reverse engineer the app.
  2. Use Retrieving Strings to search for any http:// URLs.
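The string search in step 2, as an added example that is not part of MASTG's own tooling: it scans a file extracted from the IPA (a Mach-O binary or a resource) for `http://` URLs and reports each with its byte offset. The sample bytes and hostnames are constructed for the example.

```python
import re

# Match "http://" (scheme case-insensitive) followed by printable URL characters.
# "https://" never matches because the byte after "http" must be ":", not "s".
HTTP_URL_RE = re.compile(rb"(?i)http://[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+")


def find_http_urls(data: bytes):
    """Return a list of (offset, url) for every cleartext http:// URL in data.

    Offsets are byte positions in the scanned blob, which is what you need to
    locate the string in a disassembler. Only 8-bit strings are found here;
    UTF-16 strings and URLs assembled at runtime will not show up, which is
    one reason a hit list is a starting point rather than a verdict.
    """
    hits = []
    for m in HTTP_URL_RE.finditer(data):
        hits.append((m.start(), m.group().decode("ascii", errors="replace")))
    return hits


def scan_file(path: str):
    """Scan a file on disk (e.g. Payload/App.app/App) and return the hits."""
    with open(path, "rb") as f:
        return find_http_urls(f.read())


# Constructed sample resembling a __cstring section: one https URL, two
# cleartext http URLs (one upper-case scheme), and a non-HTTP scheme.
SAMPLE = (
    b"\x00\x00https://api.example.com/v1/login\x00"
    b"http://legacy.example.com/update.plist\x00"
    b"\xff\x01HTTP://cdn.example.com/assets/\x00"
    b"\x00ftp://files.example.com\x00"
)

if __name__ == "__main__":
    for offset, url in find_http_urls(SAMPLE):
        print(f"0x{offset:08x}  {url}")
```

Run `scan_file()` on each binary and resource in the extracted payload; each hit then needs to be checked against the ATS configuration and the network-level observation described below before it counts as a finding.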

Observation

The output should contain a list of URLs and their locations within the app.

Evaluation

The test case fails if any HTTP URLs are confirmed to be used for communication.

Warning

The presence of HTTP URLs alone does not necessarily mean they are actively used for communication. Their usage may depend on runtime conditions, such as how the URLs are invoked and whether cleartext traffic is allowed in the app's ATS configuration. For example, HTTP requests may fail if App Transport Security (ATS) is enabled and no exceptions are configured (see App Transport Security Configurations Allowing Cleartext Traffic) or may succeed if the app uses low-level APIs that bypass ATS (see App Transport Security Configurations Allowing Cleartext Traffic).

Additionally, complement this static inspection with dynamic testing methods. For example, capture and analyze network traffic to confirm whether the app connects to the identified HTTP URLs during real-world usage. See Cleartext Traffic Observed on the Network.

Demos

MASTG-DEMO-0084: Hardcoded HTTP URLs in iOS Binary