MASTG-TEST-0322: App Transport Security Configurations Allowing Cleartext Traffic

Overview

Since iOS 9, App Transport Security (ATS) blocks cleartext HTTP traffic by default for connections made through the URL Loading System (typically via URLSession). However, an app can still send cleartext traffic through several ATS exceptions configured in the Info.plist file under the NSAppTransportSecurity key.

The following configurations allow cleartext traffic:

  • NSAllowsArbitraryLoads: When set to true, disables ATS restrictions globally except for individual domains specified under NSExceptionDomains. This allows all HTTP connections.
  • NSAllowsArbitraryLoadsInWebContent: When set to true, disables ATS restrictions for all connections made from WebViews.
  • NSAllowsArbitraryLoadsForMedia: When set to true, disables all ATS restrictions for media loaded through the AVFoundation framework.
  • NSExceptionAllowsInsecureHTTPLoads: When set to true for a specific domain under NSExceptionDomains, allows HTTP connections to that domain.

For more information on ATS configuration, see iOS App Transport Security.

Warning

ATS only applies to connections made via the URL Loading System. Lower-level APIs such as the Network framework or CFNetwork are not affected by ATS settings and may still allow cleartext traffic regardless of the configuration. See Uses of Low-Level Networking APIs for Cleartext Traffic for more details.

Steps

  1. Extract the app (see Exploring the App Package).
  2. Obtain the Info.plist file from the app bundle.
  3. Use Convert Plist Files to JSON to convert the Info.plist to a readable format (if necessary).
  4. Examine the NSAppTransportSecurity dictionary for cleartext traffic exceptions.

Observation

The output should contain the ATS configuration, if present, including any exceptions that allow cleartext traffic.

Evaluation

The test case fails if cleartext traffic is permitted. This can happen if any of the following conditions are met:

  1. NSAllowsArbitraryLoads = true, but only when none of the fine-grained keys (2-4 below) are present, because on iOS 10+ the presence of any of those keys causes NSAllowsArbitraryLoads to be ignored.
  2. NSAllowsArbitraryLoadsInWebContent = true.
  3. NSAllowsArbitraryLoadsForMedia = true.
  4. NSAllowsLocalNetworking = true.
  5. Any domain under NSExceptionDomains sets NSExceptionAllowsInsecureHTTPLoads = true.
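The evaluation rules above, applied to a constructed Info.plist with Python's standard plistlib, as an added example that is not part of the MASTG page or its demo; the sample plist, the example.com domain and the function name are assumptions:

```python
import plistlib

# Constructed sample Info.plist (not taken from a real app). It sets the global
# switch together with a fine-grained key, so rule 1 must NOT fire, and adds a
# per-domain HTTP exception, so rule 5 must fire.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSAllowsArbitraryLoadsInWebContent</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Rules 2-4: fine-grained keys whose presence also makes iOS 10+ ignore rule 1.
FINE_GRAINED_KEYS = ("NSAllowsArbitraryLoadsInWebContent",
                     "NSAllowsArbitraryLoadsForMedia",
                     "NSAllowsLocalNetworking")


def find_cleartext_exceptions(plist_bytes):
    """Return the ATS settings that make this test fail (empty list = pass)."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings = []
    # Rule 1: global switch counts only when no fine-grained key is present.
    fine_grained_present = any(k in ats for k in FINE_GRAINED_KEYS)
    if ats.get("NSAllowsArbitraryLoads") is True and not fine_grained_present:
        findings.append("NSAllowsArbitraryLoads")
    # Rules 2-4: each fine-grained key set to true is a finding on its own.
    for key in FINE_GRAINED_KEYS:
        if ats.get(key) is True:
            findings.append(key)
    # Rule 5: any domain that explicitly allows insecure HTTP loads.
    for domain, cfg in ats.get("NSExceptionDomains", {}).items():
        if isinstance(cfg, dict) and cfg.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            findings.append(f"NSExceptionDomains/{domain}/NSExceptionAllowsInsecureHTTPLoads")
    return findings


if __name__ == "__main__":
    for finding in find_cleartext_exceptions(SAMPLE_INFO_PLIST):
        print("FAIL:", finding)
```

Run it against the Info.plist extracted in the Steps above (after converting a binary plist if needed, plistlib reads both formats) and judge each finding against the context considerations that follow.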

Context Considerations:

Note that ATS exceptions should be examined taking the app's context into consideration. The app may have to define ATS exceptions to fulfill its intended purpose. For example, a browser app must connect to arbitrary websites, including those using HTTP. In such cases, the exception may be acceptable if a proper justification string is provided. However, Apple recommends preferring server-side fixes over client-side ATS exceptions whenever possible.

Demos

MASTG-DEMO-0083: Insecure ATS Configuration Allowing Cleartext Traffic