
MASTG-TEST-0322: App Transport Security Configurations Allowing Cleartext Traffic

Overview

Since iOS 9, App Transport Security (ATS) blocks cleartext HTTP traffic by default for connections made through the URL Loading System (typically via URLSession). However, an app can still send cleartext traffic through several ATS exceptions configured in the Info.plist file under the NSAppTransportSecurity key.

The following configurations allow cleartext traffic:

  • NSAllowsArbitraryLoads: When set to true, disables ATS restrictions globally except for individual domains specified under NSExceptionDomains. This allows all HTTP connections.
  • NSAllowsArbitraryLoadsInWebContent: When set to true, disables ATS restrictions for all connections made from WebViews.
  • NSAllowsArbitraryLoadsForMedia: When set to true, disables all ATS restrictions for media loaded through the AVFoundation framework.
  • NSExceptionAllowsInsecureHTTPLoads: When set to true for a specific domain under NSExceptionDomains, allows HTTP connections to that domain.

For more information on ATS configuration, see iOS App Transport Security.

Warning

ATS only applies to connections made via the URL Loading System. Lower-level APIs such as the Network framework or CFNetwork are not affected by ATS settings and may still allow cleartext traffic regardless of the configuration. See Uses of Low-Level Networking APIs for Cleartext Traffic for more details.

Steps

  1. Use Exploring the App Package to unzip the app package.
  2. Use Retrieving Info.plist Files to retrieve the Info.plist file.
  3. Use Analyzing the ATS Configuration to analyze the ATS configuration for cleartext traffic exceptions.

Observation

The output should contain the ATS configuration, if present, including any exceptions that allow cleartext traffic.

Evaluation

The test case fails if cleartext traffic is permitted. This can happen if any of the following conditions are met:

  1. NSAllowsArbitraryLoads = true, but only when none of the fine-grained keys (2-4 below) are present (on iOS 10+ the presence of any of those keys causes NSAllowsArbitraryLoads to be ignored).
  2. NSAllowsArbitraryLoadsInWebContent = true.
  3. NSAllowsArbitraryLoadsForMedia = true.
  4. NSAllowsLocalNetworking = true.
  5. Any domain under NSExceptionDomains sets NSExceptionAllowsInsecureHTTPLoads = true.

Further Validation Required:

Inspect the identified ATS exceptions to determine whether they are justified for the app's intended purpose:

  • Determine whether the exception is required for the app to fulfill its core functionality (for example, a browser app must connect to arbitrary websites, including those using HTTP).
  • If possible, verify that a proper justification string has been provided. This would be only possible if you have contact with the developers, as this information is not included in the app binary.

Demos

MASTG-DEMO-0083: Insecure ATS Configuration Allowing Cleartext Traffic