MASTG-TEST-0323: Uses of Low-Level Networking APIs for Cleartext Traffic
Overview
App Transport Security (ATS) only applies to connections made via the URL Loading System (typically URLSession). Lower-level networking APIs bypass ATS entirely, meaning they can establish cleartext HTTP connections regardless of the app's ATS configuration.
The following low-level APIs are not affected by ATS:
- Network framework: A modern low-level networking API for socket-level communication using TCP and UDP.
- CFNetwork: Core Foundation-based networking APIs including `CFSocketStream`, `CFHTTPStream`, and related functions.
- BSD Sockets: Low-level POSIX socket APIs accessed through functions like `socket()`, `connect()`, `send()`, and `recv()`.
Apple recommends preferring high-level frameworks: "ATS doesn't apply to calls your app makes to lower-level networking interfaces like the Network framework or CFNetwork. In these cases, you take responsibility for ensuring the security of the connection. You can construct a secure connection this way, but mistakes are both easy to make and costly. It's typically safest to rely on the URL Loading System instead."
For more information on when ATS applies, see iOS App Transport Security.
Steps
- Use Reverse Engineering iOS Apps to reverse engineer the app.
- Use Retrieving Cross References to look for uses of low-level networking APIs in the app binary.
- Use Reviewing Disassembled Objective-C and Swift Code to analyze the relevant code paths and determine if they could establish cleartext connections. For example, if using the Network framework, verify that TLS is properly configured using the `.tls` parameter in `NWParameters`.
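The following Swift snippet is an added example, not MASTG or Apple code, illustrating the Network framework case from the overview and from the last step above: the two `NWParameters` shapes that yield cleartext TCP (which this test flags), the TLS-configured form, and a small helper that checks the actual protocol stack rather than trusting a variable name. The host, port, queue label and the `connect(host:port:using:queue:)` wrapper are placeholders chosen for this example.

```swift
import Foundation
import Network

// Cleartext: TCP only, no TLS options. ATS does not intervene for the Network
// framework, so this connection carries plaintext. This is the pattern the
// test case flags.
func cleartextParameters() -> NWParameters {
    return NWParameters.tcp
}

// Equivalent cleartext construction that is easy to miss in review: passing
// nil for the tls argument produces a plain TCP stack.
func cleartextParametersViaInit() -> NWParameters {
    return NWParameters(tls: nil, tcp: NWProtocolTCP.Options())
}

// Hardened: TLS on top of TCP, with TLS 1.2 as the minimum protocol version.
func tlsParameters() -> NWParameters {
    let tlsOptions = NWProtocolTLS.Options()
    sec_protocol_options_set_min_tls_protocol_version(
        tlsOptions.securityProtocolOptions, .TLSv12)
    let tcpOptions = NWProtocolTCP.Options()
    tcpOptions.connectionTimeout = 10
    return NWParameters(tls: tlsOptions, tcp: tcpOptions)
}

// Review helper: TLS is in use only if NWProtocolTLS.Options is present among
// the application-layer protocols of the parameters' default stack.
func usesTLS(_ parameters: NWParameters) -> Bool {
    return parameters.defaultProtocolStack.applicationProtocols
        .contains { $0 is NWProtocolTLS.Options }
}

// Open a connection with the given parameters and log whether TLS is in the
// stack once it becomes ready. The caller must retain the returned connection.
// Host and port are illustrative placeholders.
func connect(host: String, port: UInt16, using parameters: NWParameters,
             queue: DispatchQueue = DispatchQueue(label: "mastg.example.net")) -> NWConnection {
    let connection = NWConnection(host: NWEndpoint.Host(host),
                                  port: NWEndpoint.Port(rawValue: port)!,
                                  using: parameters)
    connection.stateUpdateHandler = { state in
        switch state {
        case .ready:
            print("ready; TLS configured: \(usesTLS(parameters))")
        case .failed(let error):
            print("failed: \(error)")
        default:
            break
        }
    }
    connection.start(queue: queue)
    return connection
}

// Usage: classify each construction, then open the hardened one.
for (label, params) in [("NWParameters.tcp", cleartextParameters()),
                        ("init(tls: nil)", cleartextParametersViaInit()),
                        ("init(tls: options)", tlsParameters())] {
    print("\(label): usesTLS = \(usesTLS(params))")
}
let secureConnection = connect(host: "example.com", port: 443, using: tlsParameters())
_ = secureConnection
```

`usesTLS` reports true only when a `NWProtocolTLS.Options` object is part of the stack, which is the case for `NWParameters.tls` and for the `tls:` initializer with a non-nil argument; `NWParameters.tcp`, `NWParameters.udp` and a nil `tls:` argument all leave the stack without TLS, and a connection built from them fails this test regardless of the app's ATS configuration. When reviewing disassembled code, the same question is answered by checking whether `NWProtocolTLS.Options` is ever constructed and handed to the `NWParameters` used for the connection.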
Observation
The output should contain a list of low-level networking API usages and their locations within the app binary.
Evaluation
The test case fails if the app uses low-level networking APIs to establish cleartext connections.
Demos
- MASTG-DEMO-0086: Uses of BSD Sockets Bypassing ATS
- MASTG-DEMO-0085: Uses of Network Framework Bypassing ATS