MASTG-TEST-0323: Uses of Low-Level Networking APIs for Cleartext Traffic
Overview
App Transport Security (ATS) only applies to connections made via the URL Loading System (typically URLSession). Lower-level networking APIs bypass ATS entirely, meaning they can establish cleartext HTTP connections regardless of the app's ATS configuration.
The following low-level APIs are not affected by ATS:
- Network framework: A modern low-level networking API for socket-level communication using TCP and UDP.
- CFNetwork: Core Foundation-based networking APIs including CFSocketStream, CFHTTPStream, and related functions.
- BSD Sockets: Low-level POSIX socket APIs accessed through functions like socket(), connect(), send(), and recv().
Apple recommends preferring high-level frameworks: "ATS doesn't apply to calls your app makes to lower-level networking interfaces like the Network framework or CFNetwork. In these cases, you take responsibility for ensuring the security of the connection. You can construct a secure connection this way, but mistakes are both easy to make and costly. It's typically safest to rely on the URL Loading System instead."
For more information on when ATS applies, see iOS App Transport Security.
Steps
- Use Exploring the App Package to extract the relevant binaries from the app package.
- Use Static Analysis on iOS to look for the relevant APIs in the app binaries.
Observation
The output should contain a list of low-level networking API usages and their locations within the app binary.
Evaluation
The test case fails if the app uses low-level networking APIs to establish cleartext connections.
Further Validation Required:
Inspect each reported code location using Reviewing Disassembled Objective-C and Swift Code to determine whether cleartext connections are established:
- Determine whether TLS is configured for Network framework connections, for example by checking whether .tls is included in NWParameters.
- Determine whether CFNetwork or BSD socket connections use any TLS wrapping.
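The Network framework configurations that the evaluation above asks you to tell apart, as an added Swift illustration that is not code from the MASTG page or its demos; the usesTLS helper and the host and port values are assumptions made for the example:

```swift
import Network

// Added example, not MASTG code. None of these connections are covered by
// ATS, so a TLS layer exists only if the app puts one into NWParameters.

/// Returns true when the parameters carry a TLS layer in the protocol stack.
/// NWParameters.tls appends NWProtocolTLS.Options as an application protocol;
/// NWParameters.tcp and NWParameters(tls: nil, tcp:) leave that list empty.
func usesTLS(_ parameters: NWParameters) -> Bool {
    return parameters.defaultProtocolStack.applicationProtocols
        .contains { $0 is NWProtocolTLS.Options }
}

// 1. Cleartext TCP: this is the pattern that fails the test when it carries app data.
let cleartextParams: NWParameters = .tcp
let cleartext = NWConnection(host: "example.com", port: 80, using: cleartextParams)

// 2. Mentions TLS in the initializer name, but `tls: nil` produces a plain TCP stack.
//    A symbol-level grep for "tls" would flag this as secure; it is not.
let misleadingParams = NWParameters(tls: nil, tcp: NWProtocolTCP.Options())

// 3. TLS configured via the .tls default parameters (or an explicit
//    NWParameters(tls: NWProtocolTLS.Options(), tcp: NWProtocolTCP.Options())).
let tlsParams: NWParameters = .tls
let secure = NWConnection(host: "example.com", port: 443, using: tlsParams)

for (label, params) in [("tcp", cleartextParams),
                        ("tls: nil", misleadingParams),
                        ("tls", tlsParams)] {
    print("\(label): TLS layer present = \(usesTLS(params))")
}

// The connections are created but not started; starting them is not needed
// to inspect the protocol stack, which is what the static review is about.
_ = (cleartext, secure)
```

Case 2 is the caveat to carry into disassembly review: the presence of a TLS-related symbol or initializer name does not prove that a TLS layer was actually added to the parameters.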
Demos
- MASTG-DEMO-0085: Uses of Network Framework Bypassing ATS
- MASTG-DEMO-0086: Uses of BSD Sockets Bypassing ATS