
MASTG-TEST-0342: References to Weak ATS TLS Policy Exceptions in Info.plist

Overview

Apps can weaken ATS TLS enforcement through NSAppTransportSecurity exceptions in Info.plist, in particular the per-domain keys NSExceptionMinimumTLSVersion and NSExceptionRequiresForwardSecrecy.

These exceptions are applied per domain under NSExceptionDomains. When broadly scoped (especially with NSIncludesSubdomains = true), they may affect many hosts and increase the attack surface for Machine-in-the-Middle (MITM) attacks. Apple requires a justification for these exceptions when submitting to the App Store. See iOS App Transport Security for more details on ATS configuration and exceptions.

Apps can also globally disable ATS by setting NSAllowsArbitraryLoads to true. This disables ATS protections for connections made through the URL Loading System, including ATS requirements such as minimum TLS version and forward secrecy, and permits plaintext HTTP communication. It may also relax ATS-specific certificate requirements. Baseline TLS/X.509 certificate chain validation and server trust evaluation performed by the URL Loading System still apply. Per-domain entries under NSExceptionDomains override the global setting. For example, if NSAllowsArbitraryLoads is true but tls-v1-2.example.com has NSExceptionMinimumTLSVersion = "TLSv1.2", that domain still requires TLS 1.2 or higher, while all other domains have ATS disabled. This includes the ability of all other domains to use plaintext HTTP.

Steps

  1. Extract the app (Exploring the App Package).
  2. Locate the Info.plist in the app bundle.
  3. Use Convert Plist Files to JSON to convert the Info.plist to a readable format if necessary.
  4. Examine the NSAppTransportSecurity dictionary for TLS policy exceptions, specifically NSExceptionMinimumTLSVersion, NSExceptionRequiresForwardSecrecy and NSAllowsArbitraryLoads.

Observation

The output should contain any TLS policy exceptions configured under NSAppTransportSecurity, if present.

Evaluation

The test case fails if any of the following conditions are met:

  1. NSAllowsArbitraryLoads is set to true. This disables ATS for all connections to domains not listed in NSExceptionDomains. Per-domain exceptions in NSExceptionDomains still apply to their respective domains, but all other domains have no ATS restrictions.
  2. Any domain, IP address, or IP address range sets NSExceptionMinimumTLSVersion to TLSv1.0 or TLSv1.1.
  3. Any domain, IP address, or IP address range sets NSExceptionRequiresForwardSecrecy to false, NO, or 0.
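The following script is an added example that is not part of the MASTG test or its demo; it automates steps 2 to 4 above and applies the three failure conditions of this evaluation to an Info.plist. It uses only the Python standard library (plistlib reads both binary and XML plists, so the conversion step is not needed), and the embedded Info.plist is a constructed sample, not from any real app. The sample reproduces the override case described in the Overview: NSAllowsArbitraryLoads is true, tls-v1-2.example.com keeps a TLSv1.2 minimum and is not flagged, while a second constructed domain sets a weak minimum version and disables forward secrecy.

```python
import plistlib
import sys

# Constructed sample Info.plist (XML form) for this example; not taken from any real app.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.atsdemo</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>tls-v1-2.example.com</key>
      <dict>
        <key>NSExceptionMinimumTLSVersion</key>
        <string>TLSv1.2</string>
      </dict>
      <key>legacy.example.com</key>
      <dict>
        <key>NSIncludesSubdomains</key>
        <true/>
        <key>NSExceptionMinimumTLSVersion</key>
        <string>TLSv1.0</string>
        <key>NSExceptionRequiresForwardSecrecy</key>
        <false/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Minimum TLS versions that fail this test (Evaluation, condition 2).
WEAK_TLS_VERSIONS = {"TLSv1.0", "TLSv1.1"}


def _is_false(value):
    """Treat false, NO and 0 as disabling forward secrecy (the forms listed in Evaluation, condition 3)."""
    if isinstance(value, bool):          # bool must be checked before int (bool is an int subclass)
        return value is False
    if isinstance(value, (int, float)):
        return value == 0
    if isinstance(value, str):
        return value.strip().lower() in {"false", "no", "0"}
    return False


def evaluate_ats(plist_bytes):
    """Return a list of (scope, key, value) findings; an empty list means the test passes."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings = []

    # Condition 1: ATS globally disabled for every domain not listed in NSExceptionDomains.
    if ats.get("NSAllowsArbitraryLoads") is True:
        findings.append(("<global>", "NSAllowsArbitraryLoads", True))

    # Conditions 2 and 3: per-domain (or IP / IP range) exceptions. NSIncludesSubdomains widens the scope.
    for domain, cfg in ats.get("NSExceptionDomains", {}).items():
        scope = domain + (" (+subdomains)" if cfg.get("NSIncludesSubdomains") else "")
        min_tls = cfg.get("NSExceptionMinimumTLSVersion")
        if min_tls in WEAK_TLS_VERSIONS:
            findings.append((scope, "NSExceptionMinimumTLSVersion", min_tls))
        if "NSExceptionRequiresForwardSecrecy" in cfg and _is_false(cfg["NSExceptionRequiresForwardSecrecy"]):
            findings.append((scope, "NSExceptionRequiresForwardSecrecy", cfg["NSExceptionRequiresForwardSecrecy"]))
    return findings


def main(path=None):
    """Evaluate the Info.plist at `path`, or the constructed sample when no path is given."""
    data = open(path, "rb").read() if path else SAMPLE_INFO_PLIST
    findings = evaluate_ats(data)
    for scope, key, value in findings:
        print(f"FAIL {scope}: {key} = {value!r}")
    if not findings:
        print("PASS: no weak ATS TLS policy exceptions found")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it against the extracted bundle's Info.plist (`python3 ats_check.py Payload/App.app/Info.plist`) or with no argument to see the sample's three findings. The domain with the TLSv1.2 minimum produces no finding even though NSAllowsArbitraryLoads is true, which matches the override behaviour described in the Overview; the report should still list the global finding, since every domain without its own entry is left without ATS restrictions.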

App Store Submission Context

Apple may require justification for ATS exceptions during App Store submission. If available, record that evidence in the report as contextual information only.

Best Practices

MASTG-BEST-0042: Use Strong TLS Settings in ATS Configuration

Demos

MASTG-DEMO-0109: ATS TLS Policy Exceptions in Info.plist