MASTG-TEST-0343: URLSession TLS Protocol Configuration

Overview

URLSessionConfiguration allows apps to customize TLS behavior for individual URLSession instances. The tlsMinimumSupportedProtocolVersion property (or the deprecated tlsMinimumSupportedProtocol) controls the minimum TLS version for a session.

Setting this property to .TLSv10 or .TLSv11 is a bad practice and should be flagged, even though ATS still applies to the URL Loading System and may block the connection at runtime unless a matching Info.plist exception is also present. Unlike Network.framework, URLSession does not bypass ATS.

Note that tlsMinimumSupportedProtocol is deprecated in favor of tlsMinimumSupportedProtocolVersion. Using either to set an insecure minimum TLS version weakens the intended TLS protection for that session.

Steps

  1. Use Reverse Engineering iOS Apps to reverse engineer the app.
  2. Use Static Analysis on iOS to look for uses of URLSessionConfiguration properties that set TLS protocol versions (tlsMinimumSupportedProtocol and tlsMinimumSupportedProtocolVersion).
  3. Use Reviewing Disassembled Objective-C and Swift Code to analyze the relevant code paths and determine the TLS version values being set.

Observation

The output should contain the URLSessionConfiguration API calls that configure TLS protocol versions, if any.

Evaluation

The test case fails if the app sets:

  • tlsMinimumSupportedProtocolVersion to tls_protocol_version_TLSv10 (value 0x0301) or tls_protocol_version_TLSv11 (value 0x0302), or
  • tlsMinimumSupportedProtocol (deprecated) to a value corresponding to TLS 1.0 (kTLSProtocol1) or TLS 1.1 (kTLSProtocol11).
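As an added example (not part of this MASTG page or its tooling), the helper below applies the evaluation criteria above to arm64 disassembly produced during static analysis: it tracks the immediate loaded into w2/x2 before an objc_msgSend to either setter selector and maps that value to a TLS version. The disassembly lines are constructed; the raw values of the deprecated SSLProtocol enum (4, 7, 8, 10) are assumed from the SecureTransport headers and are not stated on this page.

```python
import re

# Raw values of tls_protocol_version_t; the page lists 0x0301 (TLS 1.0) and 0x0302 (TLS 1.1).
TLS_PROTOCOL_VERSION_T = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
# Raw values of the deprecated SSLProtocol enum (assumption: kTLSProtocol1=4, kTLSProtocol11=7, ...).
SSL_PROTOCOL = {4: "TLS 1.0", 7: "TLS 1.1", 8: "TLS 1.2", 10: "TLS 1.3"}
# Objective-C setter selectors behind the two Swift properties, and the enum each one takes.
SELECTORS = {
    "setTLSMinimumSupportedProtocolVersion:": TLS_PROTOCOL_VERSION_T,
    "setTLSMinimumSupportedProtocol:": SSL_PROTOCOL,
}
WEAK_VERSIONS = {"TLS 1.0", "TLS 1.1"}

# "mov w2, #0x301" / "movz w8, #4": capture the register number and the immediate.
MOV_IMM = re.compile(r"\bmovz?\s+[wx](\d+),\s*#(0x[0-9a-f]+|\d+)", re.I)
CALL = re.compile(r"\b(bl|blr|b)\b.*objc_msgSend")

def find_tls_min_version_settings(disasm):
    """Return one finding per call to a minimum-TLS-version setter found in the disassembly."""
    regs = {}  # register number -> last immediate loaded into it
    findings = []
    for line in disasm.splitlines():
        m = MOV_IMM.search(line)
        if m:
            regs[int(m.group(1))] = int(m.group(2), 0)
            continue
        if not CALL.search(line):
            continue
        for selector, enum in SELECTORS.items():
            if selector in line:
                raw = regs.get(2)  # x2/w2 carries the first argument after self and _cmd
                version = enum.get(raw, "unknown")
                findings.append({"addr": line.split()[0], "selector": selector, "raw": raw,
                                 "version": version, "weak": version in WEAK_VERSIONS})
        regs.clear()  # a call clobbers the argument registers; do not carry them forward

    return findings

def evaluate(disasm):
    """FAIL if any session is configured with TLS 1.0 or TLS 1.1 as its minimum version."""
    return "FAIL" if any(f["weak"] for f in find_tls_min_version_settings(disasm)) else "PASS"

# Constructed radare2-style listing: a weak setter call, a safe one, and a deprecated-API call.
SAMPLE_DISASM = """\
0x100004a00  mov w2, #0x301                   ; tls_protocol_version_TLSv10
0x100004a04  adrp x1, 0x100010000
0x100004a08  ldr x1, [x1, #0x8c0]             ; "setTLSMinimumSupportedProtocolVersion:"
0x100004a0c  bl sym.imp.objc_msgSend          ; [config setTLSMinimumSupportedProtocolVersion:]
0x100004a10  mov w2, #0x303                   ; tls_protocol_version_TLSv12
0x100004a14  bl sym.imp.objc_msgSend          ; [backup setTLSMinimumSupportedProtocolVersion:]
0x100004a18  mov w2, #4                       ; kTLSProtocol1
0x100004a1c  bl sym.imp.objc_msgSend          ; [legacy setTLSMinimumSupportedProtocol:]
"""
```

Feed it the output of the disassembler used in the steps above; a register-to-register move or a value loaded from memory yields "unknown" and needs manual review.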

Note on ATS Interaction

ATS may still enforce minimum TLS version requirements for connections using the URL Loading System, depending on the ATS configuration in Info.plist. However, if the app has also configured broad ATS exceptions (see References to Weak ATS TLS Policy Exceptions in Info.plist), the effective TLS minimum may be lower than expected for those domains.

Best Practices

MASTG-BEST-0042: Use Strong TLS Settings in ATS Configuration

Demos

MASTG-DEMO-0110: URLSession Minimum TLS Version Lowered in Code