MASTG-TEST-0344: Network.framework TLS Protocol Configuration
Overview¶
The Network framework operates entirely outside of ATS. Apps using NWConnection with NWProtocolTLS.Options can configure TLS settings directly via the Security framework, including minimum and maximum supported TLS versions through sec_protocol_options_set_min_tls_protocol_version and sec_protocol_options_set_max_tls_protocol_version.
Since ATS does not apply to Network.framework connections, any weak TLS configuration here is not mitigated by ATS. Setting a minimum TLS version below 1.2 creates the risk of connection downgrade attacks without any ATS-level safety net. Apple's documentation notes that "ATS doesn't apply to calls your app makes to lower-level networking interfaces like the Network framework or CFNetwork. In these cases, you take responsibility for ensuring the security of the connection." See Preventing Insecure Network Connections.
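The configuration this test looks for, and its hardened counterpart, as an added Swift example (this is not code from the MASTG or from any app; the host name is a placeholder and the negotiated-version check on `.ready` is an assumed usage of the `NWProtocolTLS.Metadata` API, not something the test requires):

```swift
import Foundation
import Network
import Security

// WEAK (the configuration this test flags): the minimum version is lowered
// to TLS 1.0. `.TLSv10` is the Swift spelling of tls_protocol_version_TLSv10
// (0x0301). ATS does not cover Network.framework, so nothing stops this
// connection from negotiating TLS 1.0 with a server that still offers it.
// Setting the maximum to .TLSv11 (0x0302) fails the test for the same reason.
func weakTLSParameters() -> NWParameters {
    let tls = NWProtocolTLS.Options()
    sec_protocol_options_set_min_tls_protocol_version(tls.securityProtocolOptions, .TLSv10)
    return NWParameters(tls: tls)
}

// HARDENED: require at least TLS 1.2 (0x0303), or TLS 1.3 (0x0304) where every
// backend supports it. With Network.framework this is the app's responsibility.
func hardenedTLSParameters(minimum: tls_protocol_version_t = .TLSv12) -> NWParameters {
    let tls = NWProtocolTLS.Options()
    sec_protocol_options_set_min_tls_protocol_version(tls.securityProtocolOptions, minimum)
    return NWParameters(tls: tls)
}

// Usage: "example.com" is a placeholder endpoint.
let connection = NWConnection(host: "example.com", port: 443, using: hardenedTLSParameters())
connection.stateUpdateHandler = { state in
    switch state {
    case .ready:
        // Confirm what was actually negotiated rather than trusting the options.
        if let meta = connection.metadata(definition: NWProtocolTLS.definition) as? NWProtocolTLS.Metadata {
            let version = sec_protocol_metadata_get_negotiated_tls_protocol_version(meta.securityProtocolMetadata)
            print("negotiated TLS version: \(version)")
        }
    case .failed(let error):
        print("connection failed: \(error)")
    default:
        break
    }
}
connection.start(queue: DispatchQueue(label: "net"))
```

When reviewing a binary, the two functions above are what the static analysis step is looking for: the weak variant compiles down to a call to `sec_protocol_options_set_min_tls_protocol_version` with `0x301` in the second argument register, which is exactly the pattern the Evaluation section fails on.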
For more information on iOS network APIs and when ATS applies, see iOS App Transport Security and iOS Network APIs.
Steps¶
- Use Reverse Engineering iOS Apps to reverse engineer the app.
- Use Static Analysis on iOS to look for uses of sec_protocol_options_set_min_tls_protocol_version and sec_protocol_options_set_max_tls_protocol_version in the app binary.
- Use Reviewing Disassembled Objective-C and Swift Code to analyze the relevant code paths and determine the TLS version values passed to those functions.
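A way to automate the last two steps, as an added Python example that is not part of the MASTG: it scans disassembly text for calls to the two setters and resolves the `tls_protocol_version_t` value from the immediate most recently loaded into the second argument register (w1/x1 on arm64). The input format is a simplified radare2-style listing constructed here for illustration (addresses are made up); real code may load the value differently, in which case the script reports REVIEW rather than guessing.

```python
import re

# Enumerator values from Security/SecProtocolTypes.h (tls_protocol_version_t).
TLS_VERSION_NAMES = {
    0x0301: "tls_protocol_version_TLSv10",
    0x0302: "tls_protocol_version_TLSv11",
    0x0303: "tls_protocol_version_TLSv12",
    0x0304: "tls_protocol_version_TLSv13",
}
WEAK_VERSIONS = {0x0301, 0x0302}

# arm64 calling convention: the version argument travels in w1/x1.
IMM_RE = re.compile(r"\b(?:mov|movz)\s+[wx]1,\s*#?(0x[0-9a-fA-F]+|\d+)\b")
CALL_RE = re.compile(
    r"\b(?:bl|b)\s+\S*?(sec_protocol_options_set_(?:min|max)_tls_protocol_version)\b"
)


def _parse_imm(text):
    return int(text, 16) if text.lower().startswith("0x") else int(text)


def find_tls_version_calls(disasm_lines, window=8):
    """One finding per call to the min/max TLS version setters.

    The value is the immediate most recently loaded into w1/x1 within
    `window` lines before the call. None means it could not be resolved
    statically (loaded from memory, computed, passed through a wrapper)
    and the call needs manual review.
    """
    findings = []
    last_imm = None  # (line_no, value)
    for line_no, line in enumerate(disasm_lines, 1):
        m = IMM_RE.search(line)
        if m:
            last_imm = (line_no, _parse_imm(m.group(1)))
            continue
        c = CALL_RE.search(line)
        if not c:
            continue
        value = None
        if last_imm and line_no - last_imm[0] <= window:
            value = last_imm[1]
        findings.append({
            "line": line_no,
            "function": c.group(1),
            "value": value,
            "version": TLS_VERSION_NAMES.get(value, "unknown") if value is not None else None,
            "weak": (value in WEAK_VERSIONS) if value is not None else None,
        })
        last_imm = None  # the call clobbers w1; never reuse it for a later call
    return findings


def evaluate(findings):
    """FAIL if any setter receives TLS 1.0/1.1, REVIEW if a value is
    unresolved, PASS otherwise (mirrors the Evaluation section)."""
    if any(f["weak"] for f in findings):
        return "FAIL"
    if any(f["weak"] is None for f in findings):
        return "REVIEW"
    return "PASS"


# Constructed, simplified arm64 listing; addresses are illustrative only.
SAMPLE_DISASM = """\
0x100004a10  mov x0, x19
0x100004a14  mov w1, 0x301
0x100004a18  bl sym.imp.sec_protocol_options_set_min_tls_protocol_version
0x100004a1c  mov x0, x19
0x100004a20  mov w1, 0x304
0x100004a24  bl sym.imp.sec_protocol_options_set_max_tls_protocol_version
""".splitlines()

if __name__ == "__main__":
    found = find_tls_version_calls(SAMPLE_DISASM)
    for f in found:
        print(f)
    print(evaluate(found))
```

Feed it the output of `pdf` or `pd` from radare2 (or any listing with the same mnemonics) for the functions that import the two setters. Treat REVIEW as a prompt to read the code path, not as a pass.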
Observation¶
The output should list any calls to sec_protocol_options_set_min_tls_protocol_version or sec_protocol_options_set_max_tls_protocol_version found in the app, together with the TLS version value passed to each call.
Evaluation¶
The test case fails if the app calls:
- sec_protocol_options_set_min_tls_protocol_version with a value of tls_protocol_version_TLSv10 (0x0301) or tls_protocol_version_TLSv11 (0x0302), or
- sec_protocol_options_set_max_tls_protocol_version with a value of tls_protocol_version_TLSv10 (0x0301) or tls_protocol_version_TLSv11 (0x0302).
Because Network.framework operates entirely outside of ATS, a connection configured this way will negotiate the deprecated TLS version with any server that still offers it (and a maximum of TLS 1.1 forces it to). There is no ATS enforcement in this code path to block the connection.
Best Practices¶
MASTG-BEST-0043: Enforce Strong TLS Settings When ATS Doesn't Apply
Demos¶
MASTG-DEMO-0111: Network.framework TLS Minimum Version Lowered via sec_protocol_options