Status: Closed (closed by marcostaehli-bit 6 months ago)
@marcostaehli-bit About the ATS disabling, it was added to allow HTTP requests based on another customer's requirement. Can I ask what your requirement is exactly for enabling ATS? About those permissions you mentioned, such as FaceID: that is used by some SDKs such as CTXMAMLocalAuth; the MAM SDK provides the capability to perform a local challenge with biometric authentication.
@makunterry By turning off ATS, our app could resort to using less secure connections, like HTTP instead of the safer HTTPS. HTTPS ensures that the data sent and received by our app is encrypted and secure. Without ATS, we're missing out on essential security checks, including verifying that we use the most up-to-date and secure communication protocols. Enabling ATS is best practice and turning it off for all connections exposes the application to risks, such as unauthorized access to or tampering with our data. This vulnerability could lead to significant security breaches, compromising our users' privacy and trust in our services.
As we understand the reason for disabling ATS through the integration of the MAM-SDK, HTTP is not absolutely necessary for the MDM system architecture but was rather a request by a customer to allow HTTP? Couldn't disabling ATS then have been done at app level (the customer's development) and not as part of the MAM-SDK?
Therefore we would appreciate it if ATS were not disabled as part of the MAM-SDK. However, recognizing that clients have diverse needs, we suggest making the ATS settings configurable at least within the MAM SDK provided by Citrix, or leaving it entirely up to the app-level setting. This flexibility would allow us to adhere to the highest security standards while letting Citrix cater to the specific requirements of its diverse client base. Making other permissions such as FaceID configurable would also be desirable, since these permissions are not always required but depend on the MAM app configuration/policies. Adding permissions and settings which are not necessary for the functionality of the app is not best practice. This has also been highlighted as a critical issue with our application's current setup by our security experts.
@marcostaehli-bit Thanks for your detailed information. We have planned an enhancement to give developers an option to enable ATS when wrapping the app and generating the MDX file; this fix will be included in the next release. And about the FaceID permission: since the MAM SDK provides the capability to do biometric authentication, we have to declare it at app level. But the permission grant request alert will only be shown the first time FaceID is used during the app lifecycle.
@makunterry Thanks for your fast reaction. This possibility to configure ATS should work, thanks. But I have to mention here that ATS is enabled by default and not disabled. It requires an explicit configuration to disable ATS. Therefore I would like to see an option in the MAM-SDK which DISABLES ATS rather than enabling it. The default when nothing is configured explicitly should be ATS enabled.
@marcostaehli-bit I know your point exactly, but we need to consider those existing integrated apps so that they won't be affected and don't need to make any configuration change for this. The iOS MAMSDK 24.5.0 includes the fixed CGAppCLPrepTool, please give it a try: https://github.com/citrix/citrix-mam-sdks/releases/tag/24.5.0
With the MAM-SDK integrated in an iOS application, App Transport Security gets disabled:

Info.plist

Since nothing documented about this can be found, it would be appreciated if you could please provide some information:

NSFaceIDUsageDescription

gets introduced even though it is not necessary for the app itself. Can this be avoided or configured as well?

Context: Security auditors criticize that ATS is disabled and that permissions like the one for FaceID are requested/included even though they are not used in the application.
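The check the auditors in this thread are effectively running, as an added example that is not part of the issue, of the Citrix MAM SDK or of CGAppCLPrepTool: a small Python audit of a wrapped app's Info.plist that reports every ATS relaxation (the app-wide `NSAllowsArbitraryLoads` the thread complains about, plus the per-domain exception keys) and every `NS*UsageDescription` key the app does not actually need. The two embedded plists, the `com.example.wrapped` bundle id and the `EXPECTED_PRIVACY_KEYS` set are constructed assumptions for illustration; the ATS and usage-description key names are Apple's.

```python
"""Audit an iOS Info.plist for App Transport Security (ATS) relaxations and
privacy usage-description keys the app does not actually need.

Added example for this thread; not code from the Citrix MAM SDK or
CGAppCLPrepTool. The two plists and EXPECTED_PRIVACY_KEYS below are
constructed assumptions, not copied from any real app."""
import plistlib

ATS_KEY = "NSAppTransportSecurity"

# App-wide ATS relaxations (Apple-defined keys); any of them set to true
# weakens ATS for every connection, not just one host.
GLOBAL_ATS_FLAGS = (
    "NSAllowsArbitraryLoads",
    "NSAllowsArbitraryLoadsInWebContent",
    "NSAllowsArbitraryLoadsForMedia",
    "NSAllowsLocalNetworking",
)

# Constructed: what a wrapped app's Info.plist looks like when the wrapper
# turns ATS off globally and declares a FaceID usage string.
WRAPPED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.wrapped</string>
  <key>NSCameraUsageDescription</key><string>Scan documents</string>
  <key>NSFaceIDUsageDescription</key><string>Unlock the app</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
  </dict>
</dict>
</plist>
"""

# Constructed: the same app with ATS left at its default (no ATS dict at all)
# and only the permission it really uses.
HARDENED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.wrapped</string>
  <key>NSCameraUsageDescription</key><string>Scan documents</string>
</dict>
</plist>
"""

# Assumption: the permissions this particular app legitimately needs.
EXPECTED_PRIVACY_KEYS = {"NSCameraUsageDescription"}


def ats_findings(info):
    """List every ATS relaxation in a parsed Info.plist dict.

    An empty list means ATS is in its default, fully enabled state."""
    findings = []
    ats = info.get(ATS_KEY)
    if ats is None:
        return findings
    if not isinstance(ats, dict):
        return [f"{ATS_KEY} present but not a dictionary"]
    for flag in GLOBAL_ATS_FLAGS:
        if ats.get(flag) is True:
            findings.append(f"{flag} = true (app-wide)")
    # Per-domain exceptions can also reopen plain HTTP or weak TLS for a host.
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            findings.append(f"{domain}: NSExceptionAllowsInsecureHTTPLoads = true")
        if rules.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(f"{domain}: NSExceptionRequiresForwardSecrecy = false")
        tls = rules.get("NSExceptionMinimumTLSVersion")
        if tls in ("TLSv1.0", "TLSv1.1"):
            findings.append(f"{domain}: NSExceptionMinimumTLSVersion = {tls}")
    return findings


def unexpected_privacy_keys(info, expected):
    """Return NS*UsageDescription keys that are declared but not expected."""
    declared = {k for k in info if k.startswith("NS") and k.endswith("UsageDescription")}
    return sorted(declared - set(expected))


def audit(plist_bytes, expected_privacy_keys):
    """Parse an Info.plist (XML or binary) and report both classes of issue."""
    info = plistlib.loads(plist_bytes)
    return {
        "ats": ats_findings(info),
        "extra_privacy_keys": unexpected_privacy_keys(info, expected_privacy_keys),
    }


if __name__ == "__main__":
    for name, data in (("wrapped", WRAPPED_PLIST), ("hardened", HARDENED_PLIST)):
        print(name, audit(data, EXPECTED_PRIVACY_KEYS))
```

Run it against the Info.plist inside the wrapped .ipa (`Payload/<App>.app/Info.plist`, which may be binary; `plistlib.loads` handles both formats) and against the unwrapped build to see exactly what the wrapping step changed. An empty `ats` list is the state the thread asks for as the default; anything else should be a deliberate, documented per-app choice rather than something the wrapper injects.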