The application has globally disabled App Transport Security (ATS).
ATS helps ensure secure connections between an app and the back end server(s) and is a client side protection that should be used on all apps. It is widely used to enforce best practice network security standards. Disabling the ATS functionality globally will allow a connection regardless of HTTP or HTTPS configuration, allow connections to servers with lower TLS versions and allow connections using cipher suites that do not support forward secrecy.
ATS is on by default when an app is linked to iOS 9.0 SDK or later. With ATS enabled, HTTP connections are forced to use HTTPS (TLS v1.2), and any attempts to connect using insecure HTTP will fail. Options for implementing ATS include:
ATS can be enabled globally (by linking to iOS 9.0 or later SDK) and the developer can choose to decrease ATS restrictions on a specific server using an exception key.
ATS can be disabled globally (by setting the NSAllowsArbitraryLoads key to YES). An exception could then allow the developer to increase ATS restrictions on a specific server. Use of weak ciphers and old versions of TLS, along with only accepting valid self-signed certificates are all processes that can lead to man-in-the-middle attacks, but can be prevented through the use of App Transport Security.
Recommendation
For apps running on iOS 9.0 or higher, ATS must be
enabled globally by linking to the iOS 9.0 or later SDK, and avoid
setting the "NSAllowsArbitraryLoads" key to "Yes" or "True". For any
existing apps which communicate to servers inside HTTP, an exception must
be set using either the "NSExceptionAllowsInsecureHTTPLoads" or
"NSThirdPartyExceptionAllowsInsecureHTTPLoads" key.
Summary
The application has globally disabled App Transport Security (ATS).
ATS helps ensure secure connections between an app and the back end server(s) and is a client side protection that should be used on all apps. It is widely used to enforce best practice network security standards. Disabling the ATS functionality globally will allow a connection regardless of HTTP or HTTPS configuration, allow connections to servers with lower TLS versions and allow connections using cipher suites that do not support forward secrecy.
ATS is on by default when an app is linked to iOS 9.0 SDK or later. With ATS enabled, HTTP connections are forced to use HTTPS (TLS v1.2), and any attempts to connect using insecure HTTP will fail. Options for implementing ATS include:
Recommendation
For apps running on iOS 9.0 or higher, ATS must be enabled globally by linking to the iOS 9.0 or later SDK, and avoid setting the "NSAllowsArbitraryLoads" key to "Yes" or "True". For any existing apps which communicate to servers inside HTTP, an exception must be set using either the "NSExceptionAllowsInsecureHTTPLoads" or "NSThirdPartyExceptionAllowsInsecureHTTPLoads" key.
Instructions for Cordova can be found at https://cordova.apache.org/docs/en/9.x/guide/appdev/whitelist/index.html#ios-whitelisting
Risk and Regulatory Information
Severity: medium CVSS: 5.3
Application
See more detail in the NowSecure Report