Finding Description
The application has globally disabled App Transport Security (ATS).
ATS helps ensure secure connections between an app and its back-end server(s) and is a client-side protection that should be used in all apps. It is widely used to enforce best-practice network security standards. Disabling ATS globally allows connections regardless of whether HTTP or HTTPS is configured, allows connections to servers running lower TLS versions, and allows connections using cipher suites that do not support forward secrecy.
ATS is on by default when an app is linked against the iOS 9.0 SDK or later. With ATS enabled, HTTP connections are forced to use HTTPS (TLS v1.2), and any attempt to connect over insecure HTTP fails. Options for implementing ATS include:
ATS can be enabled globally (by linking against the iOS 9.0 or later SDK); the developer can then relax ATS restrictions for a specific server using an exception key.
ATS can be disabled globally (by setting the NSAllowsArbitraryLoads key to YES); an exception can then be used to tighten ATS restrictions for a specific server. Use of weak ciphers and old TLS versions, along with accepting self-signed certificates, can all lead to man-in-the-middle attacks, but can be prevented through the use of App Transport Security.
Steps to Reproduce
Examine the app's information properties file to evaluate whether ATS is disabled.
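As an added check (not part of the original finding), the following Python script parses an app's information properties file (Info.plist) with the standard library's plistlib and lists every ATS weakening it declares: the global NSAllowsArbitraryLoads opt-out this finding reports, plus per-domain exceptions. The embedded plist is a constructed sample, not from any real app; the NSAllowsArbitraryLoadsInWebContent, NSAllowsArbitraryLoadsForMedia, third-party exception and minimum-TLS-version keys are Apple's other ATS keys beyond those named on this page.

```python
import plistlib

# Constructed sample Info.plist (not from any real app): ATS stays on globally,
# but one domain carries an exception that permits plaintext HTTP and non-PFS ciphers.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSAllowsArbitraryLoads</key>
        <false/>
        <key>NSExceptionDomains</key>
        <dict>
            <key>example.com</key>
            <dict>
                <key>NSExceptionAllowsInsecureHTTPLoads</key>
                <true/>
                <key>NSExceptionRequiresForwardSecrecy</key>
                <false/>
            </dict>
        </dict>
    </dict>
</dict>
</plist>
"""
# Keys that switch ATS off for a whole class of connections when set to YES.
GLOBAL_OPT_OUT_KEYS = ("NSAllowsArbitraryLoads", "NSAllowsArbitraryLoadsInWebContent",
                       "NSAllowsArbitraryLoadsForMedia")
# Per-domain exception keys, grouped by what they weaken (first- and third-party forms).
INSECURE_HTTP = ("NSExceptionAllowsInsecureHTTPLoads", "NSThirdPartyExceptionAllowsInsecureHTTPLoads")
NO_PFS = ("NSExceptionRequiresForwardSecrecy", "NSThirdPartyExceptionRequiresForwardSecrecy")
MIN_TLS = ("NSExceptionMinimumTLSVersion", "NSThirdPartyExceptionMinimumTLSVersion")


def audit_ats(plist_bytes: bytes) -> list:
    """Parse an Info.plist (XML or binary) and list every ATS weakening it declares.
    An empty list means the ATS defaults (HTTPS, TLS 1.2+, forward secrecy) are in force."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity") or {}
    findings = [f"global: {k} is YES" for k in GLOBAL_OPT_OUT_KEYS if ats.get(k) is True]
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        findings += [f"{domain}: {k} is YES (plaintext HTTP allowed)" for k in INSECURE_HTTP if rules.get(k) is True]
        findings += [f"{domain}: {k} is NO (non-PFS cipher suites allowed)" for k in NO_PFS if rules.get(k) is False]
        findings += [f"{domain}: {k} is {rules[k]} (below TLS 1.2)" for k in MIN_TLS if rules.get(k) in ("TLSv1.0", "TLSv1.1")]
    return findings


if __name__ == "__main__":
    for line in audit_ats(SAMPLE_INFO_PLIST):
        print(line)
```

Run it against a real app's Info.plist by replacing SAMPLE_INFO_PLIST with the file's bytes; a result containing "global: NSAllowsArbitraryLoads is YES" is exactly the condition this finding reports.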
Business Impact
ATS significantly increases the security of an app's communication. If an app is not using ATS, it could expose sensitive information, such as personal information or intellectual property, from the app to the Internet. Disabling ATS enables the possible use of HTTP or other weak protocols for network communications, which may affect the organization's compliance requirements and confidentiality goals.
Remediation Resources
Recommended Fix
For apps running on iOS 9.0 or higher, ATS must be enabled globally by linking against the iOS 9.0 or later SDK, and the "NSAllowsArbitraryLoads" key must not be set to "YES" or "true". For any existing apps that communicate with servers over HTTP, a per-domain exception must be set instead, using either the "NSExceptionAllowsInsecureHTTPLoads" or "NSThirdPartyExceptionAllowsInsecureHTTPLoads" key.
Code Samples
Bad Code Sample (.plist)
<!-- Inside the app's information properties file, ATS exceptions are configured
     with the NSAppTransportSecurity dictionary; all of its keys are optional. -->
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>
<!-- Setting any of the arbitrary-load booleans to true (YES) completely disables
     ATS for the respective component. -->
Good Code Sample (.plist)
<!-- Exceptions should only be configured when absolutely needed;
     first try to fix the security of the server. -->
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <false/> <!-- ATS enabled -->
</dict>
<!-- If needed for a particular domain, scope the exception to that single domain -->
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <false/>
    <key>NSExceptionDomains</key>
    <dict>
        <key>example.com</key>
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <key>NSExceptionRequiresForwardSecrecy</key>
            <false/>
        </dict>
    </dict>
</dict>
Instructions for Cordova can be found at https://cordova.apache.org/docs/en/9.x/guide/appdev/whitelist/index.html#ios-whitelisting
Risk and Regulatory Information
Severity: medium CVSS: 5.3
See more detail in the NowSecure Report