Open lcimeni opened 3 years ago
Update: The risk severity (CVSS score) of this finding has been modified from 5.3 to 10 by Lorenz Cimeni.
Powered by NowSecure Platform
Update: The risk severity (CVSS score) of this finding has been modified from 10 to 5.3 by Lorenz Cimeni.
Finding Description
The application has globally disabled App Transport Security (ATS).
ATS helps ensure secure connections between an app and its back-end server(s); it is a client-side protection that should be used in all apps and is widely used to enforce best-practice network security standards. Disabling ATS globally allows connections regardless of whether HTTP or HTTPS is configured, allows connections to servers with older TLS versions, and allows connections using cipher suites that do not support forward secrecy.
ATS is on by default when an app is linked against the iOS 9.0 SDK or later. With ATS enabled, HTTP connections are forced to use HTTPS (TLS v1.2), and any attempt to connect over insecure HTTP fails. Options for implementing ATS include:
Steps to Reproduce
Examine the app's information properties file to evaluate whether ATS is disabled.
Business Impact
ATS significantly increases the security of an app's communication. If an app does not use ATS, it could expose sensitive information, such as personal information or intellectual property, from the app to the Internet. Disabling ATS enables the possible use of HTTP or other weak protocols for network communication, which may affect the organization's compliance requirements and confidentiality goals.
Remediation Resources
Recommended Fix
For apps running on iOS 9.0 or higher, ATS must be enabled globally by linking against the iOS 9.0 or later SDK and by not setting the "NSAllowsArbitraryLoads" key to "Yes" or "True". For any existing app that communicates with servers over HTTP, a scoped exception must be set instead, using either the "NSExceptionAllowsInsecureHTTPLoads" or "NSThirdPartyExceptionAllowsInsecureHTTPLoads" key.
Instructions for Cordova can be found at https://cordova.apache.org/docs/en/9.x/guide/appdev/whitelist/index.html#ios-whitelisting
Code Samples
Bad Code Sample (.plist)
Good Code Sample (.plist)
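The bodies of the two .plist samples are missing from this issue. The following is an added example, not NowSecure's tooling or the audited app's code: it embeds a constructed "bad" Info.plist (ATS disabled globally) and a constructed "good" one (ATS left on, with one scoped HTTP exception), and implements the "Steps to Reproduce" check above by parsing the plist and reporting the global opt-out and any per-domain exceptions. The key names are Apple's documented NSAppTransportSecurity keys; the bundle identifier, the host legacy.example.com and the classification labels are placeholders chosen for this example.

```python
"""Check an iOS Info.plist for the App Transport Security (ATS) weaknesses
described in this finding. Added example; not NowSecure's code or the app's.
The two plists below are constructed samples."""
import plistlib

# Constructed "bad" Info.plist: ATS switched off for every connection.
BAD_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.app</string>
    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSAllowsArbitraryLoads</key>
        <true/>
    </dict>
</dict>
</plist>
"""

# Constructed "good" Info.plist: ATS stays on globally; one legacy host gets a
# narrowly scoped HTTP exception instead of a global opt-out.
GOOD_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.app</string>
    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSExceptionDomains</key>
        <dict>
            <key>legacy.example.com</key>
            <dict>
                <key>NSExceptionAllowsInsecureHTTPLoads</key>
                <true/>
                <key>NSIncludesSubdomains</key>
                <false/>
            </dict>
        </dict>
    </dict>
</dict>
</plist>
"""

HTTP_EXCEPTION_KEYS = (
    "NSExceptionAllowsInsecureHTTPLoads",
    "NSThirdPartyExceptionAllowsInsecureHTTPLoads",
)
TLS_EXCEPTION_KEYS = (
    "NSExceptionMinimumTLSVersion",
    "NSThirdPartyExceptionMinimumTLSVersion",
)
FS_EXCEPTION_KEYS = (
    "NSExceptionRequiresForwardSecrecy",
    "NSThirdPartyExceptionRequiresForwardSecrecy",
)


def ats_findings(plist_bytes: bytes) -> dict:
    """Return the ATS-relevant facts found in an Info.plist."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings = {
        "global_ats_disabled": bool(ats.get("NSAllowsArbitraryLoads", False)),
        "insecure_http_domains": [],
        "downgraded_tls_domains": [],
        "no_forward_secrecy_domains": [],
    }
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if any(rules.get(k) for k in HTTP_EXCEPTION_KEYS):
            findings["insecure_http_domains"].append(domain)
        # ATS's default floor is TLS 1.2; an explicit lower minimum is a downgrade.
        if any(rules.get(k) in ("TLSv1.0", "TLSv1.1") for k in TLS_EXCEPTION_KEYS):
            findings["downgraded_tls_domains"].append(domain)
        # Forward secrecy is required by default; an explicit false turns it off.
        if any(rules.get(k) is False for k in FS_EXCEPTION_KEYS):
            findings["no_forward_secrecy_domains"].append(domain)
    return findings


def classify(plist_bytes: bytes) -> str:
    """Placeholder labels: global opt-out, scoped exceptions only, or ATS intact."""
    f = ats_findings(plist_bytes)
    if f["global_ats_disabled"]:
        return "globally-disabled"
    if (f["insecure_http_domains"] or f["downgraded_tls_domains"]
            or f["no_forward_secrecy_domains"]):
        return "scoped-exceptions"
    return "enabled"


if __name__ == "__main__":
    for name, data in (("bad", BAD_PLIST), ("good", GOOD_PLIST)):
        print(name, classify(data), ats_findings(data))
```

Run against a real app by replacing the constructed bytes with the contents of the bundle's Info.plist; binary plists are accepted by plistlib as well. Note that a scoped exception is still a deliberate weakening for that one host and should be reviewed, but it does not reproduce this finding, which is specifically the global NSAllowsArbitraryLoads opt-out.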
Additional Guidance
Risk and Regulatory Information
Severity: medium CVSS: 5.3
See more detail in the NowSecure Report