Implement App Transport Security (ATS)

Details

New in iOS 9, App Transport Security (ATS) helps ensure secure connections between an app and any back-end server(s). It is enabled by default when an app is linked against the iOS 9.0 SDK or later. With ATS enabled, HTTP connections are forced to use HTTPS (TLS v1.2), and any attempt to connect over insecure HTTP fails.

There are two ways to implement ATS:

  • A developer can enable ATS globally (by linking against the iOS 9.0 SDK or later) and then decrease ATS restrictions for a specific server using an exception key
  • A developer can disable ATS globally (by setting the NSAllowsArbitraryLoads key to YES) and then use an exception to increase ATS restrictions for a specific server

Remediation

For apps running on iOS 9.0 or higher, best practice is to enable ATS globally by linking against the iOS 9.0 SDK or later and NOT setting the NSAllowsArbitraryLoads key to Yes or True. Apple currently allows developers to include exceptions for any domains for which TLS cannot be enforced. Exceptions can be made using the NSExceptionAllowsInsecureHTTPLoads or NSThirdPartyExceptionAllowsInsecureHTTPLoads keys. Apple originally planned to require that all apps submitted to the App Store support ATS in January 2017; the deadline has since been extended, but a new date has not been announced.

Apple introduced the subkeys NSAllowsArbitraryLoadsInWebContent, NSAllowsLocalNetworking, and more in iOS 10. Developers can use these subkeys to disable only certain restrictions rather than overriding all ATS restrictions. For more information, see Apple documentation about NSAppTransportSecurity and ATS configuration basics on the Apple Developer website.
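The two configuration styles from the Details section and the remediation above, as an added example that is not part of this page: a small audit script that parses an Info.plist with Python's standard plistlib and reports every key that weakens ATS, either app-wide or for a named domain. The plist fragments and the host name legacy.example.com are constructed for the example.

```python
import plistlib

# Constructed sample Info.plist fragments (not from any real app): the weak
# configuration disables ATS for every connection; the recommended one keeps
# ATS on and scopes the HTTP exception to a single legacy host.
WEAK_PLIST = b"""<plist><dict>
  <key>NSAppTransportSecurity</key>
  <dict><key>NSAllowsArbitraryLoads</key><true/></dict>
</dict></plist>"""

RECOMMENDED_PLIST = b"""<plist><dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict><key>NSExceptionAllowsInsecureHTTPLoads</key><true/></dict>
    </dict>
  </dict>
</dict></plist>"""

# Top-level keys that loosen ATS for the whole app rather than one domain.
GLOBAL_KEYS = ("NSAllowsArbitraryLoads", "NSAllowsArbitraryLoadsInWebContent",
               "NSAllowsLocalNetworking")
# Per-domain keys that permit plain HTTP to the named domain.
DOMAIN_KEYS = ("NSExceptionAllowsInsecureHTTPLoads",
               "NSThirdPartyExceptionAllowsInsecureHTTPLoads")


def audit_ats(plist_bytes):
    """Return findings describing how the plist weakens ATS; an empty list
    means ATS is fully enforced (the default when linked against iOS 9+)."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings = []
    for key in GLOBAL_KEYS:
        if ats.get(key) is True:
            findings.append(f"global: {key} is true")
    for domain, opts in ats.get("NSExceptionDomains", {}).items():
        for key in DOMAIN_KEYS:
            if opts.get(key) is True:
                findings.append(f"{domain}: {key} is true")
    return findings


if __name__ == "__main__":
    print("weak:", audit_ats(WEAK_PLIST))
    print("recommended:", audit_ats(RECOMMENDED_PLIST))
```

A "global" finding is the one to treat as a defect; a per-domain finding is the scoped exception the remediation permits and should be reviewed against the list of hosts that genuinely cannot serve TLS.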
