Wiki
  • Introduction
  • 👾Penetration Testing
    • Application Security
      • Mobile App Security
        • Android Application Testing
          • Security Checklist
          • SSL Pinning Bypasses
          • Non-Proxy Aware Applications
            • Setting up VPN Server
            • Bypasses
          • Common Proxying Issues
          • Android Local Storage Checks
          • Android Task Hijacking
          • Kiosk Mode / Breakout Testing
          • Magisk on GenyMotion
        • iOS Application Testing
          • iOS Testing Using Objection
          • IPA Analysis Using MobSF
          • iOS Jailbreak Bypass
          • Decrypting iOS Apps
          • iOS Reverse Engineering
          • Jailbreak Detection Bypasses
          • iOS Local Storage Checks
          • Installing IPA
          • ATS Auditing
          • iOS Jailbreaking
          • Frida Pinning Bypasses
          • iOS Jailbreaking
        • Code Security
        • Frida on Windows
      • Web Application Security
        • Web Shells
        • CSV Injection
        • Measure Response Time using CURL
        • OSINT
          • EyeWitness
        • GraphQL Hacking
      • API Security
        • Security Checklist
        • Postman and Burp
        • CURL via BurpSuite
        • SOAP API Pentesting
    • Infrastructure Security
      • Network Infrastructure
        • Red Team Powershell Scripts
        • Mounting NFS Shares
        • Password Cracking/Auditing
        • Remote Access Sheet
        • Password Cracking Using Hashcat
        • Calculate IP Addresses from CIDR
        • Grep IP addresses or IP Ranges from a File
        • Default Credentials Checking
        • Check SSL/TLS Certificates
        • Log a terminal session
        • Unauthenticated Mongo DB
        • Microsoft SQL Server (MSSQL)
        • NTP Mode 6 Vulnerabilities
        • BloodHound
        • AD Offensive Testing
        • CrackMapExec
        • Select all IP addresses in Sublime Text
        • Convert CIDRs to an IP address list
        • Microsoft Exchange Client Access Server Information Disclosure
        • Web Server HTTP Header Internal IP Disclosure
        • smbclient.py
        • GetUserSPNs.py
        • Get-GPPPassword.py
        • SMBMap
        • Mounting Shares
        • mitm6
        • AD Attacks
        • Weak IKE Security Configurations
        • Locked BIOS Password Bypass
      • Wireless Security
        • Cached Wireless Keys
        • Aircrack Suite
    • SSL/TLS Security
    • Secure Code Review
      • Python
      • Semgrep
        • Semgrep to HTML Report
    • Cloud Security
      • Cloud Penetration Testing
    • Social Engineering
      • Simulated Phishing
        • GoPhish
    • Tool Usage
      • Docker
      • Split
      • PhantomJS
      • Aquatone
      • Tmux
      • Ipainstaller
      • Public IP From Command Line
      • Wifite
      • IKE Scan
      • Grep
      • Pulling APKs
      • Bitsadmin
      • Drozer
      • Iptables
      • Python Web Server
      • Crackmapexec
      • Impacket
      • Nessus
      • Adding SUDO User
      • Nmap
      • Metasploit Payloads
      • SMTP Open Relay
      • SQLMap
      • Screen
      • Remove All After Colon
      • Remove Old Linux Kernels
      • CURL
      • Hashcat
      • Secure Copy Protocol (SCP)
      • SSH & PGP Tools
      • IP Calculator
      • BloodHound
      • Netcat File Transfer
      • OpenVAS
      • BurpSuite
      • Exiftool
      • Python Virtual Environments
    • Errors and Solutions
      • Kill Process On Specific Port
      • Kill SSH Port Forwarding
      • SSH Key
      • Expanding Disk on Kali VM
    • Scoping
      • Scoping Questionnaires
        • Mobile App Testing
    • OSINT
      • Dark Web OSINT
      • Certificate Chain Check
      • EyeWitness - Web Service Screenshot
      • Tor to Browse Onion Links
      • DarkDump - Scan Dark Web for Onion Links
      • Domain related File Search
      • Google Dorking
      • IP / Network Blocks owned by a Company
  • ⌨️Programming
    • Automation
      • Running a Service at Boot
      • Network Connectivity Cron
    • Python
      • Adding Columns in Pandas
      • Copy Entire Column Data To New Column Pandas
      • Loading Progress Bar
      • Reorder Columns in Pandas
      • Filename with Date/Time Stamp
      • Command Line Arguments
      • Changing Date Format
      • Removing Index Column Pandas
      • Regex - Remove HTML Tags
      • Column Header Mapping
  • 🌐Miscellaneous
    • Scripts
      • Clickjacking Checker
      • Bulk WHOIS
      • SMB Signing Check
      • FDQN to IP Address
      • Grep IP Addresses
      • Nessus Parser
      • Build Review Audit
      • Nessus Merger
      • Nmap2CSV
      • Remove Audio From Videos
    • Favourite Reads/Links
    • Hacking Posters
    • Windows Developer VMs
    • Windows Workspaces
    • GitHub Pages
    • Interview Prep
      • Senior Penetration Tester
    • CVSS Formula
    • Android Rooting
      • Lineage OS 18.1 on OnePlus X
      • TWRP Recover on OnePlus X
      • Magisk Rooting
    • Presentation Slides
      • BlackHat - USA [2022]
  • 🐞Vulnerability Wiki
    • 🌐APPLICATION LEVEL
      • 🔒AUTHENTICATION
        • Authentication Bypass
        • Lack of Password Confirmation
        • 2FA Code Brute-forceable
        • Lack of Verification
        • Lack of Throttling on Form Submissions
        • Lack of Rate Limiting on Login
        • Weak Password Complexity Rules
        • 🖥️SESSION MANAGEMENT
        • 🔑ACCESS CONTROL
      • 🔢INPUT VALIDATION
      • ➗CRYPTOGRAPHY
      • 📉LOGGING
      • 📕DATA PROTECTION
      • 📲COMMUNICATION
      • 👨‍💻MALICIOUS CODE
      • 💡LOGIC
      • 🗄️FILE UPLOAD
      • ⚙️API ISSUES
      • 🔍CONFIGURATIONS
    • 💾INFRASTRUCTURE LEVEL
      • ICMP Timestamp Request Remote Date Disclosure (CVE-1999-0524)
      • ASP.NET Debug Mode Validation
Powered by GitBook
On this page
  • NSAppTransportSecurity configuration keys, subkeys, and exceptions
  • NSExceptionDomains and subkeys

Was this helpful?

  1. Penetration Testing
  2. Application Security
  3. Mobile App Security
  4. iOS Application Testing

ATS Auditing

PreviousInstalling IPANextiOS Jailbreaking

Last updated 2 years ago

Was this helpful?

Content taken from

The .ipa is now unzipped and the Info.plist file is converted into a readable format and opened. Now, locate the “App Transport Security Settings,” and there you will find the current ATS configuration which will look something like this:

NSAppTransportSecurity : Dictionary {
    NSAllowsArbitraryLoads : Boolean
    NSAllowsArbitraryLoadsForMedia : Boolean
    NSAllowsArbitraryLoadsInWebContent : Boolean
    NSAllowsLocalNetworking : Boolean
    NSExceptionDomains : Dictionary {
        <domain-name-string> : Dictionary {
            NSIncludesSubdomains : Boolean
            NSExceptionAllowsInsecureHTTPLoads : Boolean
            NSExceptionMinimumTLSVersion : String
            NSExceptionRequiresForwardSecrecy : Boolean   
            NSRequiresCertificateTransparency : Boolean
        }
    }
}

There you’ll see the app’s ATS primary and subkeys. Each key helps developers configure the app’s ATS implementation and make exceptions for domains that can’t support ATS.

NSAppTransportSecurity configuration keys, subkeys, and exceptions

To help security analysts understand the various ATS exceptions and how they affect the security posture of an iOS app, I’ve described them below.

NSAllowArbitraryLoads

The NSAllowArbitraryLoads key is set to NO by default. Setting the key to YES will opt-out of ATS and its associated security benefits. If in testing an app you find this key set to YES, verify why the developers decided to opt out. In addition, check into the NSExceptionDomains exception and whether any domains are listed there. We’ve encountered a number of cases where developers have opted out of ATS globally, but then opted in only for certain domains by listing an exception domain. A better approach is to enable ATS globally, and only opt out for certain domains if absolutely necessary (more on that in the NSExceptionDomains section below).

If they key is set to YES, spend time verifying:

  • The ciphers used for the app’s backend connections (and that they’re strong)

  • The protocols used to send and retrieve data (and that they’re secure)

  • Whether the app has any downgrade vulnerabilities

  • Whether the app validates certificates used for TLS connections

While you should perform testing in these areas regardless of the ATS configuration, a developer setting this key to YES increases risks in these areas.

NSAllowsLoadsForMedia

NSAllowsArbitraryLoadsInWebContent

By default, NSAllowsArbitraryLoadsInWebContent is set to NO. When the key is set to YES, ATS is disabled for webview requests. You would usually see this exception if a webview is used within the app. In that case, you’ll want to assess whether the webview sends sensitive data. That’s because with the key enabled, data can be sent over HTTP or other insecure protocols or connections.

NSAllowsLocalNetworking

NSAllowsLocalNetworking is set to NO by default. Setting it to YES will disable ATS for connections over a local network. Typical use cases for this exception might be apps that connect to a local hardware device in an Internet-of-Things (IoT) scenario. Apps that facilitate local peer-to-peer connections may also use this exception. If you run into this exception when testing an app, replicate the environment within which this local connection would take place to check for sensitive data sent over the local network in an insecure method. Even if an app connects to a local device, a best security practice is to use a TLS connection between those endpoints.

NSExceptionDomains and subkeys

NSExceptionDomains

Using the NSExceptionDomains key, developers can configure ATS exceptions on a domain-by-domain basis. Security analysts should note that ATS subkeys within NSExceptionDomains supersede other primary keys. For example, if an app loads media from a specific domain and both the NSAllowsLoadsForMedia exception and a NSExceptionDomains configuration is used for that particular domain, the NSExceptionDomains subkey parameters supersede the NSAllowsLoadsForMedia key parameters.

Security analysts should also note that without additional configuration using the subkeys underneath the primary NSExceptionDomain key, connections between the app and a listed domain will enforce ATS on the connection (even with NSAllowsArbitraryLoads set to YES). Put another way — if an exception domain is listed without any configuration of the subkeys, that domain will receive full ATS protection, even if the NSAllowsArbitraryLoads is set to YES. This can complicate analysis because a developer can shut off ATS globally but turn it on for specific domains by listing them within the NSExceptionDomains key.

Some developers are tempted to opt-out globally and opt-in for specific domains. However, a better practice is to leave ATS globally enabled for better protection coverage and only exempt domains your organization doesn’t control (the intended use case for the NSExceptionDomain key). And even then, only if necessary. Explain to your development team that coding logical ATS subkey exceptions will simplify the justification used for each exception and make life easier in the long run when Apple enforces a deadline. ATS should be enabled globally, and exceptions to ATS created through the NSExceptionDomains subkeys.

If an app you’re testing uses NSExceptionDomains and sets NSAllowsArbitraryLoads to YES, make sure you’re auditing the connections between the app and back-end services. Ideally, the app is only connecting to domains listed in the top-level NSExceptionDomains key, without any further configuration in the subkeys (again, effectively opting-into ATS for specific domains). If there are connections to other domains not in that list, ATS will not be enforced for those domains.

NSIncludesSubdomains

By default this key is set to NO. When it’s set to YES, any ATS configuration enabled for a particular domain will carry through for all subdomains of the exception domain. And, if you set an exception domain, but don’t configure any additional subkeys beyond the NSIncludesSubdomains key, the exception domain and its subdomains will use ATS. If you’re testing an app that has this key enabled, approach any subdomains in the same way you would the main domain. In addition, if ATS is globally disabled, and this key is set to NO, confirm that the subdomains are not in use in the app.

NSExceptionAllowsInsecureHTTPLoads

By default this key is set to NO. When this key is set to YES, the app will be allowed to send HTTP traffic to that domain. If you see this key set to YES, make sure to take a look at what information is being sent over the network. It may be sent insecurely over HTTP. If information must be sent over HTTP, at least make sure the information sent isn’t sensitive and that all connections are secure.

NSExceptionMinimumTLSVersion

This key allows developers to lower the minimum accepted version of TLS. By default, TLS 1.2 and higher are the accepted versions. If you see this exception in place, you will want to verify the TLS configuration of that endpoint, the reason why it needed to be lowered, and that it doesn’t violate your own organization’s compliance requirements.

NSExceptionRequiresForwardSecrecy

By default this key is set to YES. If this key is set to NO it will disable perfect forward secrecy. Similar to theNSExceptionMinimumTLSVersion key, if you encounter this key in an app you’re testing, verify the TLS configuration of the endpoint, the reason why it needs to be lowered, and your own organization’s compliance requirements.

NSRequiresCertificateTransparency

This exception is for media content protected by digital rights management (DRM) or encryption. When the NSAllowsLoadsForMedia key is set to YES, ATS is disabled for content sent using the (typically the case with apps that include audiovisual recording, editing, or playback functionality). If making sure your app’s media content is sent securely over the network is important to you and this key is enabled, confirm that media sent by the app is free of sensitive content and protected using DRM or encryption. While it’s best practice to implement these protections even if content is transmitted over HTTPS, capturing the transmitted content over HTTP or other insecure protocols is trivial.

Using webviews can introduce vulnerabilities into an app, so it’s crucial to verify their security. For example, webviews can be vulnerable to a number of common web-based vulnerabilities such as SQL injection, cross-site request forgery, and cross-site scripting attacks. For additional security information about using webviews, check out our .

By default this key is set to NO. If the key is set to YES, it will require a Certificate Transparency timestamp on the domain’s certificate. is a Google project aimed at making the SSL certificate system more secure. If your organization or the domain in question supports Certificate Transparency, you’ll want to enable this. Certificate Transparency helps audit against rogue Certificate Authorities (CAs) and malicious certificates, and it can help prevent man-in-the-middle attacks by notifying DevOps teams if their certificate has been compromised. When this key is enabled, the certificate checks associated with Certificate Transparency will be performed before a connection is made.

👾
https://www.nowsecure.com/blog/2017/08/31/security-analysts-guide-nsapptransportsecurity-nsallowsarbitraryloads-app-transport-security-ats-exceptions/
AVFoundation framework
webviews best practices
Certificate Transparency