Insecure service configuration - App Transport Security
Need
Enforce secure connections (HTTPS) for all communication between the application and external servers
Context
- Usage of Swift for iOS and macOS app development
- Usage of UIKit for building modern and responsive user interfaces
Description
Non compliant code
import UIKit
@UIApplicationMain
class AppDelegate: UIResponder, UIApplicationDelegate {
func application(_ application: UIApplication, didFinishLaunchingWithOptions launchOptions: [UIApplication.LaunchOptionsKey: Any]?) -> Bool {
// Override point for customization after application launch.
return true
}
func applicationWillResignActive(_ application: UIApplication) {
}
func applicationDidEnterBackground(_ application: UIApplication) {
}
func applicationWillEnterForeground(_ application: UIApplication) {
}
func applicationDidBecomeActive(_ application: UIApplication) {
}
func applicationWillTerminate(_ application: UIApplication) {
}
}
In the code above, the info.plist file contains a dictionary with a key NSAppTransportSecurity. This key is used to specify how the app interacts with the servers over a network. The dictionary contains another key NSAllowsArbitraryLoads which is set to true. This means that the app is allowed to make insecure connections to servers.
The NSAllowsArbitraryLoads key is a part of the App Transport Security (ATS) settings. When set to true, it allows the app to bypass the secure connections that are usually enforced by the ATS. This means that the app can make connections over HTTP, which is not secure, instead of HTTPS, which is secure. This can lead to various security issues such as data interception and manipulation by attackers.
Good security practices recommend that all connections made by the app to servers should be secure. This means that the NSAllowsArbitraryLoads key should be set to false or should be removed entirely to enforce the use of secure connections.
Steps
- Disable NSAllowsArbitraryLoads option in the NSAppTransportSecurity function
- Configure NSExceptionDomains to allow specific insecure connections if necessary
- Use HTTPS connections for all external servers in the application
Compliant code
import UIKit
@UIApplicationMain
class AppDelegate: UIResponder, UIApplicationDelegate {
func application(_ application: UIApplication, didFinishLaunchingWithOptions launchOptions: [UIApplication.LaunchOptionsKey: Any]?) -> Bool {
// Override point for customization after application launch.
return true
}
func applicationWillResignActive(_ application: UIApplication) {
}
func applicationDidEnterBackground(_ application: UIApplication) {
}
func applicationWillEnterForeground(_ application: UIApplication) {
}
func applicationDidBecomeActive(_ application: UIApplication) {
}
func applicationWillTerminate(_ application: UIApplication) {
}
}
The above code is a standard AppDelegate.swift file in a Swift iOS application. However, it has a security vulnerability related to the App Transport Security (ATS) settings. The NSAppTransportSecurity function has the NSAllowsArbitraryLoads option enabled, which allows insecure HTTP connections to the application. This is a security risk as it exposes the application to potential man-in-the-middle attacks.
To fix this vulnerability, we need to disable the NSAllowsArbitraryLoads option in the NSAppTransportSecurity function. This can be done by modifying the application's Info.plist file.
Here is the fixed code:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key>
<false/>
<key>NSExceptionDomains</key>
<dict>
<key>yourserver.com</key>
<dict>
<key>NSIncludesSubdomains</key>
<true/>
<key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
<true/>
<key>NSTemporaryExceptionMinimumTLSVersion</key>
<string>TLSv1.2</string>
</dict>
</dict>
</dict>
In the above code, we have set NSAllowsArbitraryLoads to false, which means the application will not allow any insecure HTTP connections. However, if there are specific servers that need to be accessed over HTTP, we can add them to the NSExceptionDomains list. In this case, we have added "yourserver.com" as an exception.
Please replace "yourserver.com" with the actual server domain that your application needs to access over HTTP. Also, ensure that all other external servers that your application connects to use HTTPS.