High Insecure App Transport Security (ATS) Settings

Description

App Transport Security (ATS) enforces best practices for the connections between an app and its back end: plaintext HTTP is blocked and TLS connections must meet Apple's minimum requirements (TLS 1.2 or later, forward-secrecy cipher suites, and a certificate that chains to a trusted root). ATS prevents accidental disclosure, provides secure default behavior, and is easy to adopt; it is on by default in iOS 9 and OS X v10.11 and later. Adopt ATS as early as possible, whether you are creating a new app or updating an existing one. The keys below, all placed in the NSAppTransportSecurity dictionary of Info.plist, weaken it:

  • NSAllowsArbitraryLoads: If set to YES, disables all ATS restrictions for all network connections, apart from the connections to domains that you configure individually in the optional NSExceptionDomains dictionary. Default value is NO. On iOS 10 and later (macOS 10.12 and later) this key is ignored if NSAllowsArbitraryLoadsForMedia, NSAllowsArbitraryLoadsInWebContent or NSAllowsLocalNetworking is also present, and App Store review expects a justification whenever it is set.
  • NSAllowsArbitraryLoadsForMedia: If set to YES, disables all ATS restrictions for media that your app loads using the AV Foundation framework. Employ this key only for loading media that is already encrypted, such as files protected by FairPlay or by secure HLS, and that does not contain personalized information. Default value is NO.
  • NSAllowsArbitraryLoadsInWebContent: If set to YES, disables all ATS restrictions for requests made from web views. This lets your app use an embedded browser that can display arbitrary content, without disabling ATS for the rest of your app. Default value is NO.
  • NSExceptionAllowsInsecureHTTPLoads: Placed inside a per-domain dictionary under NSExceptionDomains. If set to YES, allows insecure HTTP loads for the named domain, but does not change Transport Layer Security (TLS) requirements and does not affect HTTPS loads for the named domain. Default value is NO. The exception also covers subdomains only if NSIncludesSubdomains is set to YES for that domain.
  • NSExceptionMinimumTLSVersion: Placed inside a per-domain dictionary under NSExceptionDomains. Specifies the minimum TLS version for connections to the named domain; values are TLSv1.0, TLSv1.1, TLSv1.2 and TLSv1.3, and the default is TLSv1.2. Setting TLSv1.0 or TLSv1.1 allows connections using an older, less secure version of TLS.

Recommendation

If you're developing a new app, you should use HTTPS exclusively. If you have an existing app, you should use HTTPS as much as you can right now, and create a plan for migrating the rest of your app as soon as possible. In addition, your communication through higher-level APIs (NSURLSession, NSURLConnection, WKWebView) must use TLS version 1.2 or later with forward-secrecy cipher suites. A connection that does not meet this requirement is refused before any request is sent, and NSURLSession reports the failure as an error (NSURLErrorAppTransportSecurityRequiresSecureConnection, code -1022). If your app genuinely needs to reach an insecure domain, list that one domain under NSExceptionDomains in your app's Info.plist with NSExceptionAllowsInsecureHTTPLoads, keep NSIncludesSubdomains off unless required, and remove the entry once the host supports HTTPS. Do not use NSAllowsArbitraryLoads as a shortcut: it turns ATS off for every endpoint the app talks to, including the ones that already serve valid TLS.
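The following audit script is an added example, not part of the scanner's own output or Apple's tooling. It parses an Info.plist with the standard-library plistlib module and reports the ATS weaknesses described above: the global NSAllowsArbitraryLoads opt-out (the configuration in this finding), the targeted opt-outs, and per-domain exceptions that permit plaintext HTTP, lower the minimum TLS version, or set NSExceptionRequiresForwardSecrecy to NO (a further per-domain ATS key with a default of YES). Both plists in the block are constructed samples, and legacy.example.com is a hypothetical host; the second plist shows the recommended shape of a scoped exception rather than a global opt-out.

```python
"""Audit the NSAppTransportSecurity dictionary of an iOS Info.plist."""
import plistlib

# Constructed sample 1: the weak configuration reported in the finding.
# ATS is switched off for every connection; no NSExceptionDomains dictionary
# is present, so no host is exempt from the opt-out.
WEAK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.app</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
  </dict>
</dict>
</plist>
"""

# Constructed sample 2: the hardened form. ATS stays on globally; only the
# hypothetical host legacy.example.com may be reached over plaintext HTTP,
# and the exception is not widened to its subdomains.
HARDENED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.app</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <true/>
        <key>NSIncludesSubdomains</key>
        <false/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Targeted opt-outs. On iOS 10+ the presence of any of these makes ATS ignore
# NSAllowsArbitraryLoads, so they are reported on their own.
TARGETED_OPT_OUTS = (
    "NSAllowsArbitraryLoadsInWebContent",
    "NSAllowsArbitraryLoadsForMedia",
    "NSAllowsLocalNetworking",
)
# Values of NSExceptionMinimumTLSVersion below the TLSv1.2 default.
WEAK_TLS = ("TLSv1.0", "TLSv1.1")


def audit_ats(plist_bytes):
    """Return a list of (severity, location, message) findings for one Info.plist."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings = []

    if ats.get("NSAllowsArbitraryLoads"):
        findings.append(("HIGH", "NSAllowsArbitraryLoads",
                         "ATS disabled for every connection not listed in NSExceptionDomains"))
    for key in TARGETED_OPT_OUTS:
        if ats.get(key):
            findings.append(("MEDIUM", key, "ATS disabled for this class of connection"))

    # Per-domain exceptions: each one weakens ATS only for the named host
    # (plus subdomains when NSIncludesSubdomains is YES).
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        where = f"NSExceptionDomains/{domain}"
        scope = " and its subdomains" if rules.get("NSIncludesSubdomains") else ""
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(("MEDIUM", where, f"plaintext HTTP permitted for {domain}{scope}"))
        tls = rules.get("NSExceptionMinimumTLSVersion")
        if tls in WEAK_TLS:
            findings.append(("MEDIUM", where, f"minimum TLS version lowered to {tls}"))
        if rules.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(("LOW", where, "forward-secrecy cipher suite requirement removed"))
    return findings


def ats_fully_enforced(plist_bytes):
    """True only when no global opt-out and no per-domain weakening is configured."""
    return not audit_ats(plist_bytes)


if __name__ == "__main__":
    for name, blob in (("weak", WEAK_PLIST), ("hardened", HARDENED_PLIST)):
        print(f"{name}: fully enforced = {ats_fully_enforced(blob)}")
        for severity, where, message in audit_ats(blob):
            print(f"  [{severity}] {where}: {message}")
```

Run it against a real app by reading the Info.plist from the unpacked .ipa (Payload/<App>.app/Info.plist) and passing the bytes to audit_ats; plistlib handles both the XML and the binary plist encodings. The hardened sample still produces one MEDIUM finding, which is the point: a scoped exception is an accepted, documented risk for one host, whereas NSAllowsArbitraryLoads is a blanket opt-out that should not pass review.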

Technical details

NSAllowsArbitraryLoads is set to true in the application's Info.plist (see the NSAppTransportSecurity dictionary in the dump below). No NSExceptionDomains dictionary and no targeted NSAllowsArbitraryLoads* key is present, so the global opt-out is in effect and ATS is disabled for every connection the app makes; plaintext HTTP and TLS below 1.2 or without forward secrecy are all accepted.

{
    "BuildMachineOSBuild": "17G4015",
    "CFBundleDevelopmentRegion": "English",
    "CFBundleDisplayName": "CBK MOBILE",
    "CFBundleExecutable": "cbkmobiletest",
    "CFBundleIcons": {
        "CFBundlePrimaryIcon": {
            "CFBundleIconFiles": [
                "AppIcon-120x20",
                "AppIcon-129x29",
                "AppIcon-140x40",
                "AppIcon-157x57",
                "AppIcon-160x60"
            ],
            "CFBundleIconName": "AppIcon-1",
            "UIPrerenderedIcon": true
        }
    },
    "CFBundleIcons~ipad": {
        "CFBundlePrimaryIcon": {
            "CFBundleIconFiles": [
                "AppIcon-120x20",
                "AppIcon-129x29",
                "AppIcon-140x40",
                "AppIcon-157x57",
                "AppIcon-160x60",
                "AppIcon-150x50",
                "AppIcon-172x72",
                "AppIcon-176x76",
                "AppIcon-183.5x83.5"
            ],
            "CFBundleIconName": "AppIcon-1",
            "UIPrerenderedIcon": true
        }
    },
    "CFBundleIdentifier": "com.cbk.mobilebanking",
    "CFBundleInfoDictionaryVersion": "6.0",
    "CFBundleName": "cbkmobiletest",
    "CFBundlePackageType": "APPL",
    "CFBundleShortVersionString": "6.1",
    "CFBundleSupportedPlatforms": [
        "iPhoneOS"
    ],
    "CFBundleURLTypes": [
        {
            "CFBundleTypeRole": "Viewer",
            "CFBundleURLName": "com.cbk.mobilebanking",
            "CFBundleURLSchemes": [
                "cbkmobile"
            ]
        }
    ],
    "CFBundleVersion": "28",
    "DTAppStoreToolsBuild": "10B63",
    "DTCompiler": "com.apple.compilers.llvm.clang.1_0",
    "DTPlatformBuild": "16B91",
    "DTPlatformName": "iphoneos",
    "DTPlatformVersion": "12.1",
    "DTSDKBuild": "16B91",
    "DTSDKName": "iphoneos12.1",
    "DTXcode": "1010",
    "DTXcodeBuild": "10B61",
    "Fabric": {
        "APIKey": "1d81636310e778714b5fc6e4e01a82f9d06276cc",
        "Kits": [
            {
                "KitInfo": {},
                "KitName": "Crashlytics"
            }
        ]
    },
    "LSRequiresIPhoneOS": true,
    "MinimumOSVersion": "9.3",
    "NSAppTransportSecurity": {
        "NSAllowsArbitraryLoads": true
    },
    "NSCameraUsageDescription": "cbkmobiletest use camera for Qr scan and chat",
    "NSContactsUsageDescription": "Save CBK Contact",
    "NSFaceIDUsageDescription": "cbkmobiletest use Face ID for Login and Transactions",
    "NSLocationAlwaysAndWhenInUseUsageDescription": "Your location will use for drive to destination location ",
    "NSLocationAlwaysUsageDescription": "Your location will use for drive to destination location ",
    "NSLocationWhenInUseUsageDescription": "Your location will use for drive to destination location ",
    "NSMicrophoneUsageDescription": "cbkmobiletest use microphone for voice chat",
    "NSPhotoLibraryAddUsageDescription": "cbkmobiletest  will save QR Code to your Photo Library",
    "NSPhotoLibraryUsageDescription": "cbkmobiletest send photo/video to agent",
    "UIBackgroundModes": [
        "fetch",
        "remote-notification"
    ],
    "UIDeviceFamily": [
        1,
        2
    ],
    "UILaunchStoryboardName": "LaunchScreen",
    "UIMainStoryboardFile": "Main",
    "UIRequiredDeviceCapabilities": [
        "armv7"
    ],
    "UIRequiresFullScreen": true,
    "UISupportedInterfaceOrientations": [
        "UIInterfaceOrientationPortrait"
    ],
    "UIViewControllerBasedStatusBarAppearance": true
}