Network Communication / Insecure App Transport Security (ATS) settings
Insecure App Transport Security (ATS) Settings is a vulnerability in the network communication of iOS and other Apple-platform apps. ATS, on by default since iOS 9 and macOS 10.11, makes the system networking APIs (URLSession, NSURLConnection, WKWebView) refuse connections that are not HTTPS with TLS 1.2 or later, forward-secret cipher suites and certificates signed with SHA-256 or stronger. According to the Common Weakness Enumeration (CWE) directory, this vulnerability is classified as CWE-319, Cleartext Transmission of Sensitive Information. It occurs when the app's Info.plist switches ATS off or relaxes it, either globally (NSAllowsArbitraryLoads) or for particular hosts through NSExceptionDomains, so that plain HTTP or downgraded TLS is accepted. As a result, an attacker on the network path (a hostile Wi-Fi access point, for instance) can read or modify the traffic and obtain session tokens, credentials or other sensitive data. The OWASP Mobile Application Security Testing Guide (MASTG) provides test cases for detecting these settings.
This vulnerability poses a significant risk to organizations that ship mobile applications. If the app does not enforce a secure connection between client and server, attackers who can observe or tamper with the traffic gain access to sensitive data and can escalate to account takeover or a wider breach. Note the reverse does not hold: a clean Info.plist only governs traffic that goes through Apple's networking APIs. An app that bundles its own socket or TLS stack is outside ATS entirely, so its connections have to be assessed separately. Organizations must assess this risk and confirm that the transport protections they rely on are actually in force.
Organizations can address this vulnerability by keeping ATS enabled in their mobile applications. Concretely: do not set NSAllowsArbitraryLoads to true; fix the backend so it meets ATS requirements rather than lowering the client (the macOS tool nscurl --ats-diagnostics --verbose https://host reports which ATS requirements a server fails); if an exception is unavoidable, scope it to a single host under NSExceptionDomains and keep it as narrow as possible (for example, no NSExceptionAllowsInsecureHTTPLoads and no NSExceptionMinimumTLSVersion below TLSv1.2), and expect to justify it during App Store review. Additionally, testing should cover both a static check of the Info.plist inside the built IPA for these keys and a dynamic check with an intercepting proxy to confirm that the app actually refuses cleartext and downgraded connections.
CVE-2017-2359 is cited here as an example of an insecure ATS setting.
The setting at issue is NSAllowsArbitraryLoads under the NSAppTransportSecurity dictionary in Info.plist. Set to true, it disables ATS for every connection the app makes, so plain HTTP and TLS connections that would otherwise fail ATS checks (old protocol versions, non-forward-secret ciphers, weak certificates) are all accepted. Setting the value to false, or omitting the key altogether since ATS is the default, restores the checks for all connections.
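The following script serves both the remediation advice above and the NSAllowsArbitraryLoads discussion. It is an added example, not code from the original page, from the cited CVE or from Apple: it parses a constructed Info.plist with Python's standard plistlib, reports every ATS setting that is weaker than the ATS default, and emits a hardened copy of the plist. The plist contents, the bundle identifier com.example.insecureapp and the host legacy.example.com are constructed for illustration and do not refer to any real app.

```python
import plistlib

# Constructed sample Info.plist (not from any real app or from the CVE cited above).
# It opts out of ATS globally and also carries a per-domain exception that
# permits cleartext HTTP, TLS 1.0 and non-forward-secret cipher suites.
INSECURE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.insecureapp</string>
    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSAllowsArbitraryLoads</key>
        <true/>
        <key>NSExceptionDomains</key>
        <dict>
            <key>legacy.example.com</key>
            <dict>
                <key>NSIncludesSubdomains</key>
                <true/>
                <key>NSExceptionAllowsInsecureHTTPLoads</key>
                <true/>
                <key>NSExceptionMinimumTLSVersion</key>
                <string>TLSv1.0</string>
                <key>NSExceptionRequiresForwardSecrecy</key>
                <false/>
            </dict>
        </dict>
    </dict>
</dict>
</plist>
"""

# ATS keys that switch checking off for a whole class of traffic.
GLOBAL_OPT_OUT_KEYS = (
    "NSAllowsArbitraryLoads",              # every connection the app makes
    "NSAllowsArbitraryLoadsInWebContent",  # content loaded in WKWebView
    "NSAllowsArbitraryLoadsForMedia",      # AVFoundation media loads
    "NSAllowsLocalNetworking",             # unqualified hosts and local addresses
)
ATS_DEFAULT_MIN_TLS = "TLSv1.2"
DOWNGRADED_TLS = ("TLSv1.0", "TLSv1.1")


def ats_settings(plist_bytes: bytes) -> dict:
    """Return the NSAppTransportSecurity dictionary; an absent dictionary means ATS defaults apply."""
    return plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})


def audit_ats(plist_bytes: bytes) -> list:
    """List every ATS setting in the plist that is weaker than the ATS default."""
    ats = ats_settings(plist_bytes)
    findings = []
    for key in GLOBAL_OPT_OUT_KEYS:
        if ats.get(key) is True:
            findings.append(f"{key}=true")
    for domain, exc in ats.get("NSExceptionDomains", {}).items():
        if exc.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            findings.append(f"{domain}: cleartext HTTP allowed")
        tls = exc.get("NSExceptionMinimumTLSVersion")
        if tls in DOWNGRADED_TLS:
            findings.append(f"{domain}: minimum TLS {tls} (below {ATS_DEFAULT_MIN_TLS})")
        if exc.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(f"{domain}: forward secrecy not required")
    return findings


def harden_ats(plist_bytes: bytes) -> bytes:
    """Return a copy of the plist with the global opt-outs and per-domain downgrades removed.

    Benign per-domain keys such as NSIncludesSubdomains are kept. This only fixes the client
    side: the servers behind the removed exceptions must actually meet ATS requirements,
    which is what `nscurl --ats-diagnostics` on macOS is for.
    """
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    for key in GLOBAL_OPT_OUT_KEYS:
        ats.pop(key, None)
    domains = ats.get("NSExceptionDomains", {})
    for domain in list(domains):
        exc = domains[domain]
        exc.pop("NSExceptionAllowsInsecureHTTPLoads", None)
        if exc.get("NSExceptionMinimumTLSVersion") in DOWNGRADED_TLS:
            del exc["NSExceptionMinimumTLSVersion"]   # fall back to the TLS 1.2 default
        if exc.get("NSExceptionRequiresForwardSecrecy") is False:
            del exc["NSExceptionRequiresForwardSecrecy"]
        if not exc:
            del domains[domain]   # nothing left in the exception, drop it
    if not domains:
        ats.pop("NSExceptionDomains", None)
    info["NSAppTransportSecurity"] = ats
    return plistlib.dumps(info)


if __name__ == "__main__":
    for finding in audit_ats(INSECURE_INFO_PLIST):
        print("FINDING:", finding)
    print(harden_ats(INSECURE_INFO_PLIST).decode())
```

Run it against the Info.plist extracted from a built IPA (Payload/AppName.app/Info.plist, converted with `plutil -convert xml1` if it is in binary form; plistlib also reads the binary format directly) to get the same findings list a static check in a pipeline would produce. The hardened output is a starting point only: every exception the script strips corresponds to a server that must then be verified to speak TLS 1.2 with forward-secret cipher suites, or the app will fail to connect once ATS is enforced again.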