Hello all


From time to time, penetration test reports on iOS applications raise a usual finding flagged as a potential vulnerability: the NSAppTransportSecurity key, which is used to define the behaviour of App Transport Security (ATS).


According to Apple's documentation, ATS describes your application's intended HTTP connection behaviour, meaning how you want your app to establish connections: over HTTP and/or HTTPS, or only over HTTPS. With ATS enforced, plain HTTP connections made through the URL loading APIs (URLSession, the web views and so on) are blocked, and HTTPS connections must use TLS 1.2 or later. There are other, more granular settings that I will not explain here, but the basic notion is the one described above. Apple enables ATS by default in iOS applications.


We all know that mobile applications in OutSystems enforce HTTPS:

  • HTTP requests are always secure in mobile apps, therefore this configuration does not apply to mobile scenarios. (documentation: Secure HTTP Requests)
  • All HTTP requests in Mobile Applications are served via HTTPS regardless of the settings above. (documentation: Enforced HTTPS Security)


If OutSystems already does this and I can use Content Security Policies, then why should I care? That's a good question and, to be honest, I don't know :) but if you know, please explain it to the community and educate me as well! The only thing I could find that came close to an explanation, ironically, was an article from Microsoft; apart from that, disabling ATS triggers App Store review and requires a justification.


Regardless of the explanation, let us continue: all iOS applications generated by MABS are built with ATS disabled. But why? That goes against Apple's decision and default behaviour! Well, the world is not perfect; the rationale is a simple one: the underlying technology is Cordova, and the default Cordova configuration also disables ATS.


There is one fun fact here: to enable or disable ATS you configure the key NSAllowsArbitraryLoads (a sub-key of the NSAppTransportSecurity dictionary in Info.plist), and the logic is inverted:

  • Enable ATS = NSAllowsArbitraryLoads = False
  • Disable ATS = NSAllowsArbitraryLoads = True

 

Jeez, can't this get any more complicated? OK, stop and let us recap:

  • In Apple's defaults, ATS is enabled and NSAllowsArbitraryLoads is False
  • In OutSystems/Cordova, ATS is disabled by default and NSAllowsArbitraryLoads is True


Since we are in OutSystems and MABS generates our iOS application, the default is exactly what Cordova defines. From the Cordova Whitelist Guide:

  <access origin="*" />
  <!-- This is the default value for newly created CLI projects. -->

This is exactly what the OutSystems Configure Accessible Domains setting ends up with when no access configuration is provided in the extensibility configuration, or when it is set explicitly to:

  {
      "access": [{
          "origin": "*"
      }]
  }

In other words, by default all domains are accessible, regardless of the protocol (HTTP or HTTPS) and the domain name, and it is this wildcard origin that makes Cordova write NSAllowsArbitraryLoads = True into Info.plist. Keep in mind that ATS describes your application's intended HTTP behaviour and, by default, enforces HTTPS; the OutSystems server-side enforcement only covers the requests the app makes to its OutSystems environment, while ATS is what stops the app process itself (web view, plugins) from talking plain HTTP to any other host.

Basically, the Cordova code is this (and it is the only reference to 'NSAllowsArbitraryLoads'):


How can we enable ATS again and comply with Apple?

You can follow the recommendation in the documentation (Blocking HTTP Connections), or configure the extensibility configuration of your mobile application so that the access list contains only the specific domain(s) your app requires. Once no wildcard origin is present, Cordova no longer sets NSAllowsArbitraryLoads, so ATS is enforced again; the explicit origins become NSExceptionDomains entries, and any http:// origin you list becomes a per-domain insecure-load exception that will still show up as a finding.
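The two points above (the wildcard default that switches ATS off, and the fix of listing only the required domains) can be reproduced offline with the following added example. It is not OutSystems, MABS or Cordova code: the mapping is a simplified model of what cordova-ios does at prepare time, the host names and bundle identifier are constructed, and the audit function is the check a pentester would run against the generated Info.plist.

```python
"""Added example (not OutSystems, MABS or Cordova code): a simplified model of
how cordova-ios turns the 'access' whitelist into the NSAppTransportSecurity
dictionary, plus the check a pentester runs against the generated Info.plist.
Host names and the bundle identifier below are constructed."""
import plistlib


def ats_from_access(access):
    """Build the NSAppTransportSecurity dictionary for a list of access entries
    of the form {"origin": "..."}.

    Rule modelled on cordova-ios (simplified): a wildcard origin sets
    NSAllowsArbitraryLoads = true, which switches ATS off; any explicit origin
    becomes an NSExceptionDomains entry, and only an http:// origin gets
    NSExceptionAllowsInsecureHTTPLoads = true.  Origins with no scheme are
    treated as https.
    """
    ats = {}
    exceptions = {}
    for entry in access:
        origin = entry.get("origin", "").strip()
        if origin == "*":
            ats["NSAllowsArbitraryLoads"] = True  # ATS disabled for every host
            continue
        scheme, sep, rest = origin.partition("://")
        if not sep:
            scheme, rest = "https", origin
        host = rest.split("/", 1)[0].split(":", 1)[0].lower()
        includes_subdomains = host.startswith("*.")
        if includes_subdomains:
            host = host[2:]
        if not host:
            continue
        domain = exceptions.setdefault(host, {})
        if includes_subdomains:
            domain["NSIncludesSubdomains"] = True
        if scheme == "http":
            # A plain-HTTP origin only works under ATS with a per-domain
            # exception, which is itself a finding in a pentest report.
            domain["NSExceptionAllowsInsecureHTTPLoads"] = True
    if exceptions:
        ats["NSExceptionDomains"] = exceptions
    return ats


def build_info_plist(access):
    """Serialize a minimal Info.plist (constructed) carrying the ATS dictionary,
    the way the generated Xcode project ends up with it."""
    plist = {
        "CFBundleIdentifier": "com.example.mobileapp",  # constructed
        "NSAppTransportSecurity": ats_from_access(access),
    }
    return plistlib.dumps(plist)


def ats_findings(plist_bytes):
    """Audit an Info.plist and return the list of ATS weaknesses found.
    An empty list means ATS is enforced with no insecure exceptions."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads=true: ATS disabled, plain HTTP allowed to any host")
    if ats.get("NSAllowsArbitraryLoadsInWebContent"):
        findings.append("NSAllowsArbitraryLoadsInWebContent=true: ATS disabled for web view content")
    for host, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"{host}: NSExceptionAllowsInsecureHTTPLoads=true, plain HTTP allowed")
        if rules.get("NSExceptionMinimumTLSVersion") in ("TLSv1.0", "TLSv1.1"):
            findings.append(f"{host}: NSExceptionMinimumTLSVersion below TLSv1.2")
    return findings


# Constructed inputs: the MABS/Cordova default versus a restricted access list.
DEFAULT_ACCESS = [{"origin": "*"}]
RESTRICTED_ACCESS = [
    {"origin": "https://api.example.com"},
    {"origin": "http://legacy.example.net"},
]

if __name__ == "__main__":
    for label, access in (("default", DEFAULT_ACCESS), ("restricted", RESTRICTED_ACCESS)):
        print(label, ats_findings(build_info_plist(access)) or ["no ATS findings"])
```

Run it as-is and the default access list yields the NSAllowsArbitraryLoads finding from the pentest report, while the restricted list yields only the per-domain finding for the one http:// origin; listing just https:// origins yields no findings. The same audit function can be pointed at the real Info.plist extracted from a MABS build to confirm what the generated app actually ships with.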


....

Still...

What if I use a Cordova plugin (for example the Edit Plist File plugin)?

Well, from my trials you can't solve this by using the Cordova plugin.xml configuration; basically, the Cordova whitelist will override any configuration you set inside the plugin:

  • config-file entries in plugin.xml are overwritten by the Cordova whitelist
  • edit-config entries in plugin.xml are overwritten by the Cordova whitelist (tried with both modes: overwrite and merge)
  • Possible alternative (not tested): create a script and add it as a hook in the Cordova plugin to change the file on the filesystem, or give up and use the OutSystems Accessible Domains :D

Please note: the Cordova whitelist overrides the NSAppTransportSecurity key, but you can still use a Cordova plugin to manipulate other keys as long as you don't have a conflict with other plugins.


In conclusion, I'm not an expert in mobile and, above all, not in iOS. This is just to share some knowledge from the findings of a tough challenge.


If you want to share any thoughts, or you have other findings or best practices, please share them with the community!


All tests were done in MABS 4.2 for iOS, which is the same as testing with MABS 5.0; check the release versions.


Thanks!