PTKD Mobile App Security knowledge base: PTKD-NET-ATS
Severity: high | Category: M5 | MASVS-NETWORK-1 | Detection: static analysis

App Transport Security disabled (NSAllowsArbitraryLoads)

ATS is globally disabled, so the app may load arbitrary cleartext HTTP and weak-TLS endpoints.

How it's exploited

NSAllowsArbitraryLoads=true switches off App Transport Security for the whole app, so any request can silently use HTTP or broken TLS. A network attacker downgrades and intercepts at will.

Why it matters

The iOS app loses its platform-enforced TLS baseline; every connection is only as safe as each call site remembered to be.

How to fix it

  1. Delete NSAllowsArbitraryLoads from Info.plist.
  2. If one legacy host truly needs an exception, scope it with NSExceptionDomains for that host only.
  3. Re-test: ATS failures name the offending host in the device log.

Scoped exception instead of a global opt-out

<key>NSAppTransportSecurity</key>
<dict>
  <key>NSExceptionDomains</key>
  <dict>
    <key>legacy.example.com</key>
    <dict><key>NSExceptionAllowsInsecureHTTPLoads</key><true/></dict>
  </dict>
</dict>
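As an added example (not PTKD's own tooling), a small Python check that performs the static analysis this finding relies on: it parses an Info.plist and reports whether ATS is weakened app-wide or only for named hosts, using the global opt-out above and the scoped exception as constructed inputs.

```python
import plistlib

# Constructed sample Info.plist fragments (not from a real app): the global
# opt-out this finding flags, and the scoped exception the fix recommends.
GLOBAL_OPT_OUT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict><key>NSAllowsArbitraryLoads</key><true/></dict>
</dict></plist>"""

SCOPED_EXCEPTION = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict><key>NSExceptionAllowsInsecureHTTPLoads</key><true/></dict>
    </dict>
  </dict>
</dict></plist>"""

def audit_ats(info_plist: bytes) -> list[str]:
    """Return one finding string per ATS weakening found in an Info.plist."""
    ats = plistlib.loads(info_plist).get("NSAppTransportSecurity", {})
    findings = []
    # App-wide opt-outs: these disable the TLS baseline for every request.
    for key in ("NSAllowsArbitraryLoads",
                "NSAllowsArbitraryLoadsInWebContent",
                "NSAllowsArbitraryLoadsForMedia"):
        if ats.get(key) is True:
            findings.append(f"global: {key}=true")
    # Per-host exceptions are the acceptable scoping, but still worth listing.
    for host, rules in ats.get("NSExceptionDomains", {}).items():
        for key in ("NSExceptionAllowsInsecureHTTPLoads",
                    "NSThirdPartyExceptionAllowsInsecureHTTPLoads"):
            if rules.get(key) is True:
                findings.append(f"host {host}: {key}=true")
        tls = rules.get("NSExceptionMinimumTLSVersion")
        if tls in ("TLSv1.0", "TLSv1.1"):
            findings.append(f"host {host}: minimum TLS lowered to {tls}")
    return findings

def is_global_opt_out(info_plist: bytes) -> bool:
    """True when some setting weakens ATS for the whole app, not one host."""
    return any(f.startswith("global:") for f in audit_ats(info_plist))

if __name__ == "__main__":
    print(audit_ats(GLOBAL_OPT_OUT), audit_ats(SCOPED_EXCEPTION))
```

Only the first input trips is_global_opt_out; the scoped exception is listed for review but is not the app-wide finding this entry reports.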
