PTKD Mobile App Security
low severity · OWASP M5 · MASVS-NETWORK-1 · static analysis · PTKD-NET-ATS-EXCEPTION

App Transport Security insecure exception domains

One or more domains listed under NSExceptionDomains in the app's Info.plist are allowed to load over plain HTTP, or with weakened TLS settings, through an App Transport Security (ATS) exception.

How it's exploited

ATS is enforced per connection, and a per-domain entry under NSExceptionDomains switches parts of it off for that host: NSExceptionAllowsInsecureHTTPLoads re-enables plain HTTP, NSExceptionMinimumTLSVersion set to TLSv1.0 or TLSv1.1 accepts protocol versions ATS would otherwise reject, and NSExceptionRequiresForwardSecrecy set to false admits cipher suites without forward secrecy. With NSIncludesSubdomains the same weakening covers every subdomain. An attacker on the network path (a rogue access point, a compromised router) can therefore downgrade or intercept traffic to those hosts exactly as if ATS were absent, while every other connection the app makes still looks fully protected.

Why it matters

Traffic to the excepted domains can be read or modified in transit even though the app reports ATS as enabled, so a review that only checks for NSAllowsArbitraryLoads will pass an app whose real traffic is exposed. Exceptions are typically added to reach a misconfigured server during development and then forgotten, which is why they routinely surprise security reviews.

How to fix it

  1. Open the app's Info.plist and audit every entry under NSAppTransportSecurity / NSExceptionDomains, including the deprecated NSThirdPartyException* keys; delete the ones added for server problems that have since been fixed.
  2. For the hosts that still need an exception, bring the server up to TLS 1.2 or later with forward-secret cipher suites, then remove the exception rather than keeping it "just in case". If a host genuinely cannot be fixed yet, narrow the exception to the single key it needs and drop NSIncludesSubdomains so the weakening does not spread to other hosts.
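
The two steps above amount to a static check over Info.plist followed by a rewrite. The script below is an added example written for this entry, not tooling from the PTKD project or from Apple: it parses a constructed Info.plist (the hostnames and bundle identifier are invented), reports every exception domain that weakens transport security, and emits a plist with those exceptions removed. It treats only the keys named in this entry as findings and leaves an exception alone when it merely tightens settings, such as a TLS 1.3 floor.

```python
import plistlib

# Constructed sample Info.plist (not taken from any real app). One host carries
# every weakening key, one has only a low TLS floor, one only tightens ATS.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.demo</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict>
        <key>NSIncludesSubdomains</key><true/>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
        <key>NSExceptionRequiresForwardSecrecy</key><false/>
      </dict>
      <key>cdn.example.net</key>
      <dict>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.1</string>
      </dict>
      <key>api.example.com</key>
      <dict>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.3</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# TLS versions ATS rejects by default; an exception that names them reopens them.
WEAK_TLS = {"TLSv1.0", "TLSv1.1"}


def audit_ats_exceptions(plist_bytes):
    """Return (domain, finding) pairs for every NSExceptionDomains entry that
    weakens transport security. Entries that only tighten ATS yield nothing."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings = []
    for domain, exc in ats.get("NSExceptionDomains", {}).items():
        # NSIncludesSubdomains is not a weakening by itself, but it widens the
        # scope of every weakening in the same entry, so report it in the text.
        scope = domain + (" and all subdomains" if exc.get("NSIncludesSubdomains") else "")
        # The NSThirdPartyException* keys are deprecated variants with the same
        # effect as the NSException* keys, so both spellings are checked.
        for prefix in ("NSException", "NSThirdPartyException"):
            if exc.get(prefix + "AllowsInsecureHTTPLoads"):
                findings.append((domain, f"plain HTTP allowed for {scope}"))
            tls = exc.get(prefix + "MinimumTLSVersion")
            if tls in WEAK_TLS:
                findings.append((domain, f"{tls} permitted for {scope}"))
            if exc.get(prefix + "RequiresForwardSecrecy") is False:
                findings.append((domain, f"forward secrecy not required for {scope}"))
    return findings


def strip_weak_exceptions(plist_bytes):
    """Remove every flagged exception outright (the fix this entry asks for)
    and return the rewritten plist as bytes. Non-weakening entries survive."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    flagged = {domain for domain, _ in audit_ats_exceptions(plist_bytes)}
    domains = ats.get("NSExceptionDomains", {})
    for domain in flagged:
        domains.pop(domain, None)
    if not domains:
        ats.pop("NSExceptionDomains", None)
    return plistlib.dumps(info)


if __name__ == "__main__":
    for domain, finding in audit_ats_exceptions(SAMPLE_PLIST):
        print(f"{domain}: {finding}")
    print(strip_weak_exceptions(SAMPLE_PLIST).decode())
```

Run against a real build by passing the bytes of the app bundle's Info.plist (binary plists are handled by plistlib as well). The rewrite is deliberately blunt: it removes a weak exception rather than loosening it less, matching step 2. If a host truly cannot move to TLS 1.2+ yet, edit that single entry by hand instead of running the strip.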
