PTKD Mobile App Security
Severity: low | M5 | MASVS-NETWORK-1 | Detection: static analysis | Rule ID: PTKD-NET-ATS-WEB

App Transport Security disabled in web content

NSAllowsArbitraryLoadsInWebContent, a key in the NSAppTransportSecurity dictionary of Info.plist, switches off App Transport Security for content loaded by WKWebView and UIWebView, so those web views can load arbitrary cleartext HTTP content.

How it's exploited

With NSAllowsArbitraryLoadsInWebContent set to true, ATS no longer requires HTTPS (or its TLS version and certificate requirements) for content loaded in your web views, so any page the app opens there, including the target of an HTTP redirect from an HTTPS page, may be fetched in plaintext. An attacker on the same network path (rogue Wi-Fi, ARP spoofing, a compromised router) can rewrite that cleartext response in transit and inject JavaScript. The injected script runs with the origin of the page inside your app's web view: it reads and modifies the DOM and form input, sees that origin's non-Secure cookies, and can call any JavaScript-to-native bridge (for example a WKScriptMessageHandler) the app exposes to that page.

Why it matters

On a hostile network the in-app web content becomes attacker-controlled. Because a web view normally shows no address bar, the injected page is framed only by your app's own UI, so a credential-phishing form looks like part of the app and the user has no signal that the origin changed. The impact scales with what the web view does: a static help page is a phishing surface, while a login or payment flow, or a page with a native bridge, hands the attacker the same capabilities that page has.

How to fix it

  1. Serve every page the app loads in a web view over HTTPS with a valid certificate, then delete the NSAllowsArbitraryLoadsInWebContent key from the NSAppTransportSecurity dictionary in Info.plist. Verify on the built app with `plutil -p Info.plist | grep -i ArbitraryLoads`, which should print nothing.
  2. Restrict the web view to origins you control: implement WKNavigationDelegate's decidePolicyFor methods and cancel any navigation whose scheme is not https or whose host is not on an explicit allowlist. This also stops a trusted page from redirecting the web view to an attacker's origin. Note that the delegate only sees document (frame) navigations, not subresource loads, so it complements step 1 rather than replacing it.
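
The origin check from step 2, as an added example (it is not PTKD code and not taken from any app). The class below owns an allowlist of exact hostnames and acts as the WKNavigationDelegate; the hosts app.example.com and help.example.com are placeholders.

```swift
import Foundation
import WebKit

/// Restricts a WKWebView to https document navigations on an explicit set of hosts.
/// Added example for PTKD-NET-ATS-WEB; the hostnames below are placeholders.
final class WebViewOriginGuard: NSObject, WKNavigationDelegate {
    /// Exact hostnames the web view may load. There is deliberately no wildcard
    /// matching: "evil.example.com" does not match an entry "example.com".
    private let allowedHosts: Set<String>

    init(allowedHosts: Set<String>) {
        self.allowedHosts = Set(allowedHosts.map { $0.lowercased() })
    }

    /// True only for https URLs whose host is on the allowlist. Any other scheme
    /// (http, file, custom schemes), a missing host, or an unlisted host is rejected.
    func isAllowedOrigin(_ url: URL?) -> Bool {
        guard let url = url,
              let scheme = url.scheme?.lowercased(),
              let host = url.host?.lowercased() else {
            return false
        }
        return scheme == "https" && allowedHosts.contains(host)
    }

    /// Called before each main-frame or subframe document request is sent,
    /// including every hop of a server redirect, so a trusted https page cannot
    /// bounce the web view to http or to a foreign origin.
    func webView(_ webView: WKWebView,
                 decidePolicyFor navigationAction: WKNavigationAction,
                 decisionHandler: @escaping (WKNavigationActionPolicy) -> Void) {
        decisionHandler(isAllowedOrigin(navigationAction.request.url) ? .allow : .cancel)
    }

    /// Second gate on the response actually received for the document.
    func webView(_ webView: WKWebView,
                 decidePolicyFor navigationResponse: WKNavigationResponse,
                 decisionHandler: @escaping (WKNavigationResponsePolicy) -> Void) {
        decisionHandler(isAllowedOrigin(navigationResponse.response.url) ? .allow : .cancel)
    }
}

// Usage. navigationDelegate is a weak reference, so the guard must be retained by
// its owner (for example a view controller property) for the life of the web view.
let originGuard = WebViewOriginGuard(allowedHosts: ["app.example.com", "help.example.com"])
let webView = WKWebView(frame: .zero, configuration: WKWebViewConfiguration())
webView.navigationDelegate = originGuard
webView.load(URLRequest(url: URL(string: "https://app.example.com/")!))
```

With this delegate in place, `http://app.example.com/login` (cleartext), `https://evil.example.com/` (unlisted host) and `https://app.example.com.evil.net/` (lookalike host) are all cancelled, while `https://app.example.com/login` loads. WKNavigationDelegate is not consulted for subresources such as scripts or images referenced by an allowed page, which is why removing the ATS exception in step 1 remains the primary fix and this check is defence in depth against redirects and links that leave your origin.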
