Task #12990
Support #12933: [SCP ID :##6249##] : Mobile Pentest Remediation
[IOS] - Pentest - L13 - App Transport Security (ATS) Exception Found
| Status: | User Acceptance Test | Start date: | May 12, 2022 |
|---|---|---|---|
| Priority: | Normal | Due date: | May 13, 2022 |
| Assignee: | Binti Marobi Athirah Umairah | % Done: | 100% |
| Category: | PCI DSS - Pentest | Spent time: | - |
| Target version: | - | | |
Description
On Apple platforms, a networking security feature called App Transport Security (ATS) is available to apps and app extensions, and is enabled by default. It improves privacy and data integrity by ensuring the app’s network connections employ only industry-standard protocols and ciphers without known weaknesses. This helps instill user trust that the app does not accidentally leak transmitted data to malicious parties.
However, disabling ATS can allow insecure communication with particular servers or allow insecure loads for web views or for media.
App Transport Security (ATS) is disabled by the following keys:
- NSTemporaryExceptionRequiresForwardSecrecy: false
- NSTemporaryThirdPartyExceptionRequiresForwardSecrecy: false
App Transport Security (ATS) is disabled on the following domains:
- www.bsnebiz.com.my
- cdb.bsn.com.my
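The finding above can be reproduced and re-checked from the app's Info.plist without a device: the script below is an added example, not part of this ticket or the app, that parses a constructed plist carrying the two per-domain exceptions the pentest reported, then a remediated plist with the NSAppTransportSecurity dictionary removed, and lists which keys weaken ATS for which host. The bundle identifier and the plist contents are constructed for illustration.

```python
import plistlib

# Constructed Info.plist (not the app's real file) showing the reported pattern:
# a per-domain exception that turns off forward-secrecy enforcement for each host.
PLIST_WITH_EXCEPTIONS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.app</string>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSExceptionDomains</key><dict>
      <key>www.bsnebiz.com.my</key><dict>
        <key>NSTemporaryExceptionRequiresForwardSecrecy</key><false/></dict>
      <key>cdb.bsn.com.my</key><dict>
        <key>NSTemporaryThirdPartyExceptionRequiresForwardSecrecy</key><false/></dict>
    </dict></dict>
</dict></plist>"""

# Remediated form: no NSAppTransportSecurity dictionary at all, so the ATS
# defaults (TLS 1.2+, forward secrecy, no cleartext HTTP) apply to every host.
PLIST_REMEDIATED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.app</string>
</dict></plist>"""

# Top-level keys that relax ATS for every connection of that kind when true.
GLOBAL_RELAXATIONS = ("NSAllowsArbitraryLoads", "NSAllowsArbitraryLoadsInWebContent",
                      "NSAllowsArbitraryLoadsForMedia")
# Per-domain keys and the value at which each one weakens ATS for that host.
# The NSTemporary* names are the older spellings that ATS still honours.
DOMAIN_WEAKENINGS = {
    "NSExceptionAllowsInsecureHTTPLoads": True,
    "NSThirdPartyExceptionAllowsInsecureHTTPLoads": True,
    "NSTemporaryExceptionAllowsInsecureHTTPLoads": True,
    "NSExceptionRequiresForwardSecrecy": False,
    "NSThirdPartyExceptionRequiresForwardSecrecy": False,
    "NSTemporaryExceptionRequiresForwardSecrecy": False,
    "NSTemporaryThirdPartyExceptionRequiresForwardSecrecy": False,
}


def ats_findings(plist_bytes: bytes) -> list[str]:
    """Return one line per ATS relaxation found, empty when ATS is fully enforced."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity")
    if not isinstance(ats, dict):
        return []  # no ATS dictionary means platform defaults everywhere
    findings = [f"global: {k}=true" for k in GLOBAL_RELAXATIONS if ats.get(k) is True]
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        for key, weak_value in DOMAIN_WEAKENINGS.items():
            if isinstance(rules, dict) and rules.get(key) == weak_value:
                findings.append(f"{domain}: {key}={str(weak_value).lower()}")
    return findings
```

Running `ats_findings` over a real Info.plist in CI gives a regression check that the exception dictionary does not quietly return in a later build.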
Action Plan:
History
#1 Updated by Susanto Felix Brilliant over 2 years ago
- Status changed from New - Begin Life Cycle to Development / Work In Progress
- Start date changed from May 11, 2022 to May 12, 2022
#2 Updated by Susanto Felix Brilliant over 2 years ago
- Due date set to May 13, 2022
- % Done changed from 0 to 100
#3 Updated by Susanto Felix Brilliant about 2 years ago
- Status changed from Development / Work In Progress to Finished Development
#4 Updated by Susanto Felix Brilliant about 2 years ago
- File BeforeRemoval.jpg added
- File AfterRemoval.jpg added
Removing the NSAppTransportSecurity tag in Info.plist to enable ATS globally
#5 Updated by Susanto Felix Brilliant about 2 years ago
- Status changed from Finished Development to Internal Testing
- Assignee changed from Susanto Felix Brilliant to Nurul Athira Abdul Rahim
#6 Updated by Nurul Athira Abdul Rahim about 2 years ago
- File Internal Test Results_SCPID #6249_Pentest_L13 - Overly Permissive Permission.docx added
- Subject changed from [IOS] - Pentest - L13 - Overly Permissive Permission to [IOS] - Pentest - L13 - App Transport Security (ATS) Exception Found
- Status changed from Internal Testing to System Integration Test
Tested and passed by iOS developer
#7 Updated by Norhaidah Md Dasuki over 1 year ago
Athira, update this task. tq.
#8 Updated by Nurul Athira Abdul Rahim over 1 year ago
- Status changed from System Integration Test to Pending UAT Deployment
- Assignee changed from Nurul Athira Abdul Rahim to Susanto Felix Brilliant
Please deploy these fixes to UAT.
Thanks
#9 Updated by Susanto Felix Brilliant over 1 year ago
- Status changed from Pending UAT Deployment to User Acceptance Test
Deployed to UAT and provided links to download.
version 3.3.1 build 341 Internal BSN
https://testflight.apple.com/join/GVdD3RT2
version 3.3.1 build 340 VPN Penril
https://testflight.apple.com/join/CdjMcH3f
#10 Updated by Susanto Felix Brilliant over 1 year ago
- Assignee changed from Susanto Felix Brilliant to Binti Marobi Athirah Umairah