Port MASTG-TEST-0067: Testing Endpoint Identity Verification (iOS) to v2

best-practices/MASTG-BEST-0025.md

@@ -0,0 +1,86 @@
+---
+title: Properly Configure App Transport Security
+alias: properly-configure-app-transport-security
+id: MASTG-BEST-0025
+platform: ios
+available_since: 9
+---
+
+App Transport Security (ATS) is a security feature introduced in iOS 9 that enforces secure network connections. By default, ATS requires all HTTP connections to use HTTPS with TLS 1.2 or higher, and it validates that certificates are properly signed and that hostnames match.
+
+## Always Rely on ATS for Network Security
+
+ATS provides strong default security for apps using the URL Loading System (such as `URLSession`). You should:
+
+- **Use `URLSession` for all HTTP/HTTPS connections** rather than lower-level APIs like CFStream or BSD Sockets, as these bypass ATS protections.
+- **Let ATS handle certificate validation** by default rather than implementing custom validation logic, which is error-prone.
+- **Avoid disabling ATS globally** using `NSAllowsArbitraryLoads`, as this removes security protections for all network connections.
+
+## Minimize ATS Exceptions
+
+If you must configure ATS exceptions (for example, to connect to a legacy server), follow these guidelines:
+
+- **Use domain-specific exceptions** rather than global exceptions. Configure exceptions only for the specific domains that require them using `NSExceptionDomains`.
+- **Document the business justification** for each exception. Apple requires justification for ATS exceptions during app review.
+- **Set the most restrictive exceptions possible**. For example, if a server supports TLS 1.2 but not forward secrecy, disable only forward secrecy for that domain rather than disabling all ATS checks.
+- **Plan to remove exceptions**. Work with backend teams to upgrade servers to meet ATS requirements, then remove the exceptions.
+
+## Example of Proper Domain-Specific Configuration
+
+If you must connect to a legacy server at `legacy.example.com` that supports TLS 1.2 but not forward secrecy, configure a minimal exception:
+
+```xml
+<key>NSAppTransportSecurity</key>
+<dict>
+    <key>NSExceptionDomains</key>
+    <dict>
+        <key>legacy.example.com</key>
+        <dict>
+            <key>NSExceptionRequiresForwardSecrecy</key>
+            <false/>
+        </dict>
+    </dict>
+</dict>
+```
+
+This configuration:
+
+- Maintains all other ATS protections (TLS 1.2+, certificate validation, hostname verification).
+- Only affects `legacy.example.com`, not other domains.
+- Still requires HTTPS (not HTTP).
+
+## What to Avoid
+
+**Never disable ATS globally:**
+
+```xml
+<!-- INSECURE - Do not use -->
+<key>NSAppTransportSecurity</key>
+<dict>
+    <key>NSAllowsArbitraryLoads</key>
+    <true/>
+</dict>
+```
+
+**Never allow insecure HTTP connections for production servers:**
+
+```xml
+<!-- INSECURE - Do not use for production -->
+<key>NSAppTransportSecurity</key>
+<dict>
+    <key>NSExceptionDomains</key>
+    <dict>
+        <key>api.example.com</key>
+        <dict>
+            <key>NSExceptionAllowsInsecureHTTPLoads</key>
+            <true/>
+        </dict>
+    </dict>
+</dict>
+```
+
+## References
+
+- [Apple Developer Documentation: Preventing Insecure Network Connections](https://developer.apple.com/documentation/security/preventing_insecure_network_connections)
+- [Apple Developer Documentation: NSAppTransportSecurity](https://developer.apple.com/documentation/bundleresources/information_property_list/nsapptransportsecurity)
+- [Apple Security Updates: App Transport Security](https://developer.apple.com/news/?id=jxky8h89)

demos/ios/MASVS-NETWORK/MASTG-DEMO-0068/Info.plist

@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>CFBundleExecutable</key>
+    <string>MASTestApp</string>
+    <key>CFBundleIdentifier</key>
+    <string>org.owasp.mastestapp</string>
+    <key>CFBundleName</key>
+    <string>MASTestApp</string>
+    <key>CFBundlePackageType</key>
+    <string>APPL</string>
+    <key>CFBundleShortVersionString</key>
+    <string>1.0</string>
+    <key>CFBundleVersion</key>
+    <string>1</string>
+
+    <!-- FAIL: [MASTG-TEST-0067] ATS is globally disabled, removing all certificate validation -->
+    <key>NSAppTransportSecurity</key>
+    <dict>
+        <key>NSAllowsArbitraryLoads</key>
+        <true/>
+    </dict>
+</dict>
+</plist>

demos/ios/MASVS-NETWORK/MASTG-DEMO-0068/MASTG-DEMO-0068.md

@@ -0,0 +1,40 @@
+---
+platform: ios
+title: Insecure App Transport Security Configuration
+code: [xml]
+id: MASTG-DEMO-0068
+test: MASTG-TEST-0067
+---
+
+### Sample
+
+The code snippet below shows an `Info.plist` configuration that disables App Transport Security (ATS) globally, allowing the app to make insecure HTTP connections and accept any certificate without proper validation.
+
+{{ Info.plist }}
+
+### Steps
+
+1. Extract the app's `Info.plist` file from the IPA package as explained in @MASTG-TECH-0092.
+2. Review the `NSAppTransportSecurity` configuration using the following command:
+
+{{ run.sh }}
+
+### Observation
+
+The output shows the complete ATS configuration from the `Info.plist` file.
+
+{{ output.txt }}
+
+### Evaluation
+
+The test fails because:
+
+- **`NSAllowsArbitraryLoads` is set to `true`**, which globally disables ATS for all network connections. This allows the app to:
+  - Make HTTP connections instead of requiring HTTPS
+  - Accept any certificate without validation
+  - Use weak TLS versions below 1.2
+  - Bypass hostname verification
+
+This configuration completely removes the security protections that ATS provides, making the app vulnerable to Machine-in-the-Middle (MITM) attacks.
+
+**Best Practice**: Remove `NSAllowsArbitraryLoads` and use domain-specific exceptions only when absolutely necessary (@MASTG-BEST-0025). If you must connect to legacy servers, configure minimal exceptions for specific domains rather than disabling ATS globally.

demos/ios/MASVS-NETWORK/MASTG-DEMO-0068/output.txt

@@ -0,0 +1,7 @@
+    <key>NSAppTransportSecurity</key>
+    <dict>
+        <key>NSAllowsArbitraryLoads</key>
+        <true/>
+    </dict>
+</dict>
+</plist>

demos/ios/MASVS-NETWORK/MASTG-DEMO-0068/run.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# Extract the NSAppTransportSecurity configuration from Info.plist
+# Using grep and sed to extract the relevant section
+grep -A 10 "NSAppTransportSecurity" Info.plist > output.txt
+
+# Show the result
+cat output.txt

tests-beta/ios/MASVS-NETWORK/MASTG-TEST-0067.md

@@ -0,0 +1,57 @@
+---
+title: Endpoint Identity Verification Not Enforced
+platform: ios
+id: MASTG-TEST-0067
+type: [static, dynamic]
+weakness: MASWE-0052
+best-practices: [MASTG-BEST-0025]
+profiles: [L1, L2]
+---
+
+## Overview
+
+This test evaluates whether an iOS app properly validates the server's certificate and hostname during TLS connections. Improper or disabled certificate validation allows attackers to perform [Machine-in-the-Middle (MITM)](../../../Document/0x04f-Testing-Network-Communication.md#intercepting-network-traffic-through-mitm) attacks using self-signed or invalid certificates, compromising the confidentiality and integrity of network communications.
+
+iOS apps that use the [URL Loading System](https://developer.apple.com/documentation/foundation/url_loading_system) (typically via `URLSession`) benefit from [App Transport Security (ATS)](https://developer.apple.com/documentation/bundleresources/information_property_list/nsapptransportsecurity) (@MASTG-KNOW-0071), which enforces proper certificate validation by default. However, apps may:
+
+- Disable ATS entirely or for specific domains using configuration exceptions in `Info.plist`.
+- Use lower-level networking APIs (e.g., BSD Sockets, `Network` framework) that are not protected by ATS.
+- Implement custom certificate validation logic that may be insecure.
+
+**Note:** If custom certificate pinning or custom trust evaluation is implemented but insecurely, it may also fall under @MASTG-TEST-0068. This test focuses on whether basic certificate and hostname validation is performed at all.
+
+## Steps
+
+1. Review the app's `Info.plist` file (@MASTG-TECH-0092) and check for ATS exceptions under the `NSAppTransportSecurity` key:
+    - Global exceptions like `NSAllowsArbitraryLoads` which disable ATS for all connections.
+    - Domain-specific exceptions such as `NSExceptionAllowsInsecureHTTPLoads` or lowered TLS requirements.
+2. Reverse engineer the app (@MASTG-TECH-0058) and run a static analysis tool such as @MASTG-TOOL-0073 on the app binary, or use a dynamic analysis tool like @MASTG-TOOL-0039, and look for:
+    - Use of lower-level networking APIs (`CFStream`, BSD Sockets, `Network` framework) that bypass ATS.
+    - Custom implementations of `URLSessionDelegate` methods that override certificate validation.
+    - Methods like `urlSession(_:didReceive:completionHandler:)` that may accept invalid certificates.
+3. Intercept the app's network traffic using @MASTG-TECH-0062:
+    - First, try to intercept traffic **without** installing a proxy certificate on the device. If traffic is visible, the app accepts any certificate.
+    - If that fails, install the proxy's CA certificate on the device and mark it as trusted. If traffic is now visible, the app validates certificates against the system trust store but does not implement certificate pinning.
+
+## Observation
+
+The output should contain:
+
+- Any ATS exceptions found in the `Info.plist` file.
+- Code locations where certificate validation may be bypassed or improperly implemented.
+- Network traffic capture results showing whether the app accepts:
+    - Untrusted certificates (without installing the proxy CA).
+    - Proxy certificates (after installing and trusting the proxy CA).
+
+## Evaluation
+
+The test fails if any of the following conditions are met:
+
+- **ATS is globally disabled** using `NSAllowsArbitraryLoads` without proper justification or specific domain exceptions.
+- **Insecure domain exceptions** are configured (e.g., `NSExceptionAllowsInsecureHTTPLoads: true`, `NSExceptionMinimumTLSVersion` set below TLS 1.2, or `NSExceptionRequiresForwardSecrecy: false`) for domains handling sensitive data.
+- The app **uses lower-level networking APIs** without implementing proper certificate validation.
+- The app **accepts any certificate** without validation, as evidenced by successful traffic interception without installing a trusted CA certificate.
+- Custom certificate validation logic **unconditionally accepts** all certificates or hostnames.
+- Custom `URLSessionDelegate` methods like `urlSession(_:didReceive:completionHandler:)` **bypass proper certificate checks** by always calling the completion handler with `.useCredential` or `.performDefaultHandling` without validating the server trust.
+
+When evaluating, consider whether the insecure configuration or implementation is limited to development/testing scenarios or affects production connections to sensitive endpoints.

tests/ios/MASVS-NETWORK/MASTG-TEST-0067.md

@@ -9,6 +9,9 @@ masvs_v1_levels:
 - L1
 - L2
 profiles: [L1, L2]
+status: deprecated
+covered_by: [MASTG-TEST-0067]
+deprecation_note: "New version available in MASTG v2"
 ---
 
 ## Overview