URLSession class provide methods to load network and URL requests asynchronously and synchronously. Older iOS versions can utilize the Sockets API.
URLSession was built upon the Network framework and utilizes the same transport services. The class also uses TLS 1.3 by default, if the endpoint is HTTPS.
URLSession should be used for HTTP and HTTPS connections, instead of utilizing the Network framework directly. The class natively supports both URL schemes and is optimized for such connections. It requires less boilerplate code, reducing the propensity for errors and ensuring secure connections by default. The Network framework should only be used when there are low-level and/or advanced networking requirements.
NSAppTransportSecurity key. These exceptions can be applied to:
Info.plist file in the application bundle directory and look for any exceptions that the application developer has configured. This file should be examined taking the application's context into consideration.
Info.plist file should be either obtained from a jailbroken device or by extracting the application IPA file. Convert it to a human readable format if needed (e.g. plutil -convert xml1 Info.plist) as explained in the chapter "iOS Basic Security Testing", section "The Info.plist File".
nscurl is available to check the same. The command can be used as follows:
If there are any failures in the nscurl output, change the server-side TLS configuration to make the server side more secure, instead of weakening the ATS configuration on the client.
example.com is owned by the application owner and ATS is enabled for that domain.
NSAllowsArbitraryLoadsInWebContent can be used to disable ATS restrictions for the content loaded in web views.
Info.plist file under App Transport Security Settings. You can find an example in their article Identity Pinning: How to configure server certificates for your app.
connection:willSendRequestForAuthenticationChallenge: method of NSURLConnectionDelegate to check if the certificate provided by the server is valid and matches the certificate stored in the app. You can find more details in the HTTPS Server Trust Evaluation technical note.