FVP-02-004 WP4: ATS policy unnecessarily weakened #799

Closed
bakulf opened this issue Apr 7, 2021 · 0 comments

bakulf commented Apr 7, 2021

The iOS Mozilla VPN app was checked for property settings which weaken the security of the application. It was discovered that NSAllowsArbitraryLoads is set. This means it disables the default App Transport Security restrictions and permits the app to utilize plain-text HTTP requests.

Affected File:
Info.plist

Affected Code:

<key>NSAppTransportSecurity</key>
<dict>
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>

As neither the source code nor the runtime assessment indicated that the iOS app
actually requires plain-text HTTP, it should be taken into consideration to remove this
property. This would ensure that the default ATS restrictions are enforced.

┆Issue is synchronized with this Jira Task

@bakulf bakulf added p3 Low Criticality Issues audit-issue labels Apr 7, 2021
@bakulf bakulf modified the milestone: v2.2 Apr 9, 2021
@bakulf bakulf added this to To Do in v2.2 🚀 Apr 12, 2021
@bakulf bakulf self-assigned this Apr 12, 2021
@bakulf bakulf moved this from To Do to In Progress in v2.2 🚀 Apr 12, 2021
@bakulf bakulf closed this as completed in 458135d Apr 12, 2021
bakulf added a commit that referenced this issue Apr 12, 2021
FVP-02-004 WP4: ATS policy unnecessarily weakened - closes #799
v2.2 🚀 automation moved this from In Progress to Merged Apr 12, 2021
@jess-cook03 jess-cook03 added this to the Release v2.2 🚀 milestone Apr 14, 2021
@jess-cook03 jess-cook03 added this to Triage parking lot in Mozilla VPN Product Board via automation Apr 14, 2021
@jess-cook03 jess-cook03 moved this from Triage parking lot to Done/Merged in Mozilla VPN Product Board Apr 14, 2021
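
An added example, not code from the Mozilla VPN project or the audit report: a build-time check that parses an `Info.plist` and reports the ATS weakening described in this issue. It goes beyond the single reported key to cover Apple's other global ATS overrides and per-domain exceptions; the function names, the sample plists and the host `legacy.example.test` are constructed for illustration.

```python
import plistlib

# Global ATS keys that relax the default HTTPS-only policy when set to true.
GLOBAL_KEYS = (
    "NSAllowsArbitraryLoads",
    "NSAllowsArbitraryLoadsInWebContent",
    "NSAllowsArbitraryLoadsForMedia",
)

def ats_findings(plist_bytes):
    """Return a list of ATS weakenings found in an XML Info.plist."""
    info = plistlib.loads(plist_bytes, fmt=plistlib.FMT_XML)
    ats = info.get("NSAppTransportSecurity", {})
    findings = [f"{key} is true" for key in GLOBAL_KEYS if ats.get(key) is True]
    for domain, rules in sorted(ats.get("NSExceptionDomains", {}).items()):
        if rules.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            findings.append(f"{domain}: plain-text HTTP allowed")
        if rules.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(f"{domain}: forward secrecy not required")
        tls = rules.get("NSExceptionMinimumTLSVersion")
        if tls in ("TLSv1.0", "TLSv1.1"):
            findings.append(f"{domain}: minimum TLS lowered to {tls}")
    return findings

def _plist(body):
    # Wrap a constructed fragment in a minimal XML property list.
    return b'<plist version="1.0"><dict>' + body + b"</dict></plist>"

# Constructed sample 1: the setting quoted in the issue.
WEAK = _plist(b"""
<key>NSAppTransportSecurity</key>
<dict><key>NSAllowsArbitraryLoads</key><true/></dict>""")

# Constructed sample 2: property removed, so default ATS applies.
DEFAULT = _plist(b"<key>CFBundleName</key><string>Example</string>")

# Constructed sample 3: exception scoped to one made-up host.
SCOPED = _plist(b"""
<key>NSAppTransportSecurity</key>
<dict><key>NSExceptionDomains</key><dict>
  <key>legacy.example.test</key><dict>
    <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
    <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
  </dict>
</dict></dict>""")

if __name__ == "__main__":
    for name, data in (("WEAK", WEAK), ("DEFAULT", DEFAULT), ("SCOPED", SCOPED)):
        print(name, ats_findings(data) or "no ATS weakening found")
```

Run against the built app's `Info.plist` in CI, a non-empty result can fail the build so that a reintroduced ATS exception is caught before release.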