All network requests use HTTPS and App Transport Security is not disabled

App Transport Security (ATS) is Apple's network security framework — disabling it with NSAllowsArbitraryLoads: true in Info.plist allows all HTTP traffic, exposing users to man-in-the-middle attacks (CWE-319, OWASP A02 Cryptographic Failures). Apple requires a written justification for any ATS exception, and blanket disabling is frequently rejected without a compelling reason. HTTP API calls transmit auth tokens, personal data, and session information in cleartext — on public Wi-Fi, any observer on the network can read them. On Android, android:usesCleartextTraffic="true" in AndroidManifest.xml has the same effect.

Remove NSAllowsArbitraryLoads from Info.plist and migrate all API URLs to HTTPS.

// app.json — disable ATS exceptions
"ios": {
  "infoPlist": {
    "NSAppTransportSecurity": {
      "NSAllowsArbitraryLoads": false
    }
  }
}

For Android, add res/xml/network_security_config.xml:

<network-security-config>
  <base-config cleartextTrafficPermitted="false" />
</network-security-config>

If a specific third-party domain still requires HTTP (e.g., a local dev proxy), scope the exception to that domain only using NSExceptionDomains — never disable ATS globally. Update your backend's load balancer or CDN to enforce HTTPS if any production endpoint still accepts HTTP.

• ID: ats-https-enforced
• Severity: critical
• What to look for: Count all relevant instances and enumerate each. Check ios/[AppName]/Info.plist and app.json's ios.infoPlist section for NSAppTransportSecurity. The presence of NSAllowsArbitraryLoads: true means ALL HTTP traffic is allowed — this is a major red flag and requires a written justification for App Store approval. Also look for NSExceptionDomains entries with NSAllowsInsecureHTTPLoads: true. Search all source files for http:// URLs in API calls, fetch requests, and Axios base URLs (excluding localhost/development URLs). In android/app/src/main/AndroidManifest.xml, check for android:usesCleartextTraffic="true" on the <application> tag, or network_security_config allowing cleartext traffic to specific domains.
• Pass criteria: No NSAllowsArbitraryLoads: true in Info. At least 1 implementation must be verified.plist; no android:usesCleartextTraffic="true" in AndroidManifest.xml without a <domain-config> restriction; all production API base URLs use https://.
• Fail criteria: NSAllowsArbitraryLoads: true in Info.plist; android:usesCleartextTraffic="true" in AndroidManifest with no domain restriction; http:// URLs in production API configuration.
• Skip (N/A) when: App is Android-only (ATS is an iOS-specific requirement, though HTTPS is still required on Android).
• Detail on fail: "Info.plist has NSAllowsArbitraryLoads=true — ATS is completely disabled" or "API base URL uses http:// in src/config/api.ts: 'http://api.example.com'" or "AndroidManifest.xml has android:usesCleartextTraffic='true' with no domain restriction"
• Remediation: ATS-disabled apps are frequently rejected or required to submit a justification. Fix immediately.
  1. Remove NSAllowsArbitraryLoads from Info.plist entirely or set to false
  2. Ensure all API endpoints use https:// — update your backend if necessary
  3. If you need HTTP for a specific domain (e.g., local dev server), use NSExceptionDomains scoped to that domain — never disable globally
  4. For Android, remove android:usesCleartextTraffic="true" or restrict via network_security_config.xml:

     <network-security-config>
       <base-config cleartextTrafficPermitted="false" />
     </network-security-config>
     

  5. In React Native/Expo, set in app.json:

     "ios": { "infoPlist": { "NSAppTransportSecurity": { "NSAllowsArbitraryLoads": false } } }