Skip to main content

D003: Insecure HTTP Connections

AdminStudio 2025 | 29.0 | Application Manager

D003 scans the app to determine if the app allows insecure HTTP connections to any of the domains.

Starting in OS X v10.11, a new security feature called App Transport Security (ATS) is available to apps and is enabled by default. It improves the privacy and data integrity of connections between an app and web services by enforcing additional security requirements for HTTP-based networking requests. Specifically, with ATS enabled, HTTP connections must use HTTPS (RFC 2818). Attempts to connect using insecure HTTP fail. Furthermore, HTTPS requests must use best practices for secure communications.

AdminStudio examines the application’s metadata to determine if the feature is part of the application’s primary functionality, and whether it calls the feature’s APIs.

Test Group/Test Category

Risk Assessment/Desktop Risk Assessment/macOS Risk Assessment

Severity

  • If the application requires the feature as part of the application’s primary functionality, an Error is generated.

  • If the application calls the feature’s APIs, a Warning is generated.

See Also

NSAppTransportSecurity