Only Allow TLS 1.3
| Plan | Platforms | MASVS |
|---|---|---|
| Team | Android API 29+, iOS 13+ | MASVS-NETWORK-1 |
Overview
Only Allow TLS 1.3 (TLS13OnlyPrevention) enforces the exclusive use of TLS 1.3 for all HTTPS connections made through the platform's standard networking APIs. When enabled, any server that does not support TLS 1.3 will fail to connect, ensuring that all encrypted communications use the most modern and secure version of the TLS protocol.
Critical: Enabling this control will break connectivity to any backend, CDN, analytics service, or third-party SDK endpoint that does not negotiate TLS 1.3. You must verify that all remote services your application depends on support TLS 1.3 before deployment.
How It Works
iOS Implementation
On iOS 13 and later, the control uses method swizzling to intercept calls to the following NSURLSessionConfiguration factory methods:
- defaultSessionConfiguration
- ephemeralSessionConfiguration
- backgroundSessionConfigurationWithIdentifier:
Each intercepted configuration object has its TLSMinimumSupportedProtocolVersion and TLSMaximumSupportedProtocolVersion properties set to tls_protocol_version_TLSv13, effectively pinning all NSURLSession traffic to TLS 1.3 only.
Android Implementation
On Android 10 (API 29) and later, the control creates an SSLContext instance initialized with the "TLSv1.3" protocol and installs its SSLSocketFactory as the global default via HttpsURLConnection.setDefaultSSLSocketFactory(). All subsequent HTTPS connections made through HttpsURLConnection will enforce TLS 1.3 as the only acceptable protocol version.
Coverage and Limitations
iOS
Covered:
- All NSURLSession-based networking (URLSession, URLRequest, URLConnection)
NOT Covered:
- CFNetwork streams (CFReadStream, CFWriteStream)
- Network.framework (NWConnection, NWParameters)
- WKWebView network requests
- Third-party networking libraries bundled in your app or its dependencies (e.g., Alamofire, gRPC, custom networking stacks)
Android
Covered:
- All HttpsURLConnection-based networking
NOT Covered:
- OkHttp / Retrofit / Volley / other third-party HTTP clients
- WebView network requests
- Native networking libraries (Cronet, gRPC, custom C/C++ stacks)
Threats Mitigated
- Protocol Downgrade Attacks: Prevents attackers from forcing connections to negotiate older, weaker TLS versions (1.0, 1.1, 1.2) that may have known vulnerabilities
- Man-in-the-Middle (MITM) Exploits: Eliminates exposure to CBC cipher suite attacks, BEAST, POODLE, and other legacy TLS flaws
- Compliance: Enforces alignment with modern security standards that mandate TLS 1.3 or newer
Caveats
Deployment Risk
HIGH: This control will cause immediate connection failures for any server that does not support TLS 1.3. Before enabling in production:
- Audit all backend APIs, analytics endpoints, CDNs, and third-party SDKs
- Verify TLS 1.3 support on staging infrastructure
- Test exhaustively in a non-production environment with the actual app build
MessagePrompt Notification
When enforcement is activated, the SDK issues a MessagePrompt callback to notify the host application. This notification is informational and always fires, even if all servers support TLS 1.3. Configure an appropriate user-facing message or handle the callback silently if no user notification is desired.
Library Coverage
The control only affects the platform's default HTTPS client. If your app or its dependencies use third-party networking libraries, you must configure TLS 1.3 enforcement separately in those libraries (e.g., via OkHttp ConnectionSpec, Alamofire ServerTrustManager, etc.).
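As an added example (not part of the SDK or of OkHttp's documentation), this is how the OkHttp ConnectionSpec mentioned above restricts a client to TLS 1.3; the class and method names OkHttpTls13 and build() are hypothetical, and the okhttp3 types are the library's real API.

```java
import java.util.Collections;
import okhttp3.ConnectionSpec;
import okhttp3.OkHttpClient;
import okhttp3.TlsVersion;

public final class OkHttpTls13 {
    // Returns a client that refuses any server unable to negotiate TLS 1.3.
    public static OkHttpClient build() {
        // Start from MODERN_TLS (TLS 1.2/1.3 with a strong cipher list) and
        // narrow the allowed protocol versions to TLS 1.3 only.
        ConnectionSpec tls13Only = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
                .tlsVersions(TlsVersion.TLS_1_3)
                .build();
        // Supplying only this spec also drops ConnectionSpec.CLEARTEXT, so
        // plain http:// URLs fail as well instead of silently going unencrypted.
        return new OkHttpClient.Builder()
                .connectionSpecs(Collections.singletonList(tls13Only))
                .build();
    }
}
```

Retrofit uses the same client when it is passed to Retrofit.Builder().client(...); if the platform cannot offer TLS 1.3, OkHttp fails the connection rather than falling back.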
iOS 12 and Earlier, Android 9 and Earlier
On platforms below the minimum version, the control logs a warning and does not enforce TLS 1.3. Connections will proceed with the platform's default TLS negotiation behavior.
Support Matrix
| Platform | Minimum Version | Status |
|---|---|---|
| iOS | 13.0+ | ✅ Supported |
| Android | API 29+ (10.0) | ✅ Supported |
| iOS | 12.x and older | ⚠️ No-op (logs warning) |
| Android | API 28 and older | ⚠️ No-op (logs warning) |
How to Enable the Control
Navigate to Connection Settings in the AppTego portal and expand the Transport Security section, where you will find the Require TLS 1.3 control. Click Enable: the control is applied to the next build, or immediately via live push if live push is enabled.
API Configuration Example
```json
{
  "TLS13OnlyPrevention": {
    "protection": true,
    "detection": false,
    "action": "none",
    "title": "Security Update",
    "message": "Your app has been configured to use TLS 1.3 for all secure connections.",
    "buttons": ["OK"],
    "actions": ["close"],
    "redirects": [""]
  }
}
```
- protection: true — Enable TLS 1.3 enforcement
- detection: false — No detection logic implemented; leave as false
- action, title, message, buttons, actions, redirects — Configure the MessagePrompt that fires when enforcement is activated
Set protection: false to disable enforcement (connections will use platform-default TLS negotiation).
Deployment Checklist
- ✅ Verify all backend services support TLS 1.3
- ✅ Test with real production endpoints in staging
- ✅ Confirm third-party SDKs (analytics, crash reporting, etc.) support TLS 1.3
- ✅ Configure appropriate MessagePrompt text or handle silently
- ✅ Plan rollback strategy if connection failures occur post-deployment
- ✅ Monitor backend logs for TLS handshake failures after enabling