Kingdom: Security Features
Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.
Authentication Bad Practice: Ignored Authentication Method
Abstract
Implementing the NSURLConnectionDelegate.connection(_:willSendRequestFor:) delegate callback method causes the system to ignore the NSURLConnectionDelegate.connection(_:canAuthenticateAgainstProtectionSpace:) and NSURLConnectionDelegate.connection(_:didReceive:) methods.
Explanation
The NSURLConnectionDelegate.connection(_:willSendRequestFor:) delegate method lets the delegate handle every authentication challenge for the connection in one place. If the delegate implements this method, it does not need to implement NSURLConnectionDelegate.connection(_:canAuthenticateAgainstProtectionSpace:) or NSURLConnectionDelegate.connection(_:didReceive:). In fact, those two methods are never invoked once connection(_:willSendRequestFor:) exists, so any security checks placed in them (server-trust validation, certificate pinning, the decision to send or withhold a credential) are silently skipped. A delegate class that implements connection(_:willSendRequestFor:) together with either of the other two methods is therefore carrying dead authentication code, and the actual check must live in connection(_:willSendRequestFor:) itself.
References
[1] Apple: connection(_:willSendRequestFor:) API documentation
[2] Standards Mapping - General Data Protection Regulation (GDPR): Access Violation
[3] Standards Mapping - OWASP API 2023: API2 Broken Authentication
[4] Standards Mapping - OWASP Mobile 2024: M3 Insecure Authentication/Authorization
[5] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0: MASVS-AUTH-1
desc.structural.objc.authentication_bad_practice_ignored_authentication_method
Abstract
Implementing the NSURLConnectionDelegate.connection(_:willSendRequestFor:) delegate callback method causes the system to ignore the NSURLConnectionDelegate.connection(_:canAuthenticateAgainstProtectionSpace:) and NSURLConnectionDelegate.connection(_:didReceive:) methods.
Explanation
The NSURLConnectionDelegate.connection(_:willSendRequestFor:) delegate method lets the delegate handle every authentication challenge for the connection in one place. If the delegate implements this method, it does not need to implement NSURLConnectionDelegate.connection(_:canAuthenticateAgainstProtectionSpace:) or NSURLConnectionDelegate.connection(_:didReceive:). In fact, those two methods are never invoked once connection(_:willSendRequestFor:) exists, so any security checks placed in them (server-trust validation, certificate pinning, the decision to send or withhold a credential) are silently skipped. A delegate class that implements connection(_:willSendRequestFor:) together with either of the other two methods is therefore carrying dead authentication code, and the actual check must live in connection(_:willSendRequestFor:) itself.
References
[1] Apple: connection(_:willSendRequestFor:) API documentation
[2] Standards Mapping - General Data Protection Regulation (GDPR): Access Violation
[3] Standards Mapping - OWASP API 2023: API2 Broken Authentication
[4] Standards Mapping - OWASP Mobile 2024: M3 Insecure Authentication/Authorization
[5] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0: MASVS-AUTH-1
desc.structural.swift.authentication_bad_practice_ignored_authentication_method
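The following Swift example is added here to illustrate the Objective-C and Swift entries above; it is not code from the rule descriptions or from Apple's documentation. It assumes a certificate-pinning design in which the app ships the DER bytes of the expected leaf certificate (the pinnedLeafDER value), and the helper serverTrustMatchesPin and both delegate class names are hypothetical. The first delegate puts its pinning logic in connection(_:canAuthenticateAgainstProtectionSpace:) and connection(_:didReceive:) but also implements connection(_:willSendRequestFor:), so the pin is never enforced; the second moves the same check into the one callback that actually runs.

```swift
import Foundation
import Security

// Shared helper (hypothetical): default TLS evaluation plus a pin on the leaf
// certificate's DER bytes. The pinned bytes are assumed to ship in the app bundle.
func serverTrustMatchesPin(_ trust: SecTrust, pinnedLeafDER: Data) -> Bool {
    var error: CFError?
    // System chain validation (expiry, hostname, CA) must still pass.
    guard SecTrustEvaluateWithError(trust, &error) else { return false }
    // SecTrustGetCertificateAtIndex is deprecated on newer SDKs in favour of
    // SecTrustCopyCertificateChain, but still matches the NSURLConnection era.
    guard let leaf = SecTrustGetCertificateAtIndex(trust, 0) else { return false }
    return (SecCertificateCopyData(leaf) as Data) == pinnedLeafDER
}

// BAD: the pinning logic lives in canAuthenticateAgainstProtectionSpace and
// didReceive, but because willSendRequestFor is also implemented, the system
// never calls either of them.
final class IgnoredChecksDelegate: NSObject, NSURLConnectionDelegate {
    let pinnedLeafDER: Data
    init(pinnedLeafDER: Data) { self.pinnedLeafDER = pinnedLeafDER }

    func connection(_ connection: NSURLConnection,
                    canAuthenticateAgainstProtectionSpace protectionSpace: URLProtectionSpace) -> Bool {
        // Dead code while willSendRequestFor exists below.
        return protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust
    }

    func connection(_ connection: NSURLConnection, didReceive challenge: URLAuthenticationChallenge) {
        // Dead code as well: the pin is silently skipped.
        guard let trust = challenge.protectionSpace.serverTrust,
              serverTrustMatchesPin(trust, pinnedLeafDER: pinnedLeafDER) else {
            challenge.sender?.cancel(challenge)
            return
        }
        challenge.sender?.use(URLCredential(trust: trust), for: challenge)
    }

    func connection(_ connection: NSURLConnection, willSendRequestFor challenge: URLAuthenticationChallenge) {
        // The only callback that runs. Default handling accepts any certificate the
        // system trust store accepts, so any CA-issued certificate for the host passes.
        challenge.sender?.performDefaultHandling?(for: challenge)
    }
}

// GOOD: one challenge callback, and the security decision is made inside it.
final class PinnedDelegate: NSObject, NSURLConnectionDelegate {
    let pinnedLeafDER: Data
    init(pinnedLeafDER: Data) { self.pinnedLeafDER = pinnedLeafDER }

    func connection(_ connection: NSURLConnection, willSendRequestFor challenge: URLAuthenticationChallenge) {
        let space = challenge.protectionSpace
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = space.serverTrust else {
            // Not a TLS server-trust challenge (e.g. HTTP Basic/Digest): let the
            // system apply its normal credential handling for that scheme.
            challenge.sender?.performDefaultHandling?(for: challenge)
            return
        }
        if serverTrustMatchesPin(trust, pinnedLeafDER: pinnedLeafDER) {
            challenge.sender?.use(URLCredential(trust: trust), for: challenge)
        } else {
            // Fail closed: a pin mismatch aborts the connection.
            challenge.sender?.cancel(challenge)
        }
    }
}

// Usage sketch (pinnedBytes is assumed to be loaded from the bundle):
//   let delegate = PinnedDelegate(pinnedLeafDER: pinnedBytes)
//   NSURLConnection(request: URLRequest(url: url), delegate: delegate)?.start()
```

A quick structural audit for this finding is to list every class conforming to NSURLConnectionDelegate and flag any that implements connection(_:willSendRequestFor:) together with connection(_:canAuthenticateAgainstProtectionSpace:) or connection(_:didReceive:); in such a class the latter two are unreachable. Note that NSURLConnection itself has been deprecated since iOS 9 and macOS 10.11; with URLSession the single challenge callback is urlSession(_:didReceive:completionHandler:), and the same principle applies: the server-trust check belongs in the callback that actually runs.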