Kingdom: Encapsulation

Encapsulation is about drawing strong boundaries. In a web browser that might mean ensuring that your mobile code cannot be abused by other mobile code. On the server it might mean differentiation between validated data and unvalidated data, between one user's data and another's, or between data users are allowed to see and data that they are not.

Insecure IPC: Missing Content Validation

Objective-C
Swift

Abstract

The extension view controller fails to validate the data sent from the host app.

Explanation

The extension receives data from the host app in its view controller and fails to implement the SLComposeServiceViewController isContentValid to validate the untrusted data received before using it.

Example 1: The following extension view controller receives data from the host app but fails to implement a callback method to validate it:


    #import <MobileCoreServices/MobileCoreServices.h>

    @interface ShareViewController : SLComposeServiceViewController
        ...
    @end

    @interface ShareViewController ()
        ...
    @end

    @implementation ShareViewController

    - (void)didSelectPost {
        NSExtensionItem *item = self.extensionContext.inputItems.firstObject;
        NSItemProvider *itemProvider = item.attachments.firstObject;
        ...
        // Use the received items
        ...
        [self.extensionContext completeRequestReturningItems:@[] completionHandler:nil];
    }

    ...

    @end

References

[1] David Thiel iOS Application Security: The Definitive Guide for Hackers and Developers No Starch Press

[2] SLComposeServiceViewController Apple

[3] Standards Mapping - Common Weakness Enumeration CWE ID 501

[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001084, CCI-002754

[5] Standards Mapping - FIPS200 SI

[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-3 Security Function Isolation (P1), SI-10 Information Input Validation (P1)

[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-3 Security Function Isolation, SI-10 Information Input Validation

[9] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs

[10] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation

[11] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1

[12] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input

[13] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design

[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1

[16] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I

[17] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I

[18] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I

[19] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I

[20] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I

[21] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I

[22] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I

[23] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I

[24] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I

[25] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I

[26] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I

[27] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I

[28] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I

[29] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I

[30] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I

[31] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I

[32] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I

[33] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I

[34] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I

[35] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I

[36] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I

[37] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I

[38] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)

desc.structural.objc.insecure_ipc_missing_content_validation

Abstract

The extension view controller fails to validate the data sent from the host app.

Explanation


    import MobileCoreServices

    class ShareViewController: SLComposeServiceViewController {
        
        ... 

        override func didSelectPost() {
            let extensionItem = extensionContext?.inputItems.first as! NSExtensionItem
            let itemProvider = extensionItem.attachments?.first as! NSItemProvider
            ...
            // Use the received items
            ...
            self.extensionContext?.completeRequestReturningItems([], completionHandler:nil)
        }

        ...
    }