Kingdom: Encapsulation

Encapsulation is about drawing strong boundaries. In a web browser that might mean ensuring that your mobile code cannot be abused by other mobile code. On the server it might mean differentiation between validated data and unvalidated data, between one user's data and another's, or between data users are allowed to see and data that they are not.

Insecure IPC: Missing URL Validation

Abstract
The application fails to validate the calling URL in a URL-based Inter-Process Communication (IPC) call.
Explanation
When a third-party application or webview uses a URL to communicate with your application, the receiving application should validate the calling URL before taking any further action. The receiving application can decide whether it wants to open the calling URL in the UIApplicationDelegate application:didFinishLaunchingWithOptions: or UIApplicationDelegate application:willFinishLaunchingWithOptions: delegate methods.

Example 1: The following implementation of the UIApplicationDelegate application:didFinishLaunchingWithOptions: delegate method fails to validate the calling URL and always processes the untrusted URL:


- (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions {
    // launchOptions may carry the calling URL, but it is never inspected.
    return YES;
}
References
[1] David Thiel iOS Application Security: The Definitive Guide for Hackers and Developers No Starch Press
[2] Standards Mapping - Common Weakness Enumeration CWE ID 501
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001084, CCI-002754
[4] Standards Mapping - FIPS200 SI
[5] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-3 Security Function Isolation (P1), SI-10 Information Input Validation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-3 Security Function Isolation, SI-10 Information Input Validation
[8] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[9] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[10] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[11] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[12] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[15] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[16] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[17] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[18] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[19] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[20] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[21] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[22] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[23] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[24] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[37] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.structural.objc.insecure_ipc_missing_url_validation
Abstract
The application fails to validate the calling URL in a URL-based Inter-Process Communication (IPC) call.
Explanation
When a third-party application or webview uses a URL to communicate with your application, the receiving application should validate the calling URL before taking any further action. The receiving application can decide whether it wants to open the calling URL in the UIApplicationDelegate application:didFinishLaunchingWithOptions: or UIApplicationDelegate application:willFinishLaunchingWithOptions: delegate methods.

Example 1: The following implementation of the UIApplicationDelegate application:didFinishLaunchingWithOptions: delegate method fails to validate the calling URL and always processes the untrusted URL:


func application(_ application: UIApplication, didFinishLaunchingWithOptions launchOptions: [UIApplication.LaunchOptionsKey: Any]?) -> Bool {
    // launchOptions may carry the calling URL, but it is never inspected.
    return true
}
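A validated counterpart to the Objective-C and Swift examples above, added here as an illustration and not taken from the original page. The type LaunchURLPolicy, the scheme exampleapp, the action names, the id parameter, and the bundle ID com.example.companion are hypothetical values chosen for the example.

```swift
import UIKit

// Hypothetical allowlist policy; every literal below is an assumed example value.
enum LaunchURLPolicy {
    static let scheme = "exampleapp"
    static let allowedActions: Set<String> = ["open-item", "show-profile"]
    static let trustedCallers: Set<String> = ["com.example.companion"]

    /// Returns true only when the URL shape and its sender both match the allowlist.
    static func accepts(_ url: URL, from caller: String?) -> Bool {
        guard let parts = URLComponents(url: url, resolvingAgainstBaseURL: false),
              parts.scheme?.lowercased() == scheme,
              let action = parts.host?.lowercased(),
              allowedActions.contains(action),
              parts.user == nil, parts.password == nil, parts.port == nil,
              parts.path.isEmpty
        else { return false }

        // Every query parameter must be expected and well-formed:
        // here only a short, all-digit "id" is accepted.
        for item in parts.queryItems ?? [] {
            guard item.name == "id",
                  let value = item.value,
                  !value.isEmpty, value.count <= 12,
                  value.allSatisfy({ $0.isASCII && $0.isNumber })
            else { return false }
        }

        // A missing caller identity is treated as untrusted.
        guard let caller = caller else { return false }
        return trustedCallers.contains(caller)
    }
}

class AppDelegate: UIResponder, UIApplicationDelegate {
    func application(_ application: UIApplication,
                     didFinishLaunchingWithOptions launchOptions: [UIApplication.LaunchOptionsKey: Any]?) -> Bool {
        // An ordinary launch carries no URL, so there is nothing to validate.
        guard let url = launchOptions?[.url] as? URL else { return true }
        let caller = launchOptions?[.sourceApplication] as? String
        // Returning false tells UIKit the app will not handle this URL.
        return LaunchURLPolicy.accepts(url, from: caller)
    }
}
```

The same policy check belongs in application(_:open:options:), which receives URLs while the app is already running.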
References
[1] David Thiel iOS Application Security: The Definitive Guide for Hackers and Developers No Starch Press
[2] UIApplicationDelegate Apple
[3] Standards Mapping - Common Weakness Enumeration CWE ID 501
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001084, CCI-002754
[5] Standards Mapping - FIPS200 SI
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-3 Security Function Isolation (P1), SI-10 Information Input Validation (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-3 Security Function Isolation, SI-10 Information Input Validation
[9] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[10] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[11] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[12] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[13] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[16] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[17] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[18] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[19] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[20] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[21] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[22] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[23] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[24] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[38] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.structural.swift.insecure_ipc_missing_url_validation