Kingdom: Encapsulation

Encapsulation is about drawing strong boundaries. In a web browser that might mean ensuring that your mobile code cannot be abused by other mobile code. On the server it might mean differentiation between validated data and unvalidated data, between one user's data and another's, or between data users are allowed to see and data that they are not.

Insecure IPC: URL Scheme Hijacking

Abstract
The application uses custom URL schemes for Inter-Process Communication (IPC), which are subject to "URL Scheme Hijacking".
Explanation
Applications may register custom URL schemes so that third-party applications can communicate with them. Although this is a simple IPC channel, it exposes your application to "URL Scheme Hijacking". Any application can register a URL scheme as long as Apple has not reserved it, so a malicious application can register the same scheme as your application, and the outcome is undefined. According to Apple's documentation: "If more than one third party app registers to handle the same URL scheme, there is currently no process for determining which app will be given that scheme". If the malicious application is installed before your application, it may register the scheme and prevent your application from installing successfully. Alternatively, if the malicious application is installed after your application and it succeeds in registering the scheme, it may hijack the scheme from your application and receive the URLs, and any tokens or data they carry, that were intended for your application.
References
[1] David Thiel iOS Application Security: The Definitive Guide for Hackers and Developers No Starch Press
[2] Standards Mapping - Common Weakness Enumeration CWE ID 939
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [25] CWE ID 862
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [16] CWE ID 862
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [11] CWE ID 862
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [9] CWE ID 862
[8] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.1.4 Generic Web Service Security Verification Requirements (L2 L3)
[10] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-PLATFORM-1
[11] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
desc.structural.objc.insecure_ipc_url_scheme_hijacking
Abstract
The application uses custom URL schemes for Inter-Process Communication (IPC), which are subject to "URL Scheme Hijacking".
Explanation
Applications may register custom URL schemes so that third-party applications can communicate with them. Although this is a simple IPC channel, it exposes your application to "URL Scheme Hijacking". Any application can register a URL scheme as long as Apple has not reserved it, so a malicious application can register the same scheme as your application, and the outcome is undefined. According to Apple's documentation: "If more than one third party app registers to handle the same URL scheme, there is currently no process for determining which app will be given that scheme". If the malicious application is installed before your application, it may register the scheme and prevent your application from installing successfully. Alternatively, if the malicious application is installed after your application and it succeeds in registering the scheme, it may hijack the scheme from your application and receive the URLs, and any tokens or data they carry, that were intended for your application.
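The scheme registration and handling flow described in both the Objective-C and Swift entries above, as an added example that is not part of this description or of any Apple sample code: a Swift app delegate shown first in the hijackable form and then hardened. The scheme "acmepay", the host "auth", the caller allow-list, and the Session and PendingAuth helpers are hypothetical. The scheme is assumed to be declared in Info.plist under CFBundleURLTypes / CFBundleURLSchemes, which is exactly the declaration a second, malicious app can copy.

```swift
import UIKit

// Hypothetical helpers so the example compiles on its own.
final class Session {
    static let shared = Session()
    private(set) var token: String?
    func completeLogin(token: String) { self.token = token }
}

// One-time "state" values minted by this app before it hands off to a browser
// or partner app. consume(state:) succeeds at most once per value.
enum PendingAuth {
    private static var states = Set<String>()
    static func begin() -> String {
        let state = UUID().uuidString
        states.insert(state)
        return state
    }
    static func consume(state: String) -> Bool {
        return states.remove(state) != nil
    }
}

// --- Vulnerable pattern ---------------------------------------------------
// Info.plist: CFBundleURLSchemes = ["acmepay"]. Any other app may declare the
// same scheme; if it wins the registration, a link such as
//   acmepay://auth/callback?token=...
// is delivered to that app instead of this one. Worse, this handler accepts
// whatever arrives without checking scheme, host, or origin.
final class VulnerableAppDelegate: UIResponder, UIApplicationDelegate {
    func application(_ app: UIApplication, open url: URL,
                     options: [UIApplication.OpenURLOptionsKey: Any] = [:]) -> Bool {
        let token = URLComponents(url: url, resolvingAgainstBaseURL: false)?
            .queryItems?.first(where: { $0.name == "token" })?.value
        if let token = token {
            Session.shared.completeLogin(token: token) // attacker-controlled input
        }
        return true
    }
}

// --- Hardened pattern ------------------------------------------------------
// 1. Carry anything sensitive over Universal Links (https URLs bound to your
//    domain through apple-app-site-association); another app cannot claim them.
// 2. If a custom scheme must remain for legacy callers, treat the URL as
//    untrusted: allow-list scheme and host, require a one-time state this app
//    minted, and optionally allow-list the calling app's bundle identifier.
//    Note the limits: the state check stops an attacker injecting a token into
//    this app, and sourceApplication tells you who called you; neither stops a
//    hijacking app from receiving a URL in the first place. Only (1) does that.
final class HardenedAppDelegate: UIResponder, UIApplicationDelegate {
    private let allowedScheme = "acmepay"
    private let allowedHost = "auth"
    private let allowedCallers: Set<String> = ["com.example.partner"] // hypothetical

    // Universal Link entry point, e.g. https://acmepay.example/auth/callback?...
    func application(_ application: UIApplication,
                     continue userActivity: NSUserActivity,
                     restorationHandler: @escaping ([UIUserActivityRestoring]?) -> Void) -> Bool {
        guard userActivity.activityType == NSUserActivityTypeBrowsingWeb,
              let url = userActivity.webpageURL else { return false }
        return handleCallback(url)
    }

    // Legacy custom-scheme entry point.
    func application(_ app: UIApplication, open url: URL,
                     options: [UIApplication.OpenURLOptionsKey: Any] = [:]) -> Bool {
        guard url.scheme == allowedScheme, url.host == allowedHost else { return false }
        // sourceApplication is set by the system (absent for Safari). Use it only
        // for app-to-app IPC where the caller set is known.
        if let caller = options[.sourceApplication] as? String,
           !allowedCallers.contains(caller) {
            return false
        }
        return handleCallback(url)
    }

    private func handleCallback(_ url: URL) -> Bool {
        guard let items = URLComponents(url: url, resolvingAgainstBaseURL: false)?.queryItems,
              let token = items.first(where: { $0.name == "token" })?.value,
              let state = items.first(where: { $0.name == "state" })?.value,
              PendingAuth.consume(state: state) else {
            return false // unknown or replayed state: drop silently
        }
        Session.shared.completeLogin(token: token)
        return true
    }
}
```

To exercise either handler on the simulator, open a URL from the command line with `xcrun simctl openurl booted "acmepay://auth/callback?token=t&state=s"`; to reproduce the hijack itself, install a second app whose Info.plist declares the same CFBundleURLSchemes entry and observe which app the URL lands in. A static check in review is simpler still: any CFBundleURLSchemes entry whose handler passes query parameters into authentication or data-access code is a finding unless the same flow is also served over Universal Links.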
References
[1] David Thiel iOS Application Security: The Definitive Guide for Hackers and Developers No Starch Press
[2] Standards Mapping - Common Weakness Enumeration CWE ID 939
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [25] CWE ID 862
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [16] CWE ID 862
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [11] CWE ID 862
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [9] CWE ID 862
[8] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.1.4 Generic Web Service Security Verification Requirements (L2 L3)
[10] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-PLATFORM-1
[11] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
desc.structural.swift.insecure_ipc_url_scheme_hijacking