Kingdom: Security Features
Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.
Authentication Bad Practice: Missing Host Check
Abstract
The authentication handling callback for
NSURLConnection or NSURLSession fails to check what host it is sending the credentials to.Explanation
The application implements the
Example 1: The following application sends user credentials to any host asking for authentication:
NSURLConnection or NSURLSession callbacks to handle authentication requests. Forgetting to ensure that the authentication request comes from the expected host would result in credentials being sent to every URL the application loads. In addition, failing to check that the credentials can be sent securely would result in credentials being stolen.Example 1: The following application sends user credentials to any host asking for authentication:
- (void)URLSession:(NSURLSession *)session didReceiveChallenge:(NS URLAuthenticationChallenge *)challenge completionHandler:(void (^)(NS URLSessionAuthChallengeDisposition, NSURLCredential *))completionHandler {
NSString *user = [self getUser];
NSString *pass = [self getPassword];
NSURLCredential *cred = [NSURLCredential credentialWithUser:user
password:pass persistence:NSURLCredentialPersistenceForSession];
completionHandler(NSURLSessionAuthChallengeUseCredential, credential);
}
References
[1] David Thiel iOS Application Security: The Definitive Guide for Hackers and Developers No Starch Press
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 4
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 2
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[6] Standards Mapping - CIS Kubernetes Benchmark complete
[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[8] Standards Mapping - OWASP API 2023 API2 Broken Authentication
[9] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[10] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
desc.structural.objc.authentication_bad_practice_missing_host_check
Abstract
The authentication handling callback for
NSURLConnection or NSURLSession fails to check what host it is sending the credentials to.Explanation
The application implements the
Example 1: The following application sends user credentials to any host asking for authentication:
NSURLConnection or NSURLSession callbacks to handle authentication requests. Forgetting to ensure that the authentication request comes from the expected host would result in credentials being sent to every URL the application loads. In addition, failing to check that the credentials can be sent securely would result in credentials being stolen.Example 1: The following application sends user credentials to any host asking for authentication:
func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge, completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
let user = getUser()
let pass = getPassword()
let credential = URLCredential(user: user, password: pass, persistence: .none)
completionHandler(Foundation.URLSession.AuthChallengeDisposition.useCredential, credential)
}
References
[1] David Thiel iOS Application Security: The Definitive Guide for Hackers and Developers No Starch Press
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 4
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 2
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[6] Standards Mapping - CIS Kubernetes Benchmark complete
[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[8] Standards Mapping - OWASP API 2023 API2 Broken Authentication
[9] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[10] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
desc.structural.swift.authentication_bad_practice_missing_host_check