Reino: Encapsulation

La encapsulación consiste en crear límites fuertes. En un explorador web esto puede suponer la seguridad de que tu codificación móvil no se vea comprometido por otro código móvil. En el servidor puede significar la diferenciación entre los datos validados y los que no lo están, entre los datos de un usuario y los de otro, o entre los diferentes usuarios, los datos que pueden ver y los que no.

Insecure IPC: Missing URL Validation

Objective-C
Swift

Abstract

La aplicación no puede validar la URL de llamada en una llamada de comunicación entre procedimientos (IPC) basada en URL.

Explanation

Cuando una aplicación de terceros o webview usa una URL para comunicarse con su aplicación, la aplicación receptora debe validar la URL que efectúa la llamada antes de realizar más acciones. La aplicación receptora tiene la opción de verificar si desea abrir la URL de llamada mediante los métodos de delegación UIApplicationDelegate application:didFinishLaunchingWithOptions: o UIApplicationDelegate application:willFinishLaunchingWithOptions:.

Ejemplo 1: la siguiente implementación del método de delegación UIApplicationDelegate application:didFinishLaunchingWithOptions: no valida la URL de llamada y siempre procesa la URL que no es de confianza:


    - (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NS Dictionary *)launchOptions {
        return YES;
    }

References

[1] David Thiel iOS Application Security: The Definitive Guide for Hackers and Developers No Starch Press

[2] Standards Mapping - Common Weakness Enumeration CWE ID 501

[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001084, CCI-002754

[4] Standards Mapping - FIPS200 SI

[5] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-3 Security Function Isolation (P1), SI-10 Information Input Validation (P1)

[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-3 Security Function Isolation, SI-10 Information Input Validation

[8] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs

[9] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation

[10] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1

[11] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input

[12] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design

[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1

[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1

[15] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I

[16] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I

[17] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I

[18] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I

[19] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I

[20] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I

[21] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I

[22] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I

[23] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I

[24] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I

[25] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I

[26] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I

[27] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I

[28] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I

[29] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I

[30] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I

[31] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I

[32] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I

[33] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I

[34] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I

[35] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I

[36] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I

[37] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I

[38] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)

desc.structural.objc.insecure_ipc_missing_url_validation

Abstract

La aplicación no puede validar la URL de llamada en una llamada de comunicación entre procedimientos (IPC) basada en URL.

Explanation


    func application(application: UIApplication, didFinishLaunchingWithOptions launchOptions: [NSObject: AnyObject]?) -> Bool {
        return true
    }

References

[1] David Thiel iOS Application Security: The Definitive Guide for Hackers and Developers No Starch Press

[2] UIApplicationDelegate Apple

[3] Standards Mapping - Common Weakness Enumeration CWE ID 501

[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001084, CCI-002754

[5] Standards Mapping - FIPS200 SI

[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-3 Security Function Isolation (P1), SI-10 Information Input Validation (P1)

[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-3 Security Function Isolation, SI-10 Information Input Validation

[9] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs

[10] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation

[11] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1

[12] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input

[13] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design

[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1

[16] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I

[17] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I

[18] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I

[19] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I

[20] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I

[21] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I

[22] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I

[23] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I

[24] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I

[25] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I

[26] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I

[27] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I

[28] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I

[29] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I

[30] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I

[31] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I

[32] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I

[33] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I

[34] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I

[35] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I

[36] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I

[37] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I

[38] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I

[39] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)

desc.structural.swift.insecure_ipc_missing_url_validation