139 elementos encontrados
Debilidades
Abstract
Si se permite que la entrada de usuario modifique directamente los permisos de archivo, un atacante podr铆a acceder a los recursos del sistema protegidos de otra forma.
Explanation
Se producen errores File Permission Manipulation cuando se cumplen algunas de las siguientes condiciones:

1. Un atacante puede especificar una ruta de acceso utilizada en una operaci贸n que modifica los permisos del sistema de archivos.

2. Un atacante puede especificar los permisos asignados por una operaci贸n en el sistema de archivos.

Ejemplo 1: El siguiente c贸digo utiliza la entrada de las variables de entorno del sistema para establecer los permisos de archivo. Si los atacantes pueden modificar las variables de entorno del sistema, pueden utilizar el programa para obtener acceso a los archivos que el programa ha manipulado. Si el programa tambi茅n es vulnerable a Path Manipulation, un atacante puede utilizar esta vulnerabilidad para obtener acceso a archivos arbitrarios del sistema.


permissions := strconv.Atoi(os.Getenv("filePermissions"));
fMode := os.FileMode(permissions)
os.chmod(filePath, fMode);
...
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[2] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[5] Standards Mapping - CIS Google Cloud Computing Platform Benchmark complete
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[7] Standards Mapping - CIS Kubernetes Benchmark complete
[8] Standards Mapping - Common Weakness Enumeration CWE ID 264, CWE ID 732
[9] Standards Mapping - Common Weakness Enumeration Top 25 2019 [15] CWE ID 732
[10] Standards Mapping - Common Weakness Enumeration Top 25 2020 [16] CWE ID 732
[11] Standards Mapping - Common Weakness Enumeration Top 25 2021 [22] CWE ID 732
[12] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-002165
[13] Standards Mapping - FIPS200 AC
[14] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[15] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[16] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[17] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[18] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 4.3.3 Other Access Control Considerations (L2 L3), 7.3.3 Log Protection Requirements (L2 L3)
[20] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[21] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[22] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[34] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 732
[35] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 732
[36] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 732
[37] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[51] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.golang.file_permission_manipulation
Abstract
Si se permite que la entrada de usuario modifique directamente los permisos de archivo, un atacante puede acceder a los recursos del sistema protegidos de otra forma.
Explanation
Se producen errores de File Permission Manipulation cuando se cumplen algunas de las siguientes condiciones:

1. Un atacante puede especificar una ruta de acceso utilizada en una operaci贸n que modifica los permisos del sistema de archivos.

2. Un atacante puede especificar los permisos asignados por una operaci贸n en el sistema de archivos.

Ejemplo 1: el siguiente c贸digo utiliza la entrada desde las propiedades del sistema para establecer la m谩scara de permisos predeterminada. Si los atacantes pueden modificar las propiedades del sistema, pueden utilizar el programa para obtener acceso a los archivos que el programa ha manipulado. Si el programa tambi茅n es vulnerable a la manipulaci贸n de rutas de acceso, un usuario malintencionado puede utilizar esta vulnerabilidad para obtener acceso a archivos arbitrarios del sistema.


String permissionMask = System.getProperty("defaultFileMask");
Path filePath = userFile.toPath();
...
Set<PosixFilePermission> perms = PosixFilePermissions.fromString(permissionMask);
Files.setPosixFilePermissions(filePath, perms);
...
References
[1] FIO01-J. Create files with appropriate access permissions CERT
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[6] Standards Mapping - CIS Google Cloud Computing Platform Benchmark complete
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 264, CWE ID 732
[10] Standards Mapping - Common Weakness Enumeration Top 25 2019 [15] CWE ID 732
[11] Standards Mapping - Common Weakness Enumeration Top 25 2020 [16] CWE ID 732
[12] Standards Mapping - Common Weakness Enumeration Top 25 2021 [22] CWE ID 732
[13] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-002165
[14] Standards Mapping - FIPS200 AC
[15] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[18] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[19] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 4.3.3 Other Access Control Considerations (L2 L3), 7.3.3 Log Protection Requirements (L2 L3)
[21] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[22] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[35] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 732
[36] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 732
[37] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 732
[38] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.java.file_permission_manipulation
Abstract
Si se permite que la entrada de usuario modifique directamente los permisos de archivo, un atacante puede acceder a los recursos del sistema protegidos de otra forma.
Explanation
Se producen errores de manipulaci贸n de permisos de archivo cuando se cumplen algunas de las siguientes condiciones:

1. Un atacante puede especificar una ruta de acceso utilizada en una operaci贸n que modifica los permisos del sistema de archivos.

2. Un atacante puede especificar los permisos asignados por una operaci贸n en el sistema de archivos.

Ejemplo: el siguiente c贸digo se ha dise帽ado para establecer los permisos de archivo adecuados para los usuarios que cargan las p谩ginas web a trav茅s de FTP. Utiliza la entrada de una solicitud HTTP para marcar un archivo como visible para los usuarios externos.


$rName = $_GET['publicReport'];
chmod("/home/". authenticateUser . "/public_html/" . rName,"0755");
...


Sin embargo, si un usuario malintencionado proporciona un valor malicioso para publicReport como, por ejemplo, "../../localuser/public_html/.htpasswd", la aplicaci贸n har谩 que el archivo especificado sea legible para el usuario malintencionado.

Ejemplo 2: el siguiente c贸digo utiliza la entrada desde un archivo de configuraci贸n para establecer la m谩scara de permisos predeterminada. Si los usuarios malintencionados pueden modificar el archivo de configuraci贸n, pueden utilizar el programa para obtener acceso a los archivos que el programa ha manipulado. Si el programa tambi茅n es vulnerable a la manipulaci贸n de rutas de acceso, un usuario malintencionado puede utilizar esta vulnerabilidad para obtener acceso a archivos arbitrarios del sistema.


...
$mask = $CONFIG_TXT['perms'];
chmod($filename,$mask);
...
References
[1] G. Hoglund, G. McGraw Exploiting Software Addison-Wesley
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[6] Standards Mapping - CIS Google Cloud Computing Platform Benchmark complete
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 264, CWE ID 732
[10] Standards Mapping - Common Weakness Enumeration Top 25 2019 [15] CWE ID 732
[11] Standards Mapping - Common Weakness Enumeration Top 25 2020 [16] CWE ID 732
[12] Standards Mapping - Common Weakness Enumeration Top 25 2021 [22] CWE ID 732
[13] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-002165
[14] Standards Mapping - FIPS200 AC
[15] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[18] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[19] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 4.3.3 Other Access Control Considerations (L2 L3), 7.3.3 Log Protection Requirements (L2 L3)
[21] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[22] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[35] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 732
[36] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 732
[37] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 732
[38] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.php.file_permission_manipulation
Abstract
Si se permite que la entrada de usuario modifique directamente los permisos de archivo, un atacante puede acceder a los recursos del sistema protegidos de otra forma.
Explanation
Se producen errores de File Permission Manipulation cuando se cumplen algunas de las siguientes condiciones:

1. Un atacante puede especificar una ruta de acceso utilizada en una operaci贸n que modifica los permisos del sistema de archivos.

2. Un atacante puede especificar los permisos asignados por una operaci贸n en el sistema de archivos.

Ejemplo 1: El siguiente c贸digo utiliza la entrada de las variables de entorno del sistema para establecer los permisos de archivo. Si los atacantes pueden modificar las variables de entorno del sistema, pueden utilizar el programa para obtener acceso a los archivos que el programa ha manipulado. Si el programa tambi茅n es vulnerable a Path Manipulation, un atacante puede utilizar esta vulnerabilidad para obtener acceso a archivos arbitrarios del sistema.


permissions = os.getenv("filePermissions");
os.chmod(filePath, permissions);
...
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[2] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[5] Standards Mapping - CIS Google Cloud Computing Platform Benchmark complete
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[7] Standards Mapping - CIS Kubernetes Benchmark complete
[8] Standards Mapping - Common Weakness Enumeration CWE ID 264, CWE ID 732
[9] Standards Mapping - Common Weakness Enumeration Top 25 2019 [15] CWE ID 732
[10] Standards Mapping - Common Weakness Enumeration Top 25 2020 [16] CWE ID 732
[11] Standards Mapping - Common Weakness Enumeration Top 25 2021 [22] CWE ID 732
[12] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-002165
[13] Standards Mapping - FIPS200 AC
[14] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[15] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[16] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[17] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[18] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 4.3.3 Other Access Control Considerations (L2 L3), 7.3.3 Log Protection Requirements (L2 L3)
[20] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[21] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[22] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[34] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 732
[35] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 732
[36] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 732
[37] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[51] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.python.file_permission_manipulation
Abstract
Si se permite que la entrada de usuario modifique directamente los permisos de archivo, un atacante puede acceder a los recursos del sistema protegidos de otra forma.
Explanation
Se producen errores de manipulaci贸n de permisos de archivo cuando se cumplen algunas de las siguientes condiciones:

1. Un atacante puede especificar una ruta de acceso utilizada en una operaci贸n que modifica los permisos del sistema de archivos.

2. Un atacante puede especificar los permisos asignados por una operaci贸n en el sistema de archivos.

Ejemplo: el siguiente c贸digo se ha dise帽ado para establecer los permisos de archivo adecuados para los usuarios que cargan las p谩ginas web a trav茅s de FTP. Utiliza la entrada de una solicitud HTTP para marcar un archivo como visible para los usuarios externos.


...
rName = req['publicReport']
File.chmod("/home/#{authenticatedUser}/public_html/#{rName}", "0755")
...


Sin embargo, si un usuario malintencionado proporciona un valor malicioso para publicReport como, por ejemplo, "../../localuser/public_html/.htpasswd", la aplicaci贸n har谩 que el archivo especificado sea legible para el usuario malintencionado.

Ejemplo 2: el siguiente c贸digo utiliza la entrada desde un archivo de configuraci贸n para establecer la m谩scara de permisos predeterminada. Si los atacantes pueden modificar el archivo de configuraci贸n, podr铆an utilizar el programa para obtener acceso a los archivos que el programa ha manipulado. Si el programa tambi茅n es vulnerable a la manipulaci贸n de rutas de acceso, un usuario malintencionado puede utilizar esta vulnerabilidad para obtener acceso a archivos arbitrarios del sistema.


...
mask = config_params['perms']
File.chmod(filename, mask)
...
References
[1] G. Hoglund, G. McGraw Exploiting Software Addison-Wesley
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[6] Standards Mapping - CIS Google Cloud Computing Platform Benchmark complete
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 264, CWE ID 732
[10] Standards Mapping - Common Weakness Enumeration Top 25 2019 [15] CWE ID 732
[11] Standards Mapping - Common Weakness Enumeration Top 25 2020 [16] CWE ID 732
[12] Standards Mapping - Common Weakness Enumeration Top 25 2021 [22] CWE ID 732
[13] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-002165
[14] Standards Mapping - FIPS200 AC
[15] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[18] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[19] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 4.3.3 Other Access Control Considerations (L2 L3), 7.3.3 Log Protection Requirements (L2 L3)
[21] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[22] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[35] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 732
[36] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 732
[37] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 732
[38] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.ruby.file_permission_manipulation
Abstract
La informaci贸n de depuraci贸n ayuda a los atacantes a conocer el sistema y planificar una forma de ataque.
Explanation
Si est谩 utilizando Blaze DS para llevar a cabo el registro de eventos inesperados, el archivo del descriptor services-config.xml especifica un elemento XML "Logging" (Registro) para describir los diferentes aspectos del registro. Tiene un formato similar al siguiente:

Ejemplo:

<logging>
<target class="flex.messaging.log.ConsoleTarget" level="Debug">
<properties>
<prefix>[BlazeDS]</prefix>
<includeDate>false</includeDate>
<includeTime>false</includeTime>
<includeLevel>false</includeLevel>
<includeCategory>false</includeCategory>
</properties>
<filters>
<pattern>Endpoint.*</pattern>
<pattern>Service.*</pattern>
<pattern>Configuration</pattern>
</filters>
</target>
</logging>


Esta etiqueta target toma un atributo opcional que se llama level, el cual indica el nivel de registro. Si el nivel de depuraci贸n se establece en un nivel demasiado detallado, su aplicaci贸n puede escribir datos confidenciales en el archivo de registro.
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[5] Standards Mapping - CIS Kubernetes Benchmark complete
[6] Standards Mapping - Common Weakness Enumeration CWE ID 11
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-002420, CCI-003272
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 SA-15 Development Process and Standards and Tools (P2), SC-8 Transmission Confidentiality and Integrity (P1), SI-11 Error Handling (P2)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 SA-15 Development Process and Standards and Tools, SC-8 Transmission Confidentiality and Integrity, SI-11 Error Handling
[12] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[13] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[14] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[17] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[18] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 14.1.3 Build (L2 L3)
[20] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3120 CAT II, APP3620 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3120 CAT II, APP3620 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3120 CAT II, APP3620 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3120 CAT II, APP3620 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3120 CAT II, APP3620 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3120 CAT II, APP3620 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3120 CAT II, APP3620 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[53] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[54] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.config.java.flex_misconfiguration_debug_information
Abstract
Si se incluye un script de otro dominio, la seguridad de esta p谩gina web depender谩 de la seguridad del otro dominio.
Explanation
Incluir contenido ejecutable de otro sitio web es una proposici贸n arriesgada. Vincula la seguridad de nuestro sitio con la seguridad del otro sitio.

Ejemplo: Observe la siguiente etiqueta script.

<script src="http://www.example.com/js/fancyWidget.js"></script>


Si esta etiqueta aparece en otro sitio web distinto de www.example.com, este sitio depender谩 de www.example.com para suministrar c贸digo v谩lido y malintencionado. Si los atacantes consiguen comprometer www.example.com, podr谩n alterar el contenido de fancyWidget.js para trastornar la seguridad del sitio. Podr铆an, por ejemplo, a帽adir c贸digo a fancyWidget.js para robar los datos confidenciales de un usuario.
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 2
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[5] Standards Mapping - CIS Kubernetes Benchmark partial
[6] Standards Mapping - Common Weakness Enumeration CWE ID 494, CWE ID 829
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[8] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.2 Configuration Architectural Requirements (L2 L3), 5.3.9 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3), 12.3.3 File Execution Requirements (L1 L2 L3), 12.3.6 File Execution Requirements (L2 L3), 14.2.3 Dependency (L1 L2 L3), 14.2.4 Dependency (L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[13] Standards Mapping - OWASP Mobile 2024 M7 Insufficient Binary Protections
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-PLATFORM-2
[15] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 094
[16] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003300 CAT II
[30] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Process Validation (WASC-40)
[31] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Process Validation
desc.content.html.hardcoded_domain
Abstract
La aplicaci贸n permite la instalaci贸n de extensiones de teclado de terceros.
Explanation
Se permite que las extensiones de teclado lean cada tecla que pulsa el usuario. Por lo general, los teclados de terceros se usan para facilitar la introducci贸n de texto o para agregar emojis adicionales y pueden registrar lo que el usuario pulsa o incluso enviarlo a un servidor remoto para su procesamiento. Los teclados malintencionados tambi茅n pueden distribuirse para actuar como un registrador de pulsaciones de teclas y leer todas las teclas pulsadas por el usuario para robar datos confidenciales como credenciales o n煤meros de tarjetas de cr茅dito.
References
[1] David Thiel iOS Application Security: The Definitive Guide for Hackers and Developers No Starch Press
[2] UIApplicationDelegate Apple
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.0
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[7] Standards Mapping - Common Weakness Enumeration CWE ID 522, CWE ID 829
[8] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[9] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [18] CWE ID 522
[10] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [21] CWE ID 522
[11] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[12] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[13] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.3 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 5.3.9 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3), 12.3.6 File Execution Requirements (L2 L3), 14.2.4 Dependency (L2 L3)
[15] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-3
desc.structural.objc.input_interception_keyboard_extensions_allowed
Abstract
La aplicaci贸n permite la instalaci贸n de extensiones de teclado de terceros.
Explanation
Se permite que las extensiones de teclado lean cada tecla que pulsa el usuario. Por lo general, los teclados de terceros se usan para facilitar la introducci贸n de texto o para agregar emojis adicionales y pueden registrar lo que el usuario pulsa o incluso enviarlo a un servidor remoto para su procesamiento. Los teclados malintencionados tambi茅n pueden distribuirse para actuar como un registrador de pulsaciones de teclas y leer todas las teclas pulsadas por el usuario para robar datos confidenciales como credenciales o n煤meros de tarjetas de cr茅dito.
References
[1] UIApplicationDelegate Apple
[2] David Thiel iOS Application Security: The Definitive Guide for Hackers and Developers No Starch Press
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.0
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[7] Standards Mapping - Common Weakness Enumeration CWE ID 522, CWE ID 829
[8] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[9] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [18] CWE ID 522
[10] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [21] CWE ID 522
[11] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[12] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[13] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.3 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 5.3.9 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3), 12.3.6 File Execution Requirements (L2 L3), 14.2.4 Dependency (L2 L3)
[15] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-3
desc.structural.swift.input_interception_keyboard_extensions_allowed
Abstract
El programa utiliza el servicio de copia de seguridad de Android para guardar datos de aplicaciones persistentes en un almacenamiento en la nube remoto.
Explanation
El servicio de copia de seguridad de Android permite que la aplicaci贸n guarde los datos persistentes en un almacenamiento en la nube remoto para proporcionar un punto de restauraci贸n para los datos de la aplicaci贸n en el futuro.

Para configurar las aplicaciones para Android con este servicio de copia de seguridad, establezca el atributo allowBackup en true (el valor predeterminado) y defina el atributo backupAgent en la etiqueta <application>.

Sin embargo, Android no garantiza la seguridad de sus datos mientras utiliza la copia de seguridad, ya que el almacenamiento y el transporte en la nube var铆an de un dispositivo a otro.
References
[1] JavaDoc for Android Android
[2] Android Developers API Guide: Data Backup Android
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark partial
[8] Standards Mapping - Common Weakness Enumeration CWE ID 312, CWE ID 359, CWE ID 921
[9] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[10] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[11] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[12] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002475
[13] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[14] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[15] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest
[16] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[17] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[18] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.1.1 Data Classification (L2 L3), 6.1.2 Data Classification (L2 L3), 6.1.3 Data Classification (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.2.2 Client-side Data Protection (L1 L2 L3), 8.1.6 General Data Protection (L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 10.2.1 Malicious Code Search (L2 L3)
[22] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[23] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[24] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 8.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.6, Requirement 8.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.3.1, Requirement 3.5.1, Requirement 4.2.2, Requirement 6.2.4, Requirement 8.3.1
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002340 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002340 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002340 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002340 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002340 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002340 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002340 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002340 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002340 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002340 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002340 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002340 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002340 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002340 CAT II
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[58] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.config.java.insecure_storage_android_backup_storage
Abstract
El programa escribe datos en el almacenamiento externo del dispositivo Android.
Explanation
Los datos guardados en el almacenamiento externo permiten un acceso de lectura general y solo los puede modificar el usuario cuando se habilite el almacenamiento masivo USB para transferir archivos en un equipo. Adem谩s, los archivos de la tarjeta de almacenamiento masivo permanecer谩n en esa ubicaci贸n, aunque se desinstale la aplicaci贸n que escribi贸 estos. Estas limitaciones pueden poner en peligro la informaci贸n confidencial escrita en el almacenamiento y permitir a los usuarios malintencionados introducir datos en el programa modificando un archivo externo que utilice.

Ejemplo 1: en el c贸digo siguiente, Environment.getExternalStorageDirectory() devuelve una referencia al almacenamiento externo del dispositivo Android.

 private void WriteToFile(String what_to_write) {
try{
File root = Environment.getExternalStorageDirectory();
if(root.canWrite()) {
File dir = new File(root + "write_to_the_SDcard");
File datafile = new File(dir, number + ".extension");
FileWriter datawriter = new FileWriter(datafile);
BufferedWriter out = new BufferedWriter(datawriter);
out.write(what_to_write);
out.close();
}
}
}
References
[1] Data Storage
[2] Paul McNamara Latest 'lost' laptop holds treasure-trove of unencrypted ATT payroll data Network World
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark partial
[8] Standards Mapping - Common Weakness Enumeration CWE ID 276, CWE ID 313, CWE ID 359, CWE ID 921
[9] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[10] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[11] Standards Mapping - Common Weakness Enumeration Top 25 2021 [19] CWE ID 276, [20] CWE ID 200
[12] Standards Mapping - Common Weakness Enumeration Top 25 2022 [20] CWE ID 276
[13] Standards Mapping - Common Weakness Enumeration Top 25 2023 [25] CWE ID 276
[14] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002475
[15] Standards Mapping - FIPS200 MP
[16] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[17] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[18] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest
[19] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[22] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.1.1 Data Classification (L2 L3), 6.1.2 Data Classification (L2 L3), 6.1.3 Data Classification (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3), 8.2.2 Client-side Data Protection (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 10.2.1 Malicious Code Search (L2 L3)
[23] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[24] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[25] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[34] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002340 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002340 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002340 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002340 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002340 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002340 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002340 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002340 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002340 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002340 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002340 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002340 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002340 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002340 CAT II
[48] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.semantic.java.insecure_storage_android_external_storage
Abstract
La aplicaci贸n facilita el acceso a los datos a todas las aplicaciones del dispositivo Android.
Explanation
Los datos guardados en el almacenamiento interno de Android mediante MODE_WORLD_READBLE o MODE_WORLD_WRITEABLE est谩n accesibles para todas las aplicaciones en el dispositivo. Esto no solo impide la protecci贸n frente al da帽o de datos, pero en el caso de informaci贸n confidencial, infringe la privacidad del usuario y plantea riesgos de seguridad.
References
[1] Designing for Security Android
[2] S. Fahl, M. Harbach, T. Muders, M. Smith, L. Baumgartner, B. Friesleben Why Eve and Mallory Love Android:An Analysis of Android SSL (In)Security
[3] OWASP Mobile Security Testing Guide OWASP
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[8] Standards Mapping - CIS Kubernetes Benchmark partial
[9] Standards Mapping - Common Weakness Enumeration CWE ID 276, CWE ID 313, CWE ID 359, CWE ID 921
[10] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[11] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[12] Standards Mapping - Common Weakness Enumeration Top 25 2021 [19] CWE ID 276, [20] CWE ID 200
[13] Standards Mapping - Common Weakness Enumeration Top 25 2022 [20] CWE ID 276
[14] Standards Mapping - Common Weakness Enumeration Top 25 2023 [25] CWE ID 276
[15] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002475
[16] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[17] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[18] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest
[19] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[20] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[21] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[23] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[24] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.1.1 Data Classification (L2 L3), 6.1.2 Data Classification (L2 L3), 6.1.3 Data Classification (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3), 8.2.2 Client-side Data Protection (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 10.2.1 Malicious Code Search (L2 L3)
[25] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[26] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[27] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 8.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.6, Requirement 8.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.3.1, Requirement 3.5.1, Requirement 4.2.2, Requirement 6.2.4, Requirement 8.3.1
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection
[39] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002340 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002340 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002340 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002340 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002340 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002340 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002340 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002340 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002340 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002340 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002340 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002340 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002340 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002340 CAT II
[60] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[61] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.structural.java.insecure_storage_android_world_readable_or_writeable
Abstract
El m茅todo identificado almacena los datos en las llaves con un nivel de accesibilidad que permite que se haga una copia de seguridad del elemento en iCloud y copias de seguridad de iTunes sin cifrar.
Explanation
Cuando se almacenan los datos en las llaves, es necesario configurar un nivel de accesibilidad que defina cu谩ndo ser谩 posible acceder al elemento. Los niveles de accesibilidad posibles incluyen los siguientes:

-kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly:
No es posible acceder a los datos del elemento de las llaves despu茅s de un reinicio a menos que el usuario haya desbloqueado una vez el dispositivo.
Tras el primer desbloqueo, los datos permanecen accesibles hasta el pr贸ximo reinicio. Esta opci贸n se recomienda para los elementos a los que deben tener acceso las aplicaciones en segundo plano. Los elementos con este atributo no migran a un dispositivo nuevo. Por lo tanto, al realizar una restauraci贸n con una copia de seguridad de otro dispositivo, estos elementos no estar谩n presentes.
Disponible en iOS 4.0 y posteriores.

-kSecAttrAccessibleAlways:
Siempre se puede acceder a los datos del elemento de las llaves, independientemente de si el dispositivo est谩 bloqueado.
No se recomienda usar esta opci贸n con aplicaciones. Los elementos con este atributo migran a un dispositivo nuevo cuando se usan copias de seguridad cifradas.
Disponible en iOS 4.0 y posteriores.

-kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly:
Solo se puede acceder a los datos de las llaves cuando el dispositivo est谩 desbloqueado. Solo est谩 disponible si se configura un c贸digo de acceso en el dispositivo.
Esta opci贸n se recomienda para los elementos a los que solo es necesario tener acceso mientras la aplicaci贸n est谩 en primer plano. Los elementos con este atributo nunca migran a un dispositivo nuevo. Tras restaurar una copia de seguridad en un dispositivo nuevo, no se encuentran estos elementos. Ning煤n elemento puede almacenarse en esta clase en los dispositivos sin un c贸digo de acceso. Si se deshabilita el c贸digo de acceso del dispositivo, se eliminan todos los elementos de esta clase.
Disponible en iOS 8.0 y posteriores.

-kSecAttrAccessibleAlwaysThisDeviceOnly:
Siempre se puede acceder a los datos del elemento de las llaves, independientemente de si el dispositivo est谩 bloqueado.
No se recomienda usar esta opci贸n con aplicaciones. Los elementos con este atributo no migran a un dispositivo nuevo. Por lo tanto, al realizar una restauraci贸n con una copia de seguridad de otro dispositivo, estos elementos no estar谩n presentes.
Disponible en iOS 4.0 y posteriores.

-kSecAttrAccessibleWhenUnlocked:
Solo se puede acceder a los datos del elemento de las llaves mientras el dispositivo est谩 desbloqueado por el usuario.
Esta opci贸n se recomienda para los elementos a los que solo es necesario acceder mientras la aplicaci贸n est谩 en primer plano. Los elementos con este atributo migran a un dispositivo nuevo cuando se usan copias de seguridad cifradas.
Este es el valor predeterminado para los elementos de las llaves que se agregan sin configurar de forma expl铆cita una constante de accesibilidad.
Disponible en iOS 4.0 y posteriores.

-kSecAttrAccessibleWhenUnlockedThisDeviceOnly:
Solo se puede acceder a los datos del elemento de las llaves mientras el dispositivo est谩 desbloqueado por el usuario.
Esta opci贸n se recomienda para los elementos a los que solo es necesario acceder mientras la aplicaci贸n est谩 en primer plano. Los elementos con este atributo no migran a un dispositivo nuevo. Por lo tanto, al realizar una restauraci贸n con una copia de seguridad de otro dispositivo, estos elementos no estar谩n presentes.
Disponible en iOS 4.0 y posteriores.

A los niveles de accesibilidad que no contienen ThisDeviceOnly se les har谩 una copia de seguridad en iCloud y en iTunes incluso si se usan copias de seguridad sin cifrar que pueden restaurarse en cualquier dispositivo. Seg煤n el nivel de confidencialidad y privacidad de los datos almacenados, esto puede suponer un problema de privacidad.

Ejemplo 1: en el siguiente ejemplo, el elemento de las llaves est谩 protegido en todo momento, excepto cuando el dispositivo est谩 encendido y desbloqueado, pero se har谩 una copia de seguridad del elemento de las llaves en iCloud y en copias de seguridad de iTunes sin cifrar:


...
NSMutableDictionary *dict = [NSMutableDictionary dictionary];
NSData *token = [@"secret" dataUsingEncoding:NSUTF8StringEncoding];

// Configure KeyChain Item
[dict setObject:(__bridge id)kSecClassGenericPassword forKey:(__bridge id) kSecClass];
[dict setObject:token forKey:(__bridge id)kSecValueData];
...
[dict setObject:(__bridge id)kSecAttrAccessibleWhenUnlocked forKey:(__bridge id) kSecAttrAccessible];

OSStatus error = SecItemAdd((__bridge CFDictionaryRef)dict, NULL);
...
References
[1] Keychain Services Apple
[2] Keychain Item Accessibility Constants Apple
[3] David Thiel iOS Application Security: The Definitive Guide for Hackers and Developers No Starch Press
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 4.0
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[8] Standards Mapping - Common Weakness Enumeration CWE ID 312, CWE ID 359
[9] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[10] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[11] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[12] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002475
[13] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[14] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[15] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest
[16] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[17] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[18] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.1.1 Data Classification (L2 L3), 6.1.2 Data Classification (L2 L3), 6.1.3 Data Classification (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3), 8.2.2 Client-side Data Protection (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 10.2.1 Malicious Code Search (L2 L3)
[22] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[23] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[24] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 8.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.6, Requirement 8.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.3.1, Requirement 3.5.1, Requirement 4.2.2, Requirement 6.2.4, Requirement 8.3.1
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection, Control Objective B.2.5 - Terminal Software Design
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection, Control Objective B.2.5 - Terminal Software Design
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002340 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002340 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002340 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002340 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002340 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002340 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002340 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002340 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002340 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002340 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002340 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002340 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002340 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002340 CAT II
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[58] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.objc.insecure_storage_externally_available_keychain
Abstract
El m茅todo identificado almacena los datos en las llaves con un nivel de accesibilidad que permite que se haga una copia de seguridad del elemento en iCloud y copias de seguridad de iTunes sin cifrar.
Explanation
Cuando se almacenan los datos en las llaves, es necesario configurar un nivel de accesibilidad que defina cu谩ndo ser谩 posible acceder al elemento. Los niveles de accesibilidad posibles incluyen los siguientes:

-kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly:
No es posible acceder a los datos del elemento de las llaves despu茅s de un reinicio a menos que el usuario haya desbloqueado una vez el dispositivo.
Tras el primer desbloqueo, los datos permanecen accesibles hasta el pr贸ximo reinicio. Esta opci贸n se recomienda para los elementos a los que deben tener acceso las aplicaciones en segundo plano. Los elementos con este atributo no migran a un dispositivo nuevo. Por lo tanto, al realizar una restauraci贸n con una copia de seguridad de otro dispositivo, estos elementos no estar谩n presentes.
Disponible en iOS 4.0 y posteriores.

-kSecAttrAccessibleAlways:
Siempre se puede acceder a los datos del elemento de las llaves, independientemente de si el dispositivo est谩 bloqueado.
No se recomienda usar esta opci贸n con aplicaciones. Los elementos con este atributo migran a un dispositivo nuevo cuando se usan copias de seguridad cifradas.
Disponible en iOS 4.0 y posteriores.

-kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly:
Solo se puede acceder a los datos de las llaves cuando el dispositivo est谩 desbloqueado. Solo est谩 disponible si se configura un c贸digo de acceso en el dispositivo.
Esta opci贸n se recomienda para los elementos a los que solo es necesario tener acceso mientras la aplicaci贸n est谩 en primer plano. Los elementos con este atributo nunca migran a un dispositivo nuevo. Tras restaurar una copia de seguridad en un dispositivo nuevo, no se encuentran estos elementos. Ning煤n elemento puede almacenarse en esta clase en los dispositivos sin un c贸digo de acceso. Si se deshabilita el c贸digo de acceso del dispositivo, se eliminan todos los elementos de esta clase.
Disponible en iOS 8.0 y posteriores.

-kSecAttrAccessibleAlwaysThisDeviceOnly:
Siempre se puede acceder a los datos del elemento de las llaves, independientemente de si el dispositivo est谩 bloqueado.
No se recomienda usar esta opci贸n con aplicaciones. Los elementos con este atributo no migran a un dispositivo nuevo. Por lo tanto, al realizar una restauraci贸n con una copia de seguridad de otro dispositivo, estos elementos no estar谩n presentes.
Disponible en iOS 4.0 y posteriores.

-kSecAttrAccessibleWhenUnlocked:
Solo se puede acceder a los datos del elemento de las llaves mientras el dispositivo est谩 desbloqueado por el usuario.
Esta opci贸n se recomienda para los elementos a los que solo es necesario acceder mientras la aplicaci贸n est谩 en primer plano. Los elementos con este atributo migran a un dispositivo nuevo cuando se usan copias de seguridad cifradas.
Este es el valor predeterminado para los elementos de las llaves que se agregan sin configurar de forma expl铆cita una constante de accesibilidad.
Disponible en iOS 4.0 y posteriores.

-kSecAttrAccessibleWhenUnlockedThisDeviceOnly:
Solo se puede acceder a los datos del elemento de las llaves mientras el dispositivo est谩 desbloqueado por el usuario.
Esta opci贸n se recomienda para los elementos a los que solo es necesario acceder mientras la aplicaci贸n est谩 en primer plano. Los elementos con este atributo no migran a un dispositivo nuevo. Por lo tanto, al realizar una restauraci贸n con una copia de seguridad de otro dispositivo, estos elementos no estar谩n presentes.
Disponible en iOS 4.0 y posteriores.

A los niveles de accesibilidad que no contienen ThisDeviceOnly se les har谩 una copia de seguridad en iCloud y en iTunes incluso si se usan copias de seguridad sin cifrar que pueden restaurarse en cualquier dispositivo. Seg煤n el nivel de confidencialidad y privacidad de los datos almacenados, esto puede suponer un problema de privacidad.

Ejemplo 1: en el siguiente ejemplo, el elemento de las llaves est谩 protegido en todo momento, excepto cuando el dispositivo est谩 encendido y desbloqueado, pero se har谩 una copia de seguridad del elemento de las llaves en iCloud y en copias de seguridad de iTunes sin cifrar:


...
// Configure KeyChain Item
let token = "secret"
var query = [String : AnyObject]()
query[kSecClass as String] = kSecClassGenericPassword
query[kSecValueData as String] = token as AnyObject?
...
query[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlocked

SecItemAdd(query as CFDictionary, nil)
...
References
[1] Keychain Services Apple
[2] Keychain Item Accessibility Constants Apple
[3] David Thiel iOS Application Security: The Definitive Guide for Hackers and Developers No Starch Press
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 4.0
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[8] Standards Mapping - Common Weakness Enumeration CWE ID 312, CWE ID 359
[9] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[10] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[11] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[12] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002475
[13] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[14] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[15] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest
[16] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[17] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[18] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.1.1 Data Classification (L2 L3), 6.1.2 Data Classification (L2 L3), 6.1.3 Data Classification (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3), 8.2.2 Client-side Data Protection (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 10.2.1 Malicious Code Search (L2 L3)
[22] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[23] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[24] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 8.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.6, Requirement 8.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.3.1, Requirement 3.5.1, Requirement 4.2.2, Requirement 6.2.4, Requirement 8.3.1
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection, Control Objective B.2.5 - Terminal Software Design
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection, Control Objective B.2.5 - Terminal Software Design
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002340 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002340 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002340 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002340 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002340 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002340 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002340 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002340 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002340 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002340 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002340 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002340 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002340 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002340 CAT II
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[58] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.swift.insecure_storage_externally_available_keychain
Abstract
El m茅todo identificado configura la cach茅 de respuestas HTTP(S) en una ubicaci贸n de almacenamiento compartido no seguro.
Explanation
Las respuestas de HTTP(S) pueden contener datos confidenciales, como cookies de sesi贸n y tokens de API. El sistema de carga de URL guardar谩 en la cach茅 todas las respuestas de HTTP(S) por razones de rendimiento, y las almacenar谩 sin cifrar en una ubicaci贸n de almacenamiento compartido no seguro.

Ejemplo 1: El c贸digo siguiente instala la cach茅 de respuestas HTTP(S) en una ubicaci贸n de almacenamiento compartido no seguro:


protected void onCreate(Bundle savedInstanceState) {
...

try {
File httpCacheDir = new File(context.getExternalCacheDir(), "http");
long httpCacheSize = 10 * 1024 * 1024; // 10 MiB
HttpResponseCache.install(httpCacheDir, httpCacheSize);
} catch (IOException e) {
Log.i(TAG, "HTTP response cache installation failed:" + e);
}
}

protected void onStop() {
...

HttpResponseCache cache = HttpResponseCache.getInstalled();
if (cache != null) {
cache.flush();
}
}
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - Common Weakness Enumeration CWE ID 311, CWE ID 312, CWE ID 313, CWE ID 522
[6] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [18] CWE ID 522
[8] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [21] CWE ID 522
[9] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[10] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[12] Standards Mapping - FIPS200 MP
[13] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[14] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-28 Protection of Information at Rest (P1)
[15] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-28 Protection of Information at Rest
[16] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[17] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[22] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.3 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.1.1 Data Classification (L2 L3), 6.1.2 Data Classification (L2 L3), 6.1.3 Data Classification (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3), 8.2.2 Client-side Data Protection (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[23] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[24] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[25] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[34] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[35] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.dataflow.java.insecure_storage_http_response_cache_leak
Abstract
El m茅todo identificado realiza una solicitud de URL sin configurar el sistema de carga de URL para evitar el almacenamiento en cach茅 de las respuestas de HTTP(S).
Explanation
Las respuestas de HTTP(S) pueden contener datos confidenciales, como cookies de sesi贸n y tokens de API. El sistema de carga de URL guardar谩 en la cach茅 todas las respuestas de HTTP(S) por razones de rendimiento, y las almacenar谩 sin cifrar en los archivos {app ID}/Library/Caches/com.mycompany.myapp/Cache.db*.
References
[1] David Thiel iOS Application Security: The Definitive Guide for Hackers and Developers No Starch Press
[2] URLCache Apple
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[7] Standards Mapping - Common Weakness Enumeration CWE ID 311, CWE ID 312, CWE ID 313, CWE ID 522
[8] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[9] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [18] CWE ID 522
[10] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [21] CWE ID 522
[11] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[12] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[13] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[14] Standards Mapping - FIPS200 MP
[15] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-28 Protection of Information at Rest (P1)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-28 Protection of Information at Rest
[18] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[19] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[21] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[23] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[24] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.3 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.1.1 Data Classification (L2 L3), 6.1.2 Data Classification (L2 L3), 6.1.3 Data Classification (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3), 8.2.2 Client-side Data Protection (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[25] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[26] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[27] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[36] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[37] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[59] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.dataflow.objc.insecure_storage_http_response_cache_leak
Abstract
El m茅todo identificado realiza una solicitud de URL sin configurar el sistema de carga de URL para evitar el almacenamiento en cach茅 de las respuestas de HTTP(S).
Explanation
Las respuestas de HTTP(S) pueden contener datos confidenciales, como cookies de sesi贸n y tokens de API. El sistema de carga de URL guardar谩 en la cach茅 todas las respuestas de HTTP(S) por razones de rendimiento, y las almacenar谩 sin cifrar en los archivos {app ID}/Library/Caches/com.mycompany.myapp/Cache.db*.
References
[1] David Thiel iOS Application Security: The Definitive Guide for Hackers and Developers No Starch Press
[2] URLCache Apple
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[7] Standards Mapping - Common Weakness Enumeration CWE ID 311, CWE ID 312, CWE ID 313, CWE ID 522
[8] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[9] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [18] CWE ID 522
[10] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [21] CWE ID 522
[11] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[12] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[13] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[14] Standards Mapping - FIPS200 MP
[15] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-28 Protection of Information at Rest (P1)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-28 Protection of Information at Rest
[18] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[19] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[21] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[23] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[24] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.3 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.1.1 Data Classification (L2 L3), 6.1.2 Data Classification (L2 L3), 6.1.3 Data Classification (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3), 8.2.2 Client-side Data Protection (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[25] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[26] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[27] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[36] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[37] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[59] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.dataflow.swift.insecure_storage_http_response_cache_leak
Abstract
La aplicaci贸n intenta deshabilitar la cach茅 de HTTP(S) configurando la capacidad de la cach茅 del disco o la memoria en 0. Sin embargo, no hay ninguna garant铆a de que esta configuraci贸n se aplique.
Explanation
Las respuestas de HTTP(S) pueden contener datos confidenciales, como cookies de sesi贸n y tokens de API. El sistema de carga de URL guardar谩 en la cach茅 todas las respuestas de HTTP(S) por razones de rendimiento, y las almacenar谩 sin cifrar en los archivos {app ID}/Library/Caches/com.mycompany.myapp/Cache.db*.
Los desarrolladores pueden pensar que, al configurar las propiedades diskCapacity o memoryCapacity de la clase URLCache en 0, deshabilitan realmente el sistema de cach茅 de respuesta de HTTP(S). Sin embargo, la documentaci贸n de NSURLCache indica que tanto la cach茅 del disco como la de la memoria se truncar谩n en los tama帽os configurados 煤nicamente si al dispositivo le queda poca memoria o poco espacio en disco. Ambas configuraciones est谩n dise帽adas para que el sistema libere recursos del sistema y mejore el rendimiento, no como un control de seguridad.
References
[1] David Thiel iOS Application Security: The Definitive Guide for Hackers and Developers No Starch Press
[2] URLCache Apple
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[7] Standards Mapping - Common Weakness Enumeration CWE ID 311, CWE ID 312, CWE ID 313, CWE ID 522
[8] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[9] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [18] CWE ID 522
[10] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [21] CWE ID 522
[11] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[12] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[13] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[14] Standards Mapping - FIPS200 MP
[15] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-28 Protection of Information at Rest (P1)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-28 Protection of Information at Rest
[18] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[19] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[21] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[23] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[24] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.3 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.1.1 Data Classification (L2 L3), 6.1.2 Data Classification (L2 L3), 6.1.3 Data Classification (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3), 8.2.2 Client-side Data Protection (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[25] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[26] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[27] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[36] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[37] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[59] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.semantic.objc.insecure_storage_insufficient_cache_leak_protection
Abstract
La aplicaci贸n intenta deshabilitar la cach茅 de HTTP(S) configurando la capacidad de la cach茅 del disco o la memoria en 0. Sin embargo, no hay ninguna garant铆a de que esta configuraci贸n se aplique.
Explanation
Las respuestas de HTTP(S) pueden contener datos confidenciales, como cookies de sesi贸n y tokens de API. El sistema de carga de URL guardar谩 en la cach茅 todas las respuestas de HTTP(S) por razones de rendimiento, y las almacenar谩 sin cifrar en los archivos {app ID}/Library/Caches/com.mycompany.myapp/Cache.db*.
Los desarrolladores pueden pensar que, al configurar las propiedades diskCapacity o memoryCapacity de la clase URLCache en 0, deshabilitan realmente el sistema de cach茅 de respuesta de HTTP(S). Sin embargo, la documentaci贸n de NSURLCache indica que tanto la cach茅 del disco como la de la memoria se truncar谩n en los tama帽os configurados 煤nicamente si al dispositivo le queda poca memoria o poco espacio en disco. Ambas configuraciones est谩n dise帽adas para que el sistema libere recursos del sistema y mejore el rendimiento, no como un control de seguridad.
References
[1] David Thiel iOS Application Security: The Definitive Guide for Hackers and Developers No Starch Press
[2] URLCache Apple
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[7] Standards Mapping - Common Weakness Enumeration CWE ID 311, CWE ID 312, CWE ID 313, CWE ID 522
[8] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[9] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [18] CWE ID 522
[10] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [21] CWE ID 522
[11] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[12] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[13] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[14] Standards Mapping - FIPS200 MP
[15] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-28 Protection of Information at Rest (P1)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-28 Protection of Information at Rest
[18] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[19] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[21] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[23] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[24] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.3 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.1.1 Data Classification (L2 L3), 6.1.2 Data Classification (L2 L3), 6.1.3 Data Classification (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3), 8.2.2 Client-side Data Protection (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[25] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[26] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[27] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[36] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[37] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[59] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.semantic.swift.insecure_storage_insufficient_cache_leak_protection
Abstract
El m茅todo identificado escribe datos en un archivo con una configuraci贸n de cifrado que probablemente no es suficiente.
Explanation
La API de protecci贸n de datos est谩 dise帽ada para permitir que las aplicaciones declaren cu谩ndo deben ser accesibles los elementos de llaves y los archivos almacenados en el sistema de archivos. Est谩 disponible para la mayor铆a de API de archivo y base de datos, como NSFileManager, CoreData, NSData y SQLite. Al especificar una de las cuatro clases de protecci贸n para un determinado recurso, un desarrollador puede indicar al sistema de archivos subyacente que la cifre mediante una clave derivada del UID del dispositivo y del c贸digo de acceso del usuario, o mediante una clave basada exclusivamente en el UID del dispositivo. Tambi茅n debe indicar cu谩ndo debe descifrarla autom谩ticamente.

Las clases de protecci贸n de datos se definen para NSFileManager como constantes que deben asignarse como el valor de la clave NSFileProtectionKey en un NSDictionary asociado a la instancia de NSFileManager, y se pueden crear archivos o modificar su clase de protecci贸n de datos mediante el uso de funciones NSFileManager como setAttributes:ofItemAtPath:error:, attributesOfItemAtPath:error: y createFileAtPath:contents:attributes:. Adem谩s, las constantes de protecci贸n de datos correspondientes se definen para objetos NSData como NSDataWritingOptions que pueden pasarse como el argumento options a las funciones NSDatawriteToURL:options:error: y writeToFile:options:error:. Las definiciones de las diversas constantes de clases de protecci贸n de datos para NSFileManager y NSData son las siguientes:

-NSFileProtectionComplete, NSDataWritingFileProtectionComplete:
El recurso se almacena en un formato cifrado en el disco y no puede leerse ni escribirse mientras el dispositivo est谩 bloqueado o arrancando.
Disponible en iOS 4.0 y posteriores.
-NSFileProtectionCompleteUnlessOpen, NSDataWritingFileProtectionCompleteUnlessOpen:
El recurso se almacena en un formato cifrado en el disco. Pueden crearse recursos mientras el dispositivo est谩 bloqueado pero, cuando se cierra, ya no puede abrirse de nuevo hasta que el dispositivo est茅 desbloqueado. Si se abre el recurso mientras est谩 desbloqueado, puede seguir teniendo acceso al recurso con normalidad incluso si el usuario bloquea el dispositivo.
Disponible en iOS 5.0 y posteriores.
-NSFileProtectionCompleteUntilFirstUserAuthentication, NSDataWritingFileProtectionCompleteUntilFirstUserAuthentication:
El recurso se almacena en un formato cifrado en el disco y no se puede tener acceso a 茅l hasta que el dispositivo haya arrancado. La primera vez que el usuario desbloquea el dispositivo, la aplicaci贸n puede acceder al recurso y seguir teniendo acceso a 茅l incluso si el usuario bloquea el dispositivo posteriormente.
Disponible en iOS 5.0 y posteriores.
-NSFileProtectionNone, NSDataWritingFileProtectionNone:
El recurso no tiene asociada ninguna protecci贸n especial. Se puede leer y escribir en 茅l en cualquier momento.
Disponible en iOS 4.0 y posteriores.

De ese modo, si bien al marcar un archivo con NSFileProtectionCompleteUnlessOpen o NSFileProtectionCompleteUntilFirstUserAuthentication, se podr谩 cifrar con una clave derivada del c贸digo de acceso del usuario y del UID del dispositivo, los datos seguir谩n siendo accesibles en determinadas circunstancias. Por lo tanto, deben revisarse con atenci贸n los usos de NSFileProtectionCompleteUnlessOpen o NSFileProtectionCompleteUntilFirstUserAuthentication para determinar si se necesita mayor protecci贸n con NSFileProtectionComplete.

Ejemplo 1: en el siguiente ejemplo, el archivo solo est谩 protegido hasta que el usuario enciende el dispositivo y proporciona el c贸digo de acceso por primera vez (hasta que vuelva a reiniciarse):


...
filepath = [self.GetDocumentDirectory stringByAppendingPathComponent:self.setFilename];
...
NSDictionary *protection = [NSDictionary dictionaryWithObject:NSFileProtectionCompleteUntilFirstUserAuthentication forKey:NSFileProtectionKey];
...
[[NSFileManager defaultManager] setAttributes:protection ofItemAtPath:filepath error:nil];
...
BOOL ok = [testToWrite writeToFile:filepath atomically:YES encoding:NSUnicodeStringEncoding error:&err];
...
Ejemplo 2: en el siguiente ejemplo, los datos solo est谩n protegidos hasta que el usuario enciende el dispositivo y proporciona el c贸digo de acceso por primera vez (hasta que vuelva a reiniciarse):


...
filepath = [self.GetDocumentDirectory stringByAppendingPathComponent:self.setFilename];
...
NSData *textData = [textToWrite dataUsingEncoding:NSUnicodeStingEncoding];
...
BOOL ok = [textData writeToFile:filepath options:NSDataWritingFileProtectionCompleteUntilFirstUserAuthentication error:&err];
...
References
[1] iOS Security Guide Apple
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.0
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 4
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark complete
[8] Standards Mapping - Common Weakness Enumeration CWE ID 311
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[10] Standards Mapping - FIPS200 MP
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-28 Protection of Information at Rest (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-28 Protection of Information at Rest
[14] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[15] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[18] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[21] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[22] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[32] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[33] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.dataflow.objc.insecure_storage_insufficient_data_protection
Abstract
El m茅todo identificado escribe datos en un archivo con una configuraci贸n de cifrado que probablemente no es suficiente.
Explanation
La API de protecci贸n de datos est谩 dise帽ada para permitir que las aplicaciones declaren cu谩ndo deben ser accesibles los elementos de llaves y los archivos almacenados en el sistema de archivos. Est谩 disponible para la mayor铆a de API de archivo y base de datos, como NSFileManager, CoreData, NSData y SQLite. Al especificar una de las cuatro clases de protecci贸n para un determinado recurso, un desarrollador puede indicar al sistema de archivos subyacente que la cifre mediante una clave derivada del UID del dispositivo y del c贸digo de acceso del usuario, o mediante una clave basada exclusivamente en el UID del dispositivo. Tambi茅n debe indicar cu谩ndo debe descifrarla autom谩ticamente.

Las clases de protecci贸n de datos se definen en NSFileManager como constantes que deben asignarse como el valor de la clave NSFileProtectionKey en un Dictionary asociado a la instancia de NSFileManager, y se pueden crear archivos o modificar su clase de protecci贸n de datos mediante el uso de funciones NSFileManager como setAttributes(_:ofItemAtPath:), attributesOfItemAtPath(_:) y createFileAtPath(_:contents:attributes:). Adem谩s, se definen las constantes de protecci贸n de datos correspondientes para objetos NSData en la enumeraci贸n NSDataWritingOptions que pueden pasarse como el argumento options a funciones NSData
writeToFile(_:options:)
. Las definiciones de las diversas constantes de clases de protecci贸n de datos para NSFileManager y NSData son las siguientes:

-NSFileProtectionComplete, NSDataWritingOptions.DataWritingFileProtectionComplete:
El recurso se almacena en un formato cifrado en el disco y no puede leerse ni escribirse mientras el dispositivo est谩 bloqueado o arrancando.
Disponible en iOS 4.0 y posteriores.
-NSFileProtectionCompleteUnlessOpen, NSDataWritingOptions.DataWritingFileProtectionCompleteUnlessOpen:
El recurso se almacena en un formato cifrado en el disco. Pueden crearse recursos mientras el dispositivo est谩 bloqueado pero, cuando se cierra, ya no puede abrirse de nuevo hasta que el dispositivo est茅 desbloqueado. Si se abre el recurso mientras est谩 desbloqueado, puede seguir teniendo acceso al recurso con normalidad incluso si el usuario bloquea el dispositivo.
Disponible en iOS 5.0 y posteriores.
-NSFileProtectionCompleteUntilFirstUserAuthentication, NSDataWritingOptions.DataWritingFileProtectionCompleteUntilFirstUserAuthentication:
El recurso se almacena en un formato cifrado en el disco y no se puede tener acceso a 茅l hasta que el dispositivo haya arrancado. La primera vez que el usuario desbloquea el dispositivo, la aplicaci贸n puede acceder al recurso y seguir teniendo acceso a 茅l incluso si el usuario bloquea el dispositivo posteriormente.
Disponible en iOS 5.0 y posteriores.
-NSFileProtectionNone, NSDataWritingOptions.DataWritingFileProtectionNone:
El recurso no tiene asociada ninguna protecci贸n especial. Se puede leer y escribir en 茅l en cualquier momento.
Disponible en iOS 4.0 y posteriores.

De ese modo, si bien al marcar un archivo con NSFileProtectionCompleteUnlessOpen o NSFileProtectionCompleteUntilFirstUserAuthentication, se podr谩 cifrar con una clave derivada del c贸digo de acceso del usuario y del UID del dispositivo, los datos seguir谩n siendo accesibles en determinadas circunstancias. Por lo tanto, deben revisarse con atenci贸n los usos de NSFileProtectionCompleteUnlessOpen o NSFileProtectionCompleteUntilFirstUserAuthentication para determinar si se necesita mayor protecci贸n con NSFileProtectionComplete.

Ejemplo 1: en el siguiente ejemplo, el archivo determinado solo est谩 protegido hasta que el usuario enciende el dispositivo y proporciona el c贸digo de acceso por primera vez (hasta el siguiente reinicio).


...
let documentsPath = NSURL(fileURLWithPath: NSSearchPathForDirectoriesInDomains(.DocumentDirectory, .UserDomainMask, true)[0])
let filename = "\(documentsPath)/tmp_activeTrans.txt"
let protection = [NSFileProtectionKey: NSFileProtectionCompleteUntilFirstUserAuthentication]
do {
try NSFileManager.defaultManager().setAttributes(protection, ofItemAtPath: filename)
} catch let error as NSError {
NSLog("Unable to change attributes: \(error.debugDescription)")
}
...
BOOL ok = textToWrite.writeToFile(filename, atomically:true)
...
Ejemplo 2: en el siguiente ejemplo, los datos determinados solo est谩n protegidos hasta que el usuario enciende el dispositivo y proporciona el c贸digo de acceso por primera vez (hasta el siguiente reinicio).


...
let documentsPath = NSURL(fileURLWithPath: NSSearchPathForDirectoriesInDomains(.DocumentDirectory, .UserDomainMask, true)[0])
let filename = "\(documentsPath)/tmp_activeTrans.txt"
...
BOOL ok = textData.writeToFile(filepath, options: .DataWritingFileProtectionCompleteUntilFirstUserAuthentication);
...
References
[1] iOS Security Guide Apple
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.0
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 4
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark complete
[8] Standards Mapping - Common Weakness Enumeration CWE ID 311
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[10] Standards Mapping - FIPS200 MP
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-28 Protection of Information at Rest (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-28 Protection of Information at Rest
[14] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[15] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[18] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[21] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[22] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[32] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[33] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.structural.swift.insecure_storage_insufficient_data_protection
Abstract
El m茅todo identificado almacena los datos en las llaves con valores de configuraci贸n de cifrado potencialmente insuficientes.
Explanation
Las constantes de accesibilidad de las llaves est谩n dise帽adas para permitir que las aplicaciones indiquen cu谩ndo se puede acceder a los elementos de las llaves. Al especificar una de las constantes de accesibilidad para un determinado elemento de las llaves, un desarrollador puede indicar al sistema de archivos subyacente que la cifre mediante una clave derivada del UID del dispositivo y del c贸digo de acceso del usuario, o mediante una clave basada exclusivamente en el UID del dispositivo. Tambi茅n debe indicar cu谩ndo debe descifrarla autom谩ticamente.

Las constantes de accesibilidad de las claves est谩n dise帽adas para asignarse como el valor para la clave kSecAttrAccessible en el diccionario de atributos de las claves. Las definiciones de las diversas constantes de accesibilidad de las claves son las siguientes:

-kSecAttrAccessibleAfterFirstUnlock:
No es posible acceder a los datos del elemento de las llaves despu茅s de un reinicio a menos que el usuario haya desbloqueado una vez el dispositivo.
Tras el primer desbloqueo, los datos permanecen accesibles hasta el pr贸ximo reinicio. Esta opci贸n se recomienda para los elementos a los que deben tener acceso las aplicaciones en segundo plano. Los elementos con este atributo migran a un dispositivo nuevo cuando se usan copias de seguridad cifradas.
Disponible en iOS 4.0 y posteriores.

-kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly:
No es posible acceder a los datos del elemento de las llaves despu茅s de un reinicio a menos que el usuario haya desbloqueado una vez el dispositivo.
Tras el primer desbloqueo, los datos permanecen accesibles hasta el pr贸ximo reinicio. Esta opci贸n se recomienda para los elementos a los que deben tener acceso las aplicaciones en segundo plano. Los elementos con este atributo no migran a un dispositivo nuevo. Por lo tanto, al realizar una restauraci贸n con una copia de seguridad de otro dispositivo, estos elementos no estar谩n presentes.
Disponible en iOS 4.0 y posteriores.

-kSecAttrAccessibleAlways:
Siempre se puede acceder a los datos del elemento de las llaves, independientemente de si el dispositivo est谩 bloqueado.
No se recomienda usar esta opci贸n con aplicaciones. Los elementos con este atributo migran a un dispositivo nuevo cuando se usan copias de seguridad cifradas.
Disponible en iOS 4.0 y posteriores.

-kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly:
Solo se puede acceder a los datos de las llaves cuando el dispositivo est谩 desbloqueado. Solo est谩 disponible si se configura un c贸digo de acceso en el dispositivo.
Esta opci贸n se recomienda para los elementos a los que solo es necesario tener acceso mientras la aplicaci贸n est谩 en primer plano. Los elementos con este atributo nunca migran a un dispositivo nuevo. Tras restaurar una copia de seguridad en un dispositivo nuevo, no se encuentran estos elementos. Ning煤n elemento puede almacenarse en esta clase en los dispositivos sin un c贸digo de acceso. Si se deshabilita el c贸digo de acceso del dispositivo, se eliminan todos los elementos de esta clase.
Disponible en iOS 8.0 y posteriores.

-kSecAttrAccessibleAlwaysThisDeviceOnly:
Siempre se puede acceder a los datos del elemento de las llaves, independientemente de si el dispositivo est谩 bloqueado.
No se recomienda usar esta opci贸n con aplicaciones. Los elementos con este atributo no migran a un dispositivo nuevo. Por lo tanto, al realizar una restauraci贸n con una copia de seguridad de otro dispositivo, estos elementos no estar谩n presentes.
Disponible en iOS 4.0 y posteriores.

-kSecAttrAccessibleWhenUnlocked:
Solo se puede acceder a los datos del elemento de las llaves mientras el dispositivo est谩 desbloqueado por el usuario.
Esta opci贸n se recomienda para los elementos a los que solo es necesario acceder mientras la aplicaci贸n est谩 en primer plano. Los elementos con este atributo migran a un dispositivo nuevo cuando se usan copias de seguridad cifradas.
Este es el valor predeterminado para los elementos de las llaves que se agregan sin configurar de forma expl铆cita una constante de accesibilidad.
Disponible en iOS 4.0 y posteriores.

-kSecAttrAccessibleWhenUnlockedThisDeviceOnly:
Solo se puede acceder a los datos del elemento de las llaves mientras el dispositivo est谩 desbloqueado por el usuario.
Esta opci贸n se recomienda para los elementos a los que solo es necesario acceder mientras la aplicaci贸n est谩 en primer plano. Los elementos con este atributo no migran a un dispositivo nuevo. Por lo tanto, al realizar una restauraci贸n con una copia de seguridad de otro dispositivo, estos elementos no estar谩n presentes.
Disponible en iOS 4.0 y posteriores.

De ese modo, si bien al marcar un elemento de las llaves con kSecAttrAccessibleAfterFirstUnlock se podr谩 cifrar con una clave derivada del c贸digo de acceso del usuario y del UID del dispositivo, los datos seguir谩n siendo accesibles en determinadas circunstancias. Por lo tanto, deben revisarse con atenci贸n los usos de kSecAttrAccessibleAfterFirstUnlock para determinar si se necesita mayor protecci贸n.

Ejemplo 1: en el siguiente ejemplo, el elemento de las llaves determinado solo est谩 protegido hasta que el usuario enciende el dispositivo y proporciona el c贸digo de acceso por primera vez (hasta el siguiente reinicio).


...
NSMutableDictionary *dict = [NSMutableDictionary dictionary];
NSData *token = [@"secret" dataUsingEncoding:NSUTF8StringEncoding];

// Configure KeyChain Item
[dict setObject:(__bridge id)kSecClassGenericPassword forKey:(__bridge id) kSecClass];
[dict setObject:token forKey:(__bridge id)kSecValueData];
...
[dict setObject:(__bridge id)kSecAttrAccessibleAfterFirstUnlock forKey:(__bridge id) kSecAttrAccessible];

OSStatus error = SecItemAdd((__bridge CFDictionaryRef)dict, NULL);
...
References
[1] iOS Security Guide Apple: October 2014
[2] Keychain Services Apple
[3] Keychain Item Accessibility Constants Apple
[4] David Thiel iOS Application Security: The Definitive Guide for Hackers and Developers No Starch Press
[5] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.0
[6] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[7] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[8] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 4
[9] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[10] Standards Mapping - CIS Kubernetes Benchmark complete
[11] Standards Mapping - Common Weakness Enumeration CWE ID 311, CWE ID 312, CWE ID 313, CWE ID 522
[12] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[13] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [18] CWE ID 522
[14] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [21] CWE ID 522
[15] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[16] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[17] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[18] Standards Mapping - FIPS200 MP
[19] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[20] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-28 Protection of Information at Rest (P1)
[21] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-28 Protection of Information at Rest
[22] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[23] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[24] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[25] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[26] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[27] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[28] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.3 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.1.1 Data Classification (L2 L3), 6.1.2 Data Classification (L2 L3), 6.1.3 Data Classification (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3), 8.2.2 Client-side Data Protection (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[29] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[30] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[31] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[40] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[41] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[42] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[61] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[62] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[63] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.dataflow.objc.insecure_storage_insufficient_keychain_protection
Abstract
El m茅todo identificado almacena los datos en las llaves con valores de configuraci贸n de cifrado potencialmente insuficientes.
Explanation
Las constantes de accesibilidad de las llaves est谩n dise帽adas para permitir que las aplicaciones indiquen cu谩ndo se puede acceder a los elementos de las llaves. Al especificar una de las constantes de accesibilidad para un determinado elemento de las llaves, un desarrollador puede indicar al sistema de archivos subyacente que la cifre mediante una clave derivada del UID del dispositivo y del c贸digo de acceso del usuario, o mediante una clave basada exclusivamente en el UID del dispositivo. Tambi茅n debe indicar cu谩ndo debe descifrarla autom谩ticamente.

Las constantes de accesibilidad de las claves est谩n dise帽adas para asignarse como el valor para la clave kSecAttrAccessible en el diccionario de atributos de las claves. Las definiciones de las diversas constantes de accesibilidad de las claves son las siguientes:

-kSecAttrAccessibleAfterFirstUnlock:
No es posible acceder a los datos del elemento de las llaves despu茅s de un reinicio a menos que el usuario haya desbloqueado una vez el dispositivo.
Tras el primer desbloqueo, los datos permanecen accesibles hasta el pr贸ximo reinicio. Esta opci贸n se recomienda para los elementos a los que deben tener acceso las aplicaciones en segundo plano. Los elementos con este atributo migran a un dispositivo nuevo cuando se usan copias de seguridad cifradas.
Disponible en iOS 4.0 y posteriores.

-kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly:
No es posible acceder a los datos del elemento de las llaves despu茅s de un reinicio a menos que el usuario haya desbloqueado una vez el dispositivo.
Tras el primer desbloqueo, los datos permanecen accesibles hasta el pr贸ximo reinicio. Esta opci贸n se recomienda para los elementos a los que deben tener acceso las aplicaciones en segundo plano. Los elementos con este atributo no migran a un dispositivo nuevo. Por lo tanto, al realizar una restauraci贸n con una copia de seguridad de otro dispositivo, estos elementos no estar谩n presentes.
Disponible en iOS 4.0 y posteriores.

-kSecAttrAccessibleAlways:
Siempre se puede acceder a los datos del elemento de las llaves, independientemente de si el dispositivo est谩 bloqueado.
No se recomienda usar esta opci贸n con aplicaciones. Los elementos con este atributo migran a un dispositivo nuevo cuando se usan copias de seguridad cifradas.
Disponible en iOS 4.0 y posteriores.

-kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly:
Solo se puede acceder a los datos de las llaves cuando el dispositivo est谩 desbloqueado. Solo est谩 disponible si se configura un c贸digo de acceso en el dispositivo.
Esta opci贸n se recomienda para los elementos a los que solo es necesario tener acceso mientras la aplicaci贸n est谩 en primer plano. Los elementos con este atributo nunca migran a un dispositivo nuevo. Tras restaurar una copia de seguridad en un dispositivo nuevo, no se encuentran estos elementos. Ning煤n elemento puede almacenarse en esta clase en los dispositivos sin un c贸digo de acceso. Si se deshabilita el c贸digo de acceso del dispositivo, se eliminan todos los elementos de esta clase.
Disponible en iOS 8.0 y posteriores.

-kSecAttrAccessibleAlwaysThisDeviceOnly:
Siempre se puede acceder a los datos del elemento de las llaves, independientemente de si el dispositivo est谩 bloqueado.
No se recomienda usar esta opci贸n con aplicaciones. Los elementos con este atributo no migran a un dispositivo nuevo. Por lo tanto, al realizar una restauraci贸n con una copia de seguridad de otro dispositivo, estos elementos no estar谩n presentes.
Disponible en iOS 4.0 y posteriores.

-kSecAttrAccessibleWhenUnlocked:
Solo se puede acceder a los datos del elemento de las llaves mientras el dispositivo est谩 desbloqueado por el usuario.
Esta opci贸n se recomienda para los elementos a los que solo es necesario acceder mientras la aplicaci贸n est谩 en primer plano. Los elementos con este atributo migran a un dispositivo nuevo cuando se usan copias de seguridad cifradas.
Este es el valor predeterminado para los elementos de las llaves que se agregan sin configurar de forma expl铆cita una constante de accesibilidad.
Disponible en iOS 4.0 y posteriores.

-kSecAttrAccessibleWhenUnlockedThisDeviceOnly:
Solo se puede acceder a los datos del elemento de las llaves mientras el dispositivo est谩 desbloqueado por el usuario.
Esta opci贸n se recomienda para los elementos a los que solo es necesario acceder mientras la aplicaci贸n est谩 en primer plano. Los elementos con este atributo no migran a un dispositivo nuevo. Por lo tanto, al realizar una restauraci贸n con una copia de seguridad de otro dispositivo, estos elementos no estar谩n presentes.
Disponible en iOS 4.0 y posteriores.

De ese modo, si bien al marcar un elemento de las llaves con kSecAttrAccessibleAfterFirstUnlock se podr谩 cifrar con una clave derivada del c贸digo de acceso del usuario y del UID del dispositivo, los datos seguir谩n siendo accesibles en determinadas circunstancias. Por lo tanto, deben revisarse con atenci贸n los usos de kSecAttrAccessibleAfterFirstUnlock para determinar si se necesita mayor protecci贸n.

Ejemplo 1: en el siguiente ejemplo, el elemento de las llaves determinado solo est谩 protegido hasta que el usuario enciende el dispositivo y proporciona el c贸digo de acceso por primera vez (hasta el siguiente reinicio).


...
// Configure KeyChain Item
let token = "secret"
var query = [String : AnyObject]()
query[kSecClass as String] = kSecClassGenericPassword
query[kSecValueData as String] = token as AnyObject?
...
query[kSecAttrAccessible as String] = kSecAttrAccessibleAfterFirstUnlock

SecItemAdd(query as CFDictionary, nil)
...
References
[1] iOS Security Guide Apple: October 2014
[2] Keychain Services Apple
[3] Keychain Item Accessibility Constants Apple
[4] David Thiel iOS Application Security: The Definitive Guide for Hackers and Developers No Starch Press
[5] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.0
[6] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[7] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[8] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 4
[9] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[10] Standards Mapping - CIS Kubernetes Benchmark complete
[11] Standards Mapping - Common Weakness Enumeration CWE ID 311, CWE ID 312, CWE ID 313, CWE ID 522
[12] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[13] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [18] CWE ID 522
[14] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [21] CWE ID 522
[15] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[16] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[17] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[18] Standards Mapping - FIPS200 MP
[19] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[20] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-28 Protection of Information at Rest (P1)
[21] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-28 Protection of Information at Rest
[22] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[23] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[24] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[25] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[26] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[27] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[28] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.3 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.1.1 Data Classification (L2 L3), 6.1.2 Data Classification (L2 L3), 6.1.3 Data Classification (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3), 8.2.2 Client-side Data Protection (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[29] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[30] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[31] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[40] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[41] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[42] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[61] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[62] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[63] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.dataflow.swift.insecure_storage_insufficient_keychain_protection
Abstract
El m茅todo identificado escribe datos en un archivo al que le faltan valores de configuraci贸n suficientes de cifrado.
Explanation
La API de protecci贸n de datos est谩 dise帽ada para permitir que las aplicaciones declaren cu谩ndo deben ser accesibles los elementos de llaves y los archivos almacenados en el sistema de archivos. Est谩 disponible para la mayor铆a de API de archivo y base de datos, como NSFileManager, CoreData, NSData y SQLite. Al especificar una de las cuatro clases de protecci贸n para un determinado recurso, un desarrollador puede indicar al sistema de archivos subyacente que la cifre mediante una clave derivada del UID del dispositivo y del c贸digo de acceso del usuario, o mediante una clave basada exclusivamente en el UID del dispositivo. Tambi茅n debe indicar cu谩ndo debe descifrarla autom谩ticamente.

Las clases de protecci贸n de datos se definen para NSFileManager como constantes que deben asignarse como el valor de la clave NSFileProtectionKey en un NSDictionary asociado a la instancia de NSFileManager, y se pueden crear archivos o modificar su clase de protecci贸n de datos mediante el uso de funciones NSFileManager como setAttributes:ofItemAtPath:error:, attributesOfItemAtPath:error: y createFileAtPath:contents:attributes:. Adem谩s, las constantes de protecci贸n de datos correspondientes se definen para objetos NSData como NSDataWritingOptions que pueden pasarse como el argumento options a las funciones NSDatawriteToURL:options:error: y writeToFile:options:error:. Las definiciones de las diversas constantes de clases de protecci贸n de datos para NSFileManager y NSData son las siguientes:

-NSFileProtectionComplete, NSDataWritingFileProtectionComplete:
El recurso se almacena en un formato cifrado en el disco y no puede leerse ni escribirse mientras el dispositivo est谩 bloqueado o arrancando.
Disponible en iOS 4.0 y posteriores.
-NSFileProtectionCompleteUnlessOpen, NSDataWritingFileProtectionCompleteUnlessOpen:
El recurso se almacena en un formato cifrado en el disco. Pueden crearse recursos mientras el dispositivo est谩 bloqueado pero, cuando se cierra, ya no puede abrirse de nuevo hasta que el dispositivo est茅 desbloqueado. Si se abre el recurso mientras est谩 desbloqueado, puede seguir teniendo acceso al recurso con normalidad incluso si el usuario bloquea el dispositivo.
Disponible en iOS 5.0 y posteriores.
-NSFileProtectionCompleteUntilFirstUserAuthentication, NSDataWritingFileProtectionCompleteUntilFirstUserAuthentication:
El recurso se almacena en un formato cifrado en el disco y no se puede tener acceso a 茅l hasta que el dispositivo haya arrancado. La primera vez que el usuario desbloquea el dispositivo, la aplicaci贸n puede acceder al recurso y seguir teniendo acceso a 茅l incluso si el usuario bloquea el dispositivo posteriormente.
Disponible en iOS 5.0 y posteriores.
-NSFileProtectionNone, NSDataWritingFileProtectionNone:
El recurso no tiene asociada ninguna protecci贸n especial. Se puede leer y escribir en 茅l en cualquier momento.
Disponible en iOS 4.0 y posteriores.

Aunque todos los archivos de un dispositivo con iOS, incluidos los que no tienen expl铆citamente asignada una clase de protecci贸n de datos, se almacenan en un formato cifrado, especificar NSFileProtectionNone provoca un cifrado con una clave derivada exclusivamente del UID del dispositivo. Esto permite que se pueda acceder a dichos archivos siempre que el dispositivo est谩 encendido, incluso cuando est谩 bloqueado con un c贸digo de acceso o durante el arranque. Por lo tanto, deben revisarse con atenci贸n los usos de NSFileProtectionNone para determinar si se necesita mayor protecci贸n con una clase de protecci贸n de datos m谩s estricta.

Ejemplo 1: en el siguiente ejemplo, el archivo no est谩 protegido (es accesible en todo momento cuando el dispositivo est谩 encendido):


...
filepath = [self.GetDocumentDirectory stringByAppendingPathComponent:self.setFilename];
...
NSDictionary *protection = [NSDictionary dictionaryWithObject:NSFileProtectionNone forKey:NSFileProtectionKey];
...
[[NSFileManager defaultManager] setAttributes:protection ofItemAtPath:filepath error:nil];
...
BOOL ok = [testToWrite writeToFile:filepath atomically:YES encoding:NSUnicodeStringEncoding error:&err];
...
Ejemplo 2: en el siguiente ejemplo, los datos no est谩n protegidos (son accesibles en todo momento cuando el dispositivo est谩 encendido):


...
filepath = [self.GetDocumentDirectory stringByAppendingPathComponent:self.setFilename];
...
NSData *textData = [textToWrite dataUsingEncoding:NSUnicodeStingEncoding];
...
BOOL ok = [textData writeToFile:filepath options:NSDataWritingFileProtectionNone error:&err];
...
References
[1] iOS Security Guide Apple
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 4.0
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 4
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark complete
[8] Standards Mapping - Common Weakness Enumeration CWE ID 311
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[10] Standards Mapping - FIPS200 MP
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-28 Protection of Information at Rest (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-28 Protection of Information at Rest
[14] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[15] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[18] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[21] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[22] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[32] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[33] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.dataflow.objc.insecure_storage_lacking_data_protection
Abstract
El m茅todo identificado escribe datos en un archivo al que le faltan valores de configuraci贸n suficientes de cifrado.
Explanation
La API de protecci贸n de datos est谩 dise帽ada para permitir que las aplicaciones declaren cu谩ndo deben ser accesibles los elementos de llaves y los archivos almacenados en el sistema de archivos. Est谩 disponible para la mayor铆a de API de archivo y base de datos, como NSFileManager, CoreData, NSData y SQLite. Al especificar una de las cuatro clases de protecci贸n para un determinado recurso, un desarrollador puede indicar al sistema de archivos subyacente que la cifre mediante una clave derivada del UID del dispositivo y del c贸digo de acceso del usuario, o mediante una clave basada exclusivamente en el UID del dispositivo. Tambi茅n debe indicar cu谩ndo debe descifrarla autom谩ticamente.

Las clases de protecci贸n de datos se definen en NSFileManager como constantes que deben asignarse como el valor de la clave NSFileProtectionKey en un Dictionary asociado a la instancia de NSFileManager. Se pueden crear archivos o modificar su clase de protecci贸n de datos mediante el uso de funciones NSFileManager como setAttributes(_:ofItemAtPath:), attributesOfItemAtPath(_:) y createFileAtPath(_:contents:attributes:). Adem谩s, se definen constantes de protecci贸n de datos correspondientes para objetos NSData en la enumeraci贸n NSDataWritingOptions que pueden pasarse como el argumento options a funciones NSData como
writeToFile(_:options:)
. Las definiciones de las diversas constantes de clases de protecci贸n de datos para NSFileManager y NSData son las siguientes:

-NSFileProtectionComplete, NSDataWritingOptions.DataWritingFileProtectionComplete:
El recurso se almacena en un formato cifrado en el disco y no puede leerse ni escribirse mientras el dispositivo est谩 bloqueado o arrancando.
Disponible en iOS 4.0 y posteriores.
-NSFileProtectionCompleteUnlessOpen, NSDataWritingOptions.DataWritingFileProtectionCompleteUnlessOpen:
El recurso se almacena en un formato cifrado en el disco. Pueden crearse recursos mientras el dispositivo est谩 bloqueado pero, cuando se cierra, ya no puede abrirse de nuevo hasta que el dispositivo est茅 desbloqueado. Si se abre el recurso mientras est谩 desbloqueado, puede seguir teniendo acceso al recurso con normalidad incluso si el usuario bloquea el dispositivo.
Disponible en iOS 5.0 y posteriores.
-NSFileProtectionCompleteUntilFirstUserAuthentication, NSDataWritingOptions.DataWritingFileProtectionCompleteUntilFirstUserAuthentication:
El recurso se almacena en un formato cifrado en el disco y no se puede tener acceso a 茅l hasta que el dispositivo haya arrancado. La primera vez que el usuario desbloquea el dispositivo, la aplicaci贸n puede acceder al recurso y seguir teniendo acceso a 茅l incluso si el usuario bloquea el dispositivo posteriormente.
Disponible en iOS 5.0 y posteriores.
-NSFileProtectionNone, NSDataWritingOptions.DataWritingFileProtectionNone:
El recurso no tiene asociada ninguna protecci贸n especial. Se puede leer y escribir en 茅l en cualquier momento.
Disponible en iOS 4.0 y posteriores.

Aunque todos los archivos de un dispositivo con iOS, incluidos los que no tienen expl铆citamente asignada una clase de protecci贸n de datos, se almacenan en un formato cifrado, especificar NSFileProtectionNone provoca un cifrado con una clave derivada exclusivamente del UID del dispositivo. Esto permite que se pueda acceder a dichos archivos siempre que el dispositivo est谩 encendido, incluso cuando est谩 bloqueado con un c贸digo de acceso o durante el arranque. Por lo tanto, deben revisarse con atenci贸n los usos de NSFileProtectionNone para determinar si se necesita mayor protecci贸n con una clase de protecci贸n de datos m谩s estricta.

Ejemplo 1: en el siguiente ejemplo, el archivo determinado no est谩 protegido (es decir, es accesible en todo momento cuando el dispositivo est谩 encendido).


...
let documentsPath = NSURL(fileURLWithPath: NSSearchPathForDirectoriesInDomains(.DocumentDirectory, .UserDomainMask, true)[0])
let filename = "\(documentsPath)/tmp_activeTrans.txt"
let protection = [NSFileProtectionKey: NSFileProtectionNone]
do {
try NSFileManager.defaultManager().setAttributes(protection, ofItemAtPath: filename)
} catch let error as NSError {
NSLog("Unable to change attributes: \(error.debugDescription)")
}
...
BOOL ok = textToWrite.writeToFile(filename, atomically:true)
...
Ejemplo 2: en el siguiente ejemplo, los datos determinados no est谩n protegidos (es decir, son accesibles en todo momento cuando el dispositivo est谩 encendido).


...
let documentsPath = NSURL(fileURLWithPath: NSSearchPathForDirectoriesInDomains(.DocumentDirectory, .UserDomainMask, true)[0])
let filename = "\(documentsPath)/tmp_activeTrans.txt"
...
BOOL ok = textData.writeToFile(filepath, options: .DataWritingFileProtectionNone);
...
References
[1] iOS Security Guide Apple
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 4.0
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 4
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark complete
[8] Standards Mapping - Common Weakness Enumeration CWE ID 311
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[10] Standards Mapping - FIPS200 MP
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-28 Protection of Information at Rest (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-28 Protection of Information at Rest
[14] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[15] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[18] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[21] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[22] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[32] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[33] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.structural.swift.insecure_storage_lacking_data_protection
Abstract
El m茅todo identificado almacena los datos en las llaves a las que les faltan suficientes valores de configuraci贸n de cifrado.
Explanation
Las constantes de accesibilidad de las llaves est谩n dise帽adas para permitir que las aplicaciones indiquen cu谩ndo se puede acceder a los elementos de las llaves. Al especificar una de las constantes de accesibilidad para un determinado elemento de las llaves, un desarrollador puede indicar al sistema de archivos subyacente que la cifre mediante una clave derivada del UID del dispositivo y del c贸digo de acceso del usuario, o mediante una clave basada exclusivamente en el UID del dispositivo. Tambi茅n debe indicar cu谩ndo debe descifrarla autom谩ticamente.

Las constantes de accesibilidad de las claves est谩n dise帽adas para asignarse como el valor para la clave kSecAttrAccessible en el diccionario de atributos de las claves. Las definiciones de las diversas constantes de accesibilidad de las claves son las siguientes:

-kSecAttrAccessibleAfterFirstUnlock:
No es posible acceder a los datos del elemento de las llaves despu茅s de un reinicio a menos que el usuario haya desbloqueado una vez el dispositivo.
Tras el primer desbloqueo, los datos permanecen accesibles hasta el pr贸ximo reinicio. Esta opci贸n se recomienda para los elementos a los que deben tener acceso las aplicaciones en segundo plano. Los elementos con este atributo migran a un dispositivo nuevo cuando se usan copias de seguridad cifradas.
Disponible en iOS 4.0 y posteriores.

-kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly:
No es posible acceder a los datos del elemento de las llaves despu茅s de un reinicio a menos que el usuario haya desbloqueado una vez el dispositivo.
Tras el primer desbloqueo, los datos permanecen accesibles hasta el pr贸ximo reinicio. Esta opci贸n se recomienda para los elementos a los que deben tener acceso las aplicaciones en segundo plano. Los elementos con este atributo no migran a un dispositivo nuevo. Por lo tanto, al realizar una restauraci贸n con una copia de seguridad de otro dispositivo, estos elementos no estar谩n presentes.
Disponible en iOS 4.0 y posteriores.

-kSecAttrAccessibleAlways:
Siempre se puede acceder a los datos del elemento de las llaves, independientemente de si el dispositivo est谩 bloqueado.
No se recomienda usar esta opci贸n con aplicaciones. Los elementos con este atributo migran a un dispositivo nuevo cuando se usan copias de seguridad cifradas.
Disponible en iOS 4.0 y posteriores.

-kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly:
Solo se puede acceder a los datos de las llaves cuando el dispositivo est谩 desbloqueado. Solo est谩 disponible si se configura un c贸digo de acceso en el dispositivo.
Esta opci贸n se recomienda para los elementos a los que solo es necesario tener acceso mientras la aplicaci贸n est谩 en primer plano. Los elementos con este atributo nunca migran a un dispositivo nuevo. Tras restaurar una copia de seguridad en un dispositivo nuevo, no se encuentran estos elementos. Ning煤n elemento puede almacenarse en esta clase en los dispositivos sin un c贸digo de acceso. Si se deshabilita el c贸digo de acceso del dispositivo, se eliminan todos los elementos de esta clase.
Disponible en iOS 8.0 y posteriores.

-kSecAttrAccessibleAlwaysThisDeviceOnly:
Siempre se puede acceder a los datos del elemento de las llaves, independientemente de si el dispositivo est谩 bloqueado.
No se recomienda usar esta opci贸n con aplicaciones. Los elementos con este atributo no migran a un dispositivo nuevo. Por lo tanto, al realizar una restauraci贸n con una copia de seguridad de otro dispositivo, estos elementos no estar谩n presentes.
Disponible en iOS 4.0 y posteriores.

-kSecAttrAccessibleWhenUnlocked:
Solo se puede acceder a los datos del elemento de las llaves mientras el dispositivo est谩 desbloqueado por el usuario.
Esta opci贸n se recomienda para los elementos a los que solo es necesario acceder mientras la aplicaci贸n est谩 en primer plano. Los elementos con este atributo migran a un dispositivo nuevo cuando se usan copias de seguridad cifradas.
Este es el valor predeterminado para los elementos de las llaves que se agregan sin configurar de forma expl铆cita una constante de accesibilidad.
Disponible en iOS 4.0 y posteriores.

-kSecAttrAccessibleWhenUnlockedThisDeviceOnly:
Solo se puede acceder a los datos del elemento de las llaves mientras el dispositivo est谩 desbloqueado por el usuario.
Esta opci贸n se recomienda para los elementos a los que solo es necesario acceder mientras la aplicaci贸n est谩 en primer plano. Los elementos con este atributo no migran a un dispositivo nuevo. Por lo tanto, al realizar una restauraci贸n con una copia de seguridad de otro dispositivo, estos elementos no estar谩n presentes.
Disponible en iOS 4.0 y posteriores.

Aunque todos los archivos de un dispositivo con iOS, incluidos los que no tienen expl铆citamente asignada una constante de accesibilidad de las llaves, se almacenan en un formato cifrado, especificar kSecAttrAccessibleAlways provoca un cifrado con una llave derivada exclusivamente del UID del dispositivo. Esto permite que se pueda acceder a dichos archivos siempre que el dispositivo est谩 encendido, incluso cuando est谩 bloqueado con un c贸digo de acceso o durante el arranque. Por lo tanto, deben revisarse con atenci贸n los usos de kSecAttrAccessibleAlways para determinar si se necesita mayor protecci贸n con un nivel de accesibilidad de las llaves m谩s estricto.

Ejemplo 1: en el siguiente ejemplo, el archivo determinado no est谩 protegido (es decir, es accesible en todo momento cuando el dispositivo est谩 encendido).


...
NSMutableDictionary *dict = [NSMutableDictionary dictionary];
NSData *token = [@"secret" dataUsingEncoding:NSUTF8StringEncoding];

// Configure KeyChain Item
[dict setObject:(__bridge id)kSecClassGenericPassword forKey:(__bridge id) kSecClass];
[dict setObject:token forKey:(__bridge id)kSecValueData];
...
[dict setObject:(__bridge id)kSecAttrAccessibleAlways forKey:(__bridge id) kSecAttrAccessible];

OSStatus error = SecItemAdd((__bridge CFDictionaryRef)dict, NULL);
...
References
[1] iOS Security Guide Apple: October 2014
[2] Keychain Services Apple
[3] Keychain Item Accessibility Constants Apple
[4] David Thiel iOS Application Security: The Definitive Guide for Hackers and Developers No Starch Press
[5] Standards Mapping - CIS Azure Kubernetes Service Benchmark 4.0
[6] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[7] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[8] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 4
[9] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[10] Standards Mapping - CIS Kubernetes Benchmark complete
[11] Standards Mapping - Common Weakness Enumeration CWE ID 311, CWE ID 312, CWE ID 313, CWE ID 522
[12] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[13] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [18] CWE ID 522
[14] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [21] CWE ID 522
[15] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[16] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[17] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[18] Standards Mapping - FIPS200 MP
[19] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[20] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-28 Protection of Information at Rest (P1)
[21] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-28 Protection of Information at Rest
[22] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[23] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[24] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[25] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[26] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[27] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[28] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.3 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.1.1 Data Classification (L2 L3), 6.1.2 Data Classification (L2 L3), 6.1.3 Data Classification (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3), 8.2.2 Client-side Data Protection (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[29] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[30] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[31] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[40] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[41] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[42] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[61] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[62] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[63] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.dataflow.objc.insecure_storage_lacking_keychain_protection
Abstract
El m茅todo identificado almacena los datos en las llaves a las que les faltan suficientes valores de configuraci贸n de cifrado.
Explanation
Las constantes de accesibilidad de las llaves est谩n dise帽adas para permitir que las aplicaciones indiquen cu谩ndo se puede acceder a los elementos de las llaves. Al especificar una de las constantes de accesibilidad para un determinado elemento de las llaves, un desarrollador puede indicar al sistema de archivos subyacente que la cifre mediante una clave derivada del UID del dispositivo y del c贸digo de acceso del usuario, o mediante una clave basada exclusivamente en el UID del dispositivo. Tambi茅n debe indicar cu谩ndo debe descifrarla autom谩ticamente.

Las constantes de accesibilidad de las claves est谩n dise帽adas para asignarse como el valor para la clave kSecAttrAccessible en el diccionario de atributos de las claves. Las definiciones de las diversas constantes de accesibilidad de las claves son las siguientes:

-kSecAttrAccessibleAfterFirstUnlock:
No es posible acceder a los datos del elemento de las llaves despu茅s de un reinicio a menos que el usuario haya desbloqueado una vez el dispositivo.
Tras el primer desbloqueo, los datos permanecen accesibles hasta el pr贸ximo reinicio. Esta opci贸n se recomienda para los elementos a los que deben tener acceso las aplicaciones en segundo plano. Los elementos con este atributo migran a un dispositivo nuevo cuando se usan copias de seguridad cifradas.
Disponible en iOS 4.0 y posteriores.

-kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly:
No es posible acceder a los datos del elemento de las llaves despu茅s de un reinicio a menos que el usuario haya desbloqueado una vez el dispositivo.
Tras el primer desbloqueo, los datos permanecen accesibles hasta el pr贸ximo reinicio. Esta opci贸n se recomienda para los elementos a los que deben tener acceso las aplicaciones en segundo plano. Los elementos con este atributo no migran a un dispositivo nuevo. Por lo tanto, al realizar una restauraci贸n con una copia de seguridad de otro dispositivo, estos elementos no estar谩n presentes.
Disponible en iOS 4.0 y posteriores.

-kSecAttrAccessibleAlways:
Siempre se puede acceder a los datos del elemento de las llaves, independientemente de si el dispositivo est谩 bloqueado.
No se recomienda usar esta opci贸n con aplicaciones. Los elementos con este atributo migran a un dispositivo nuevo cuando se usan copias de seguridad cifradas.
Disponible en iOS 4.0 y posteriores.

-kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly:
Solo se puede acceder a los datos de las llaves cuando el dispositivo est谩 desbloqueado. Solo est谩 disponible si se configura un c贸digo de acceso en el dispositivo.
Esta opci贸n se recomienda para los elementos a los que solo es necesario tener acceso mientras la aplicaci贸n est谩 en primer plano. Los elementos con este atributo nunca migran a un dispositivo nuevo. Tras restaurar una copia de seguridad en un dispositivo nuevo, no se encuentran estos elementos. Ning煤n elemento puede almacenarse en esta clase en los dispositivos sin un c贸digo de acceso. Si se deshabilita el c贸digo de acceso del dispositivo, se eliminan todos los elementos de esta clase.
Disponible en iOS 8.0 y posteriores.

-kSecAttrAccessibleAlwaysThisDeviceOnly:
Siempre se puede acceder a los datos del elemento de las llaves, independientemente de si el dispositivo est谩 bloqueado.
No se recomienda usar esta opci贸n con aplicaciones. Los elementos con este atributo no migran a un dispositivo nuevo. Por lo tanto, al realizar una restauraci贸n con una copia de seguridad de otro dispositivo, estos elementos no estar谩n presentes.
Disponible en iOS 4.0 y posteriores.

-kSecAttrAccessibleWhenUnlocked:
Solo se puede acceder a los datos del elemento de las llaves mientras el dispositivo est谩 desbloqueado por el usuario.
Esta opci贸n se recomienda para los elementos a los que solo es necesario acceder mientras la aplicaci贸n est谩 en primer plano. Los elementos con este atributo migran a un dispositivo nuevo cuando se usan copias de seguridad cifradas.
Este es el valor predeterminado para los elementos de las llaves que se agregan sin configurar de forma expl铆cita una constante de accesibilidad.
Disponible en iOS 4.0 y posteriores.

-kSecAttrAccessibleWhenUnlockedThisDeviceOnly:
Solo se puede acceder a los datos del elemento de las llaves mientras el dispositivo est谩 desbloqueado por el usuario.
Esta opci贸n se recomienda para los elementos a los que solo es necesario acceder mientras la aplicaci贸n est谩 en primer plano. Los elementos con este atributo no migran a un dispositivo nuevo. Por lo tanto, al realizar una restauraci贸n con una copia de seguridad de otro dispositivo, estos elementos no estar谩n presentes.
Disponible en iOS 4.0 y posteriores.

Aunque todos los archivos de un dispositivo con iOS, incluidos los que no tienen expl铆citamente asignada una constante de accesibilidad de las llaves, se almacenan en un formato cifrado, especificar kSecAttrAccessibleAlways provoca un cifrado con una llave derivada exclusivamente del UID del dispositivo. Esto permite que se pueda acceder a dichos archivos siempre que el dispositivo est谩 encendido, incluso cuando est谩 bloqueado con un c贸digo de acceso o durante el arranque. Por lo tanto, deben revisarse con atenci贸n los usos de kSecAttrAccessibleAlways para determinar si se necesita mayor protecci贸n con un nivel de accesibilidad de las llaves m谩s estricto.

Ejemplo 1: en el siguiente ejemplo, el archivo determinado no est谩 protegido (es decir, es accesible en todo momento cuando el dispositivo est谩 encendido).


...
// Configure KeyChain Item
let token = "secret"
var query = [String : AnyObject]()
query[kSecClass as String] = kSecClassGenericPassword
query[kSecValueData as String] = token as AnyObject?
...
query[kSecAttrAccessible as String] = kSecAttrAccessibleAlways

SecItemAdd(query as CFDictionary, nil)
...
References
[1] iOS Security Guide Apple: October 2014
[2] Keychain Services Apple
[3] Keychain Item Accessibility Constants Apple
[4] David Thiel iOS Application Security: The Definitive Guide for Hackers and Developers No Starch Press
[5] Standards Mapping - CIS Azure Kubernetes Service Benchmark 4.0
[6] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[7] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[8] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 4
[9] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[10] Standards Mapping - CIS Kubernetes Benchmark complete
[11] Standards Mapping - Common Weakness Enumeration CWE ID 311, CWE ID 312, CWE ID 313, CWE ID 522
[12] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[13] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [18] CWE ID 522
[14] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [21] CWE ID 522
[15] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[16] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[17] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[18] Standards Mapping - FIPS200 MP
[19] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[20] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-28 Protection of Information at Rest (P1)
[21] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-28 Protection of Information at Rest
[22] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[23] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[24] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[25] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[26] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[27] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[28] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.3 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.1.1 Data Classification (L2 L3), 6.1.2 Data Classification (L2 L3), 6.1.3 Data Classification (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3), 8.2.2 Client-side Data Protection (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[29] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[30] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[31] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[40] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[41] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[42] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[61] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[62] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[63] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.dataflow.swift.insecure_storage_lacking_keychain_protection
Abstract
El m茅todo identificado establece una conexi贸n con una base de datos sin cifrar.
Explanation
Otras aplicaciones pueden acceder a los archivos de aplicaci贸n en dispositivos con acceso root o en copias de seguridad sin cifrar. Dado que un usuario podr铆a decidir liberar su dispositivo o realizar copias de seguridad sin cifrar, se recomienda cifrar las bases de datos que contengan datos confidenciales.

Ejemplo 1: El siguiente c贸digo establece una conexi贸n con una base de datos Realm sin cifrar:


Realm realm = Realm.getDefaultInstance();
References
[1] Realm Database Encryption Realm
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 4.0
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 4
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark complete
[8] Standards Mapping - Common Weakness Enumeration CWE ID 311
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002475
[10] Standards Mapping - FIPS200 MP
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest
[14] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[15] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[18] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[21] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[22] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design
[32] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[33] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002340 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002340 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002340 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002340 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002340 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002340 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002340 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002340 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002340 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002340 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002340 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002340 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002340 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002340 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.dataflow.java.insecure_storage_missing_database_encryption
Abstract
El m茅todo identificado establece una conexi贸n con una base de datos sin cifrar.
Explanation
Otras aplicaciones pueden acceder a los archivos de aplicaci贸n en dispositivos con acceso root o en copias de seguridad sin cifrar. Dado que un usuario podr铆a decidir liberar su dispositivo o realizar copias de seguridad sin cifrar, se recomienda cifrar las bases de datos que contengan datos confidenciales.

Ejemplo 1: El siguiente c贸digo establece una conexi贸n con una base de datos Realm sin cifrar:


RLMRealmConfiguration *config = [RLMRealmConfiguration defaultConfiguration];
RLMRealm *realm = [RLMRealm realmWithConfiguration:config error:nil];
References
[1] Realm Cocoa Tutorial: Encryption with Realm Realm
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 4.0
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 4
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark complete
[8] Standards Mapping - Common Weakness Enumeration CWE ID 311
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002475
[10] Standards Mapping - FIPS200 MP
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest
[14] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[15] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[18] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[21] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[22] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design
[32] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[33] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002340 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002340 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002340 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002340 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002340 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002340 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002340 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002340 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002340 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002340 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002340 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002340 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002340 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002340 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.dataflow.objc.insecure_storage_missing_database_encryption
Abstract
El m茅todo identificado establece una conexi贸n con una base de datos sin cifrar.
Explanation
Otras aplicaciones pueden acceder a los archivos de aplicaciones en dispositivos liberados o en copias de seguridad sin cifrar. Puesto que los desarrolladores de aplicaciones no pueden controlar si el usuario decidir谩 liberar el dispositivo o realizar copias de seguridad sin cifrar, se recomienda cifrar las bases de datos que contienen datos confidenciales.

Ejemplo 1: El siguiente c贸digo establece una conexi贸n con una base de datos Realm sin cifrar:


let realm = try! Realm()
References
[1] Realm Cocoa Tutorial: Encryption with Realm Realm
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 4.0
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 4
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark complete
[8] Standards Mapping - Common Weakness Enumeration CWE ID 311
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002475
[10] Standards Mapping - FIPS200 MP
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest
[14] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[15] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[18] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[21] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[22] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design
[32] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[33] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002340 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002340 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002340 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002340 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002340 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002340 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002340 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002340 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002340 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002340 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002340 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002340 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002340 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002340 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.dataflow.swift.insecure_storage_missing_database_encryption
Abstract
El m茅todo identificado escribe datos no cifrados en el 谩lbum de fotos de iOS.
Explanation
Los archivos guardados en el 谩lbum de fotos de iOS pueden ser le铆dos por cualquiera y todas las aplicaciones del dispositivo pueden tener acceso a ellos. Esto podr铆a permitir a un usuario malintencionado robar fotos confidenciales, por ejemplo las im谩genes de cheques utilizadas en los dep贸sitos de cheques con dispositivos m贸viles.

Ejemplo 1: el siguiente c贸digo utiliza UIImageWriteToSavedPhotosAlbum para guardar las im谩genes en el 谩lbum de fotos:


- (void) imagePickerController:(UIImagePickerController *)picker didFinishPickingMediaWithInfo:(NSDictionary *)info
{
// Access the uncropped image from info dictionary
UIImage *image = [info objectForKey:UIImagePickerControllerOriginalImage];

// Save image
UIImageWriteToSavedPhotosAlbum(image, self, @selector(image:didFinishSavingWithError:contextInfo:), nil);

...
}
References
[1] iOS Security Guide Apple
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 4.0
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 4
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark complete
[8] Standards Mapping - Common Weakness Enumeration CWE ID 313, CWE ID 359, CWE ID 921
[9] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[10] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[11] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[12] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002475
[13] Standards Mapping - FIPS200 MP
[14] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[15] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[16] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest
[17] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[18] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[23] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.1.1 Data Classification (L2 L3), 6.1.2 Data Classification (L2 L3), 6.1.3 Data Classification (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3), 8.2.2 Client-side Data Protection (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 10.2.1 Malicious Code Search (L2 L3)
[24] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[25] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[26] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[35] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[36] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002340 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002340 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002340 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002340 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002340 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002340 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002340 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002340 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002340 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002340 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002340 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002340 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002340 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002340 CAT II
[58] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.structural.objc.insecure_storage_missing_encryption_on_stored_private_media
Abstract
El m茅todo identificado escribe datos no cifrados en el 谩lbum de fotos de iOS.
Explanation
Los archivos guardados en el 谩lbum de fotos de iOS pueden ser le铆dos por cualquiera y todas las aplicaciones del dispositivo pueden tener acceso a ellos. Esto podr铆a permitir a un usuario malintencionado robar fotos confidenciales, por ejemplo las im谩genes de cheques utilizadas en los dep贸sitos de cheques con dispositivos m贸viles.

Ejemplo 1: el siguiente c贸digo utiliza UIImageWriteToSavedPhotosAlbum para guardar las im谩genes en el 谩lbum de fotos:


func imagePickerController(picker: UIImagePickerController, didFinishPickingMediaWithInfo info: [NSObject : AnyObject]) {
if let pickedImage = info[UIImagePickerControllerOriginalImage] as? UIImage {
imageView.contentMode = .ScaleAspectFit
imageView.image = pickedImage
}

// Save image
UIImageWriteToSavedPhotosAlbum(pickedImage!, self, nil, nil)

dismissViewControllerAnimated(true, completion: nil)
}
References
[1] iOS Security Guide Apple
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 4.0
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 4
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark complete
[8] Standards Mapping - Common Weakness Enumeration CWE ID 313, CWE ID 359, CWE ID 921
[9] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[10] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[11] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[12] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002475
[13] Standards Mapping - FIPS200 MP
[14] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[15] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[16] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest
[17] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[18] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[23] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.1.1 Data Classification (L2 L3), 6.1.2 Data Classification (L2 L3), 6.1.3 Data Classification (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3), 8.2.2 Client-side Data Protection (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 10.2.1 Malicious Code Search (L2 L3)
[24] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[25] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[26] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[35] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[36] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002340 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002340 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002340 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002340 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002340 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002340 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002340 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002340 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002340 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002340 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002340 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002340 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002340 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002340 CAT II
[58] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.structural.swift.insecure_storage_missing_encryption_on_stored_private_media
Abstract
El m茅todo identificado almacena los datos en las llaves sin exigirle al usuario que establezca un c贸digo de acceso para su dispositivo.
Explanation
Los niveles de accesibilidad de las llaves definen cu谩ndo se descifran los elementos de las llaves y se quedan disponibles para las aplicaciones. Los niveles de accesibilidad posibles incluyen los siguientes:

-kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly:
No es posible acceder a los datos del elemento de las llaves despu茅s de un reinicio a menos que el usuario haya desbloqueado una vez el dispositivo.
Tras el primer desbloqueo, los datos permanecen accesibles hasta el pr贸ximo reinicio. Esta opci贸n se recomienda para los elementos a los que deben tener acceso las aplicaciones en segundo plano. Los elementos con este atributo no migran a un dispositivo nuevo. Por lo tanto, al realizar una restauraci贸n con una copia de seguridad de otro dispositivo, estos elementos no estar谩n presentes.
Disponible en iOS 4.0 y posteriores.

-kSecAttrAccessibleAlways:
Siempre se puede acceder a los datos del elemento de las llaves, independientemente de si el dispositivo est谩 bloqueado.
No se recomienda usar esta opci贸n con aplicaciones. Los elementos con este atributo migran a un dispositivo nuevo cuando se usan copias de seguridad cifradas.
Disponible en iOS 4.0 y posteriores.

-kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly:
Solo se puede acceder a los datos de las llaves cuando el dispositivo est谩 desbloqueado. Solo est谩 disponible si se configura un c贸digo de acceso en el dispositivo.
Esta opci贸n se recomienda para los elementos a los que solo es necesario tener acceso mientras la aplicaci贸n est谩 en primer plano. Los elementos con este atributo nunca migran a un dispositivo nuevo. Tras restaurar una copia de seguridad en un dispositivo nuevo, no se encuentran estos elementos. Ning煤n elemento puede almacenarse en esta clase en los dispositivos sin un c贸digo de acceso. Si se deshabilita el c贸digo de acceso del dispositivo, se eliminan todos los elementos de esta clase.
Disponible en iOS 8.0 y posteriores.

-kSecAttrAccessibleAlwaysThisDeviceOnly:
Siempre se puede acceder a los datos del elemento de las llaves, independientemente de si el dispositivo est谩 bloqueado.
No se recomienda usar esta opci贸n con aplicaciones. Los elementos con este atributo no migran a un dispositivo nuevo. Por lo tanto, al realizar una restauraci贸n con una copia de seguridad de otro dispositivo, estos elementos no estar谩n presentes.
Disponible en iOS 4.0 y posteriores.

-kSecAttrAccessibleWhenUnlocked:
Solo se puede acceder a los datos del elemento de las llaves mientras el dispositivo est谩 desbloqueado por el usuario.
Esta opci贸n se recomienda para los elementos a los que solo es necesario acceder mientras la aplicaci贸n est谩 en primer plano. Los elementos con este atributo migran a un dispositivo nuevo cuando se usan copias de seguridad cifradas.
Este es el valor predeterminado para los elementos de las llaves que se agregan sin configurar de forma expl铆cita una constante de accesibilidad.
Disponible en iOS 4.0 y posteriores.

-kSecAttrAccessibleWhenUnlockedThisDeviceOnly:
Solo se puede acceder a los datos del elemento de las llaves mientras el dispositivo est谩 desbloqueado por el usuario.
Esta opci贸n se recomienda para los elementos a los que solo es necesario acceder mientras la aplicaci贸n est谩 en primer plano. Los elementos con este atributo no migran a un dispositivo nuevo. Por lo tanto, al realizar una restauraci贸n con una copia de seguridad de otro dispositivo, estos elementos no estar谩n presentes.
Disponible en iOS 4.0 y posteriores.

Si los elementos de las llaves se almacenan con una directiva de seguridad razonable, como kSecAttrAccessibleWhenUnlocked, si luego roban su dispositivo y se establece un c贸digo de acceso, el ladr贸n deber谩 desbloquear el dispositivo para descifrar los elementos de las llaves. Si no se introduce el c贸digo de acceso correcto, se bloquear谩 el descifrado de los elementos de las llaves del dispositivo robado. Sin embargo, si no se establece un c贸digo de acceso, el atacante solo necesitar谩 deslizar el dedo para desbloquear el dispositivo y obtener las llaves para descifrar sus elementos. Por lo tanto, no exigir un c贸digo de acceso en el dispositivo puede debilitar el mecanismo de cifrado de las llaves.

Ejemplo 1: en el siguiente ejemplo, el elemento de las llaves est谩 protegido en todo momento, excepto cuando el dispositivo est谩 encendido y desbloqueado, pero tambi茅n est谩 disponible si no se establece un c贸digo de acceso en el dispositivo:


...
NSMutableDictionary *dict = [NSMutableDictionary dictionary];
NSData *token = [@"secret" dataUsingEncoding:NSUTF8StringEncoding];

// Configure KeyChain Item
[dict setObject:(__bridge id)kSecClassGenericPassword forKey:(__bridge id) kSecClass];
[dict setObject:token forKey:(__bridge id)kSecValueData];
...
[dict setObject:(__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly forKey:(__bridge id) kSecAttrAccessible];

OSStatus error = SecItemAdd((__bridge CFDictionaryRef)dict, NULL);
...
References
[1] Keychain Services Apple
[2] Keychain Item Accessibility Constants Apple
[3] David Thiel iOS Application Security: The Definitive Guide for Hackers and Developers No Starch Press
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[8] Standards Mapping - Common Weakness Enumeration CWE ID 311, CWE ID 312, CWE ID 313, CWE ID 522
[9] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[10] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [18] CWE ID 522
[11] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [21] CWE ID 522
[12] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[13] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[14] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[15] Standards Mapping - FIPS200 MP
[16] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[17] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-28 Protection of Information at Rest (P1)
[18] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-28 Protection of Information at Rest
[19] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[20] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[21] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[22] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[23] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[24] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[25] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.3 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.1.1 Data Classification (L2 L3), 6.1.2 Data Classification (L2 L3), 6.1.3 Data Classification (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3), 8.2.2 Client-side Data Protection (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[26] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[27] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[28] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[37] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[38] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[39] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[60] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.dataflow.objc.insecure_storage_passcode_policy_unenforced
Abstract
El m茅todo identificado almacena los datos en las llaves sin exigirle al usuario que establezca un c贸digo de acceso para su dispositivo.
Explanation
Los niveles de accesibilidad de las llaves definen cu谩ndo se descifran los elementos de las llaves y se quedan disponibles para las aplicaciones. Los niveles de accesibilidad posibles incluyen los siguientes:

-kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly:
No es posible acceder a los datos del elemento de las llaves despu茅s de un reinicio a menos que el usuario haya desbloqueado una vez el dispositivo.
Tras el primer desbloqueo, los datos permanecen accesibles hasta el pr贸ximo reinicio. Esta opci贸n se recomienda para los elementos a los que deben tener acceso las aplicaciones en segundo plano. Los elementos con este atributo no migran a un dispositivo nuevo. Por lo tanto, al realizar una restauraci贸n con una copia de seguridad de otro dispositivo, estos elementos no estar谩n presentes.
Disponible en iOS 4.0 y posteriores.

-kSecAttrAccessibleAlways:
Siempre se puede acceder a los datos del elemento de las llaves, independientemente de si el dispositivo est谩 bloqueado.
No se recomienda usar esta opci贸n con aplicaciones. Los elementos con este atributo migran a un dispositivo nuevo cuando se usan copias de seguridad cifradas.
Disponible en iOS 4.0 y posteriores.

-kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly:
Solo se puede acceder a los datos de las llaves cuando el dispositivo est谩 desbloqueado. Solo est谩 disponible si se configura un c贸digo de acceso en el dispositivo.
Esta opci贸n se recomienda para los elementos a los que solo es necesario tener acceso mientras la aplicaci贸n est谩 en primer plano. Los elementos con este atributo nunca migran a un dispositivo nuevo. Tras restaurar una copia de seguridad en un dispositivo nuevo, no se encuentran estos elementos. Ning煤n elemento puede almacenarse en esta clase en los dispositivos sin un c贸digo de acceso. Si se deshabilita el c贸digo de acceso del dispositivo, se eliminan todos los elementos de esta clase.
Disponible en iOS 8.0 y posteriores.

-kSecAttrAccessibleAlwaysThisDeviceOnly:
Siempre se puede acceder a los datos del elemento de las llaves, independientemente de si el dispositivo est谩 bloqueado.
No se recomienda usar esta opci贸n con aplicaciones. Los elementos con este atributo no migran a un dispositivo nuevo. Por lo tanto, al realizar una restauraci贸n con una copia de seguridad de otro dispositivo, estos elementos no estar谩n presentes.
Disponible en iOS 4.0 y posteriores.

-kSecAttrAccessibleWhenUnlocked:
Solo se puede acceder a los datos del elemento de las llaves mientras el dispositivo est谩 desbloqueado por el usuario.
Esta opci贸n se recomienda para los elementos a los que solo es necesario acceder mientras la aplicaci贸n est谩 en primer plano. Los elementos con este atributo migran a un dispositivo nuevo cuando se usan copias de seguridad cifradas.
Este es el valor predeterminado para los elementos de las llaves que se agregan sin configurar de forma expl铆cita una constante de accesibilidad.
Disponible en iOS 4.0 y posteriores.

-kSecAttrAccessibleWhenUnlockedThisDeviceOnly:
Solo se puede acceder a los datos del elemento de las llaves mientras el dispositivo est谩 desbloqueado por el usuario.
Esta opci贸n se recomienda para los elementos a los que solo es necesario acceder mientras la aplicaci贸n est谩 en primer plano. Los elementos con este atributo no migran a un dispositivo nuevo. Por lo tanto, al realizar una restauraci贸n con una copia de seguridad de otro dispositivo, estos elementos no estar谩n presentes.
Disponible en iOS 4.0 y posteriores.

Si los elementos de las llaves se almacenan con una directiva de seguridad razonable, como kSecAttrAccessibleWhenUnlocked, si luego roban su dispositivo y se establece un c贸digo de acceso, el ladr贸n deber谩 desbloquear el dispositivo para descifrar los elementos de las llaves. Si no se introduce el c贸digo de acceso correcto, se bloquear谩 el descifrado de los elementos de las llaves del dispositivo robado. Sin embargo, si no se establece un c贸digo de acceso, el atacante solo necesitar谩 deslizar el dedo para desbloquear el dispositivo y obtener las llaves para descifrar sus elementos. Por lo tanto, no exigir un c贸digo de acceso en el dispositivo puede debilitar el mecanismo de cifrado de las llaves.

Ejemplo 1: en el siguiente ejemplo, el elemento de las llaves est谩 protegido en todo momento, excepto cuando el dispositivo est谩 encendido y desbloqueado, pero tambi茅n est谩 disponible si no se establece un c贸digo de acceso en el dispositivo:


...
// Configure KeyChain Item
let token = "secret"
var query = [String : AnyObject]()
query[kSecClass as String] = kSecClassGenericPassword
query[kSecValueData as String] = token as AnyObject?
...
query[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly

SecItemAdd(query as CFDictionary, nil)
...
References
[1] Keychain Services Apple
[2] Keychain Item Accessibility Constants Apple
[3] David Thiel iOS Application Security: The Definitive Guide for Hackers and Developers No Starch Press
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[8] Standards Mapping - Common Weakness Enumeration CWE ID 311, CWE ID 312, CWE ID 313, CWE ID 522
[9] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[10] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [18] CWE ID 522
[11] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [21] CWE ID 522
[12] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[13] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[14] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001350, CCI-002475
[15] Standards Mapping - FIPS200 MP
[16] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[17] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-9 Protection of Audit Information (P1), SC-28 Protection of Information at Rest (P1)
[18] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-9 Protection of Audit Information, SC-28 Protection of Information at Rest
[19] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[20] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[21] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[22] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[23] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[24] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[25] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.3 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.1.1 Data Classification (L2 L3), 6.1.2 Data Classification (L2 L3), 6.1.3 Data Classification (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3), 8.2.2 Client-side Data Protection (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[26] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[27] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[28] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[37] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[38] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[39] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001350 CAT II, APSC-DV-002340 CAT II
[60] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
desc.dataflow.swift.insecure_storage_passcode_policy_unenforced
Abstract
Un portapapeles con nombre configurado como persistente puede dar lugar a la exposici贸n de informaci贸n confidencial.
Explanation
Los portapapeles con nombre permiten a los desarrolladores compartir datos con otras partes de una aplicaci贸n o con otras aplicaciones que tienen el mismo ID de equipo. Configurar un portapapeles con nombre como persistente es una opci贸n obsoleta que puede conducir a la exposici贸n de datos confidenciales. Cuando un portapapeles se marca como persistente, los datos almacenados en el portapapeles se pueden guardar sin cifrar en el almacenamiento local y persisten al reiniciar las aplicaciones y el dispositivo.
Ejemplo聽1: En el siguiente ejemplo, se crea un portapapeles con nombre y se configura como persistente invocando setPersistent:YES .

...
UIPasteboard *pasteboard = [UIPasteboard pasteboardWithName:@"myPasteboard" create:YES];
[pasteboard setPersistent:YES];
...
References
[1] setPersistent: | Apple Developer Documentation Apple
[2] iOS Platform APIs - OWASP Mobile Application Security OWASP
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.0
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[7] Standards Mapping - Common Weakness Enumeration CWE ID 312, CWE ID 359
[8] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[9] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[10] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002475
[12] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest
[15] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[16] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[17] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[18] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.1.1 Data Classification (L2 L3), 6.1.2 Data Classification (L2 L3), 6.1.3 Data Classification (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3), 8.2.2 Client-side Data Protection (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 10.2.1 Malicious Code Search (L2 L3)
[21] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[22] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.6, Requirement 8.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.3.1, Requirement 3.5.1, Requirement 4.2.2, Requirement 6.2.4, Requirement 8.3.1
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection, Control Objective B.2.5 - Terminal Software Design
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection, Control Objective B.2.5 - Terminal Software Design
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002340 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002340 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002340 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002340 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002340 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002340 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002340 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002340 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002340 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002340 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002340 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002340 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002340 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002340 CAT II
[56] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[57] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.objc.insecure_storage_persistent_named_pasteboard
Abstract
Un portapapeles con nombre configurado como persistente puede dar lugar a la exposici贸n de informaci贸n confidencial.
Explanation
Los portapapeles con nombre permiten a los desarrolladores compartir datos con otras partes de una aplicaci贸n o con otras aplicaciones que tienen el mismo ID de equipo. Configurar un portapapeles con nombre como persistente es una opci贸n obsoleta que puede conducir a la exposici贸n de datos confidenciales. Cuando un portapapeles se marca como persistente, los datos almacenados en el portapapeles se pueden guardar sin cifrar en el almacenamiento local y persisten al reiniciar las aplicaciones y el dispositivo.
Ejemplo聽1: En el siguiente ejemplo, se crea un portapapeles con nombre y se configura como persistente invocando setPersistent(true) .

...
let pasteboard = UIPasteboard(name: UIPasteboard.Name(rawValue: "myPasteboard"), create: true)!
pasteboard.setPersistent(true)
...
References
[1] setPersistent(_:) | Apple Developer Documentation Apple
[2] iOS Platform APIs - OWASP Mobile Application Security OWASP
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.0
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[7] Standards Mapping - Common Weakness Enumeration CWE ID 312, CWE ID 359
[8] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[9] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[10] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002475
[12] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest
[15] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[16] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[17] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[18] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.1.1 Data Classification (L2 L3), 6.1.2 Data Classification (L2 L3), 6.1.3 Data Classification (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3), 8.2.2 Client-side Data Protection (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 10.2.1 Malicious Code Search (L2 L3)
[21] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[22] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.6, Requirement 8.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.3.1, Requirement 3.5.1, Requirement 4.2.2, Requirement 6.2.4, Requirement 8.3.1
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection, Control Objective B.2.5 - Terminal Software Design
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection, Control Objective B.2.5 - Terminal Software Design
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002340 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002340 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002340 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002340 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002340 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002340 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002340 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002340 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002340 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002340 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002340 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002340 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002340 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002340 CAT II
[56] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[57] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.swift.insecure_storage_persistent_named_pasteboard
Abstract
La aplicaci贸n concede acceso an贸nimo completo a un objeto o contenedor de AWS S3.
Explanation
La concesi贸n de acceso an贸nimo completo a un objeto o contenedor permite que los usuarios malintencionados lean el contenido o lo reemplacen con contenido malintencionado.

Ejemplo 1: El siguiente c贸digo define una Access Control Policy que concede acceso an贸nimo completo al contenedor foo.


GetBucketAclRequest bucketAclReq = GetBucketAclRequest.builder().bucket("foo").build();
GetBucketAclResponse getAclRes = s3.getBucketAcl(bucketAclReq);
List<Grant> grants = getAclRes.grants();

Grantee allusers = Grantee.builder().uri("http://acs.amazonaws.com/groups/global/AllUsers").build();
Permission fc_permission = Permission.fromValue("FullControl");
Grant grant = Grant.builder().grantee(allusers).permission(fc_permission).build();
grants.add(grant);

AccessControlPolicy acl = AccessControlPolicy.builder().grants(grants).build();
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2.0
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[5] Standards Mapping - CIS Kubernetes Benchmark partial
[6] Standards Mapping - Common Weakness Enumeration CWE ID 284, CWE ID 359
[7] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[8] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[9] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002475
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest
[14] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[15] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[16] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[17] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[18] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[19] Standards Mapping - OWASP API 2023 API2 Broken Authentication
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.4.2 Access Control Architectural Requirements (L2 L3), 1.4.4 Access Control Architectural Requirements (L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 10.2.1 Malicious Code Search (L2 L3)
[21] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[22] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 8.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.6, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.3.1, Requirement 3.5.1, Requirement 4.2.2, Requirement 6.2.4, Requirement 8.3.1
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002340 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002340 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002340 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002340 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002340 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002340 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002340 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002340 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002340 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002340 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002340 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002340 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002340 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002340 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.semantic.java.insecure_storage_s3_full_anonymous_access
Abstract
La aplicaci贸n concede un permiso an贸nimo para leer la pol铆tica de control de acceso (ACP) de un objeto o contenedor de AWS S3.
Explanation
La concesi贸n de un permiso an贸nimo para leer la pol铆tica de control de acceso (ACP) de un objeto o contenedor permite que los usuarios malintencionados identifiquen los objetos que se pueden recuperar o reemplazar.

Ejemplo 1: El siguiente c贸digo define una Access Control Policy que concede un permiso an贸nimo de lectura de la ACP en el contenedor foo.


GetBucketAclRequest bucketAclReq = GetBucketAclRequest.builder().bucket("foo").build();
GetBucketAclResponse getAclRes = s3.getBucketAcl(bucketAclReq);
List<Grant> grants = getAclRes.grants();

Grantee allusers = Grantee.builder().uri("http://acs.amazonaws.com/groups/global/AllUsers").build();
Permission fc_permission = Permission.fromValue("READ_ACP");
Grant grant = Grant.builder().grantee(allusers).permission(fc_permission).build();
grants.add(grant);

AccessControlPolicy acl = AccessControlPolicy.builder().grants(grants).build();
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2.0
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[5] Standards Mapping - CIS Kubernetes Benchmark partial
[6] Standards Mapping - Common Weakness Enumeration CWE ID 284, CWE ID 359
[7] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[8] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[9] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002475
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest
[14] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[15] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[16] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[17] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[18] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[19] Standards Mapping - OWASP API 2023 API2 Broken Authentication
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.4.2 Access Control Architectural Requirements (L2 L3), 1.4.4 Access Control Architectural Requirements (L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 10.2.1 Malicious Code Search (L2 L3)
[21] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[22] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 8.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.6, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.3.1, Requirement 3.5.1, Requirement 4.2.2, Requirement 6.2.4, Requirement 8.3.1
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002340 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002340 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002340 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002340 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002340 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002340 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002340 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002340 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002340 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002340 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002340 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002340 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002340 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002340 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.semantic.java.insecure_storage_s3_read_acp_anonymous_access