Reino: Encapsulation
Encapsulamento consiste em traçar limites fortes. Em um navegador web, isso pode significar que seu código para dispositivos móveis não pode ser abusado por outros códigos para dispositivos móveis. No servidor, pode significar a diferenciação entre dados validados e não validados, entre os dados de dois usuários ou entre os dados que os usuários podem ou não acessar.
Insecure IPC: Missing Sender Verification
Abstract
O aplicativo falha ao verificar o remetente de uma chamada de Comunicação Entre Procedimentos (IPC) baseada em URL.
Explanation
Quando um aplicativo ou
Exemplo 1: A seguinte implementação do método delegado
webview de terceiros usa uma URL para se comunicar com seu aplicativo, o aplicativo receptor deve confrontar o remetente com uma lista de permissões com aplicativos que são esperados para se comunicar com ele. O aplicativo receptor tem a opção de verificar a origem da URL de chamada usando os métodos delegados UIApplicationDelegate application:openURL:options: ou UIApplicationDelegate application:openURL:sourceApplication:annotation:.Exemplo 1: A seguinte implementação do método delegado
UIApplicationDelegate application:openURL:options: falha ao verificar o remetente da chamada de IPC e processa apenas a URL de chamada:
- (BOOL)application:(UIApplication *)app openURL:(NSURL *)url options:(NSDictionary<NSString *,id> *)options {
NSString *theQuery = [[url query] stringByRemovingPercentEncoding:NSUTF8StringEncoding];
NSArray *chunks = [theQuery componentsSeparatedByString:@"&"];
for (NSString* chunk in chunks) {
NSArray *keyval = [chunk componentsSeparatedByString:@"="]; NSString *key = [keyval objectAtIndex:0];
NSString *value = [keyval objectAtIndex:1];
// Do something with your key and value
}
return YES;
}
References
[1] David Thiel iOS Application Security: The Definitive Guide for Hackers and Developers No Starch Press
[2] UIApplicationDelegate Apple
[3] Standards Mapping - Common Weakness Enumeration CWE ID 501, CWE ID 939
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [25] CWE ID 862
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [16] CWE ID 862
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [11] CWE ID 862
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [9] CWE ID 862
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001084, CCI-002754
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-3 Security Function Isolation (P1), SI-10 Information Input Validation (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-3 Security Function Isolation, SI-10 Information Input Validation
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.1.4 Generic Web Service Security Verification Requirements (L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[16] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[17] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[18] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[19] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[22] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[23] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[24] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[44] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.structural.objc.insecure_ipc_missing_sender_verification
Abstract
O aplicativo falha ao verificar o remetente de uma chamada de Comunicação Entre Procedimentos (IPC) baseada em URL.
Explanation
Quando um aplicativo ou
Exemplo 1: A seguinte implementação do método delegado
wewbview de terceiros usa uma URL para se comunicar com seu aplicativo, o aplicativo receptor deve confrontar o remetente com uma lista de permissões com aplicativos que são esperados para se comunicar com ele. O aplicativo receptor tem a opção de verificar a origem da URL de chamada usando os métodos delegados UIApplicationDelegate application:openURL:options: ou UIApplicationDelegate application:openURL:sourceApplication:annotation:.Exemplo 1: A seguinte implementação do método delegado
UIApplicationDelegate application:openURL:options: falha ao verificar o remetente da chamada de IPC e processa apenas a URL de chamada:
func application(app: UIApplication, openURL url: NSURL, options: [String : AnyObject]) -> Bool {
return processCall(url)
}
References
[1] David Thiel iOS Application Security: The Definitive Guide for Hackers and Developers No Starch Press
[2] UIApplicationDelegate Apple
[3] Standards Mapping - Common Weakness Enumeration CWE ID 501, CWE ID 939
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [25] CWE ID 862
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [16] CWE ID 862
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [11] CWE ID 862
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [9] CWE ID 862
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001084, CCI-002754
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-3 Security Function Isolation (P1), SI-10 Information Input Validation (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-3 Security Function Isolation, SI-10 Information Input Validation
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.1.4 Generic Web Service Security Verification Requirements (L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[16] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[17] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[18] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[19] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[22] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[23] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[24] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[44] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.structural.swift.insecure_ipc_missing_sender_verification