Kingdom: Security Features
Software security is not security software. The topics of concern here include authentication, access control, confidentiality, cryptography, and privilege management.
Authentication Bad Practice: Ignored Authentication Method
Abstract
Implementing the NSURLConnectionDelegate.connection(_:willSendRequestFor:) delegate callback method causes the system to ignore the NSURLConnectionDelegate.connection(_:canAuthenticateAgainstProtectionSpace:) and NSURLConnectionDelegate.connection(_:didReceive:) methods.
Explanation
The NSURLConnectionDelegate.connection(_:willSendRequestFor:) delegate method lets the delegate make an informed decision about connection authentication up front. If the delegate implements this method, it does not need to implement NSURLConnectionDelegate.connection(_:canAuthenticateAgainstProtectionSpace:) or NSURLConnectionDelegate.connection(_:didReceive:). In fact, those methods are never called, so any security checks they perform are silently skipped.
References
[1] connection(_:willSendRequestFor:) API documentation Apple
[2] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[3] Standards Mapping - OWASP API 2023 API2 Broken Authentication
[4] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[5] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
desc.structural.objc.authentication_bad_practice_ignored_authentication_method
Abstract
Implementing the NSURLConnectionDelegate.connection(_:willSendRequestFor:) delegate callback method causes the system to ignore the NSURLConnectionDelegate.connection(_:canAuthenticateAgainstProtectionSpace:) and NSURLConnectionDelegate.connection(_:didReceive:) methods.
Explanation
The NSURLConnectionDelegate.connection(_:willSendRequestFor:) delegate method lets the delegate make an informed decision about connection authentication up front. If the delegate implements this method, it does not need to implement NSURLConnectionDelegate.connection(_:canAuthenticateAgainstProtectionSpace:) or NSURLConnectionDelegate.connection(_:didReceive:). In fact, those methods are never called, so any security checks they perform are silently skipped.
References
[1] connection(_:willSendRequestFor:) API documentation Apple
[2] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[3] Standards Mapping - OWASP API 2023 API2 Broken Authentication
[4] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[5] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
desc.structural.swift.authentication_bad_practice_ignored_authentication_method
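The following Swift example is added here to illustrate both the Objective-C and Swift entries above; it is not code from the original page, from Fortify, or from Apple. The two delegate classes and the host name "api.example.com" are hypothetical placeholders. The first class shows the pattern the entries describe: the server-trust evaluation was written in connection(_:didReceive:), but because connection(_:willSendRequestFor:) is also implemented, that evaluation is dead code and the challenge is accepted unchecked. The second class keeps willSendRequestFor: as the only authentication callback and performs the chain evaluation inside it.

```swift
import Foundation
import Security

// Added example, not code from the original page. Both classes are hypothetical;
// "api.example.com" is a placeholder host.

// Flawed delegate: the trust check lives in didReceive:, but willSendRequestFor:
// is also implemented. With willSendRequestFor: present, neither didReceive: nor
// canAuthenticateAgainstProtectionSpace: is ever invoked, so the certificate
// chain is accepted without evaluation.
final class IgnoredChecksDelegate: NSObject, NSURLConnectionDelegate {

    func connection(_ connection: NSURLConnection,
                    willSendRequestFor challenge: URLAuthenticationChallenge) {
        // Accepts whatever the server presents; no trust evaluation happens here.
        if let trust = challenge.protectionSpace.serverTrust {
            challenge.sender?.use(URLCredential(trust: trust), for: challenge)
        } else {
            challenge.sender?.continueWithoutCredential(for: challenge)
        }
    }

    func connection(_ connection: NSURLConnection,
                    canAuthenticateAgainstProtectionSpace protectionSpace: URLProtectionSpace) -> Bool {
        // Never called once willSendRequestFor: is implemented.
        return protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust
    }

    func connection(_ connection: NSURLConnection,
                    didReceive challenge: URLAuthenticationChallenge) {
        // Never called either, so this evaluation is dead code.
        guard let trust = challenge.protectionSpace.serverTrust,
              SecTrustEvaluateWithError(trust, nil) else {
            challenge.sender?.cancel(challenge)
            return
        }
        challenge.sender?.use(URLCredential(trust: trust), for: challenge)
    }
}

// Corrected delegate: willSendRequestFor: is the only authentication callback,
// and the chain evaluation is performed inside it.
final class TrustCheckingDelegate: NSObject, NSURLConnectionDelegate {

    private let expectedHost: String

    init(expectedHost: String) {
        self.expectedHost = expectedHost
    }

    func connection(_ connection: NSURLConnection,
                    willSendRequestFor challenge: URLAuthenticationChallenge) {
        let space = challenge.protectionSpace

        // Only server-trust challenges are decided here; other challenge types
        // (for example HTTP basic) get the system's default handling.
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = space.serverTrust else {
            challenge.sender?.performDefaultHandling?(for: challenge)
            return
        }

        // Bind the evaluation to an SSL policy for the expected host so that both
        // the chain and the leaf certificate's name are checked, and refuse any
        // challenge that arrives for a different host.
        SecTrustSetPolicies(trust, SecPolicyCreateSSL(true, expectedHost as CFString))
        var error: CFError?
        guard space.host == expectedHost, SecTrustEvaluateWithError(trust, &error) else {
            challenge.sender?.cancel(challenge)
            return
        }

        // Chain is valid for the expected host: proceed with a trust-backed credential.
        challenge.sender?.use(URLCredential(trust: trust), for: challenge)
    }
}
```

To use the corrected delegate, pass it when creating the connection, for example NSURLConnection(request: URLRequest(url: url), delegate: TrustCheckingDelegate(expectedHost: "api.example.com")). Two practical notes: a code review or lint rule that flags any NSURLConnectionDelegate implementing willSendRequestFor: alongside canAuthenticateAgainstProtectionSpace: or didReceive: catches this pattern cheaply, since the latter two are guaranteed dead; and NSURLConnection itself is deprecated in favour of URLSession, whose single urlSession(_:didReceive:completionHandler:) callback avoids the split between competing authentication methods.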