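Kingdom: Security Features

Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.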

Authentication Bad Practice: Missing Host Check

Abstract
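The NSURLConnection/NSURLSession authentication handling callback fails to check which host it is sending credentials to.
Explanation
Applications implement NSURLConnection/NSURLSession callbacks to handle authentication requests. If the application forgets to ensure that the authentication request comes from the expected host, credentials are sent to every URL the application loads. In addition, failing to check that the credentials can be sent securely can result in credential theft.

Example 1 (Objective-C): The following application sends the user's credentials to any host that requests authentication: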


- (void)URLSession:(NSURLSession *)session
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
  completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential *))completionHandler {
    NSString *user = [self getUser];
    NSString *pass = [self getPassword];

    // challenge.protectionSpace is never inspected: any host that issues a challenge receives the credential.
    NSURLCredential *cred = [NSURLCredential credentialWithUser:user
                                                       password:pass
                                                    persistence:NSURLCredentialPersistenceForSession];
    completionHandler(NSURLSessionAuthChallengeUseCredential, cred);
}
References
[1] David Thiel, iOS Application Security: The Definitive Guide for Hackers and Developers, No Starch Press
[2] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[3] Standards Mapping - OWASP API 2023 API2 Broken Authentication
[4] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[5] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
desc.structural.objc.authentication_bad_practice_missing_host_check
Example 1 (Swift): The following application sends the user's credentials to any host that requests authentication:


func urlSession(_ session: URLSession,
                didReceive challenge: URLAuthenticationChallenge,
                completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
    let user = getUser()
    let pass = getPassword()

    // challenge.protectionSpace is never inspected: any host that issues a challenge receives the credential.
    let credential = URLCredential(user: user, password: pass, persistence: .none)

    completionHandler(Foundation.URLSession.AuthChallengeDisposition.useCredential, credential)
}
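For contrast, a hardened form of the Swift callback, written as an added example and not taken from the original page: it answers a password challenge only when the protection space matches one expected endpoint and the credential can be sent securely. The class name `AuthDelegate`, the host `api.example.com`, the port, and the stub bodies of `getUser()`/`getPassword()` are assumptions.

```swift
import Foundation

final class AuthDelegate: NSObject, URLSessionDelegate {
    // Assumed values: the single endpoint this app is meant to authenticate to.
    private let expectedHost = "api.example.com"
    private let expectedPort = 443
    private let passwordMethods: Set<String> = [
        NSURLAuthenticationMethodHTTPBasic,
        NSURLAuthenticationMethodHTTPDigest
    ]

    /// True only when the challenge comes from the expected host, port and scheme
    /// and the system reports that the credential will not travel in the clear.
    func shouldSendCredential(to space: URLProtectionSpace) -> Bool {
        return space.host.lowercased() == expectedHost
            && space.port == expectedPort
            && space.protocol == NSURLProtectionSpaceHTTPS
            && passwordMethods.contains(space.authenticationMethod)
            && space.receivesCredentialSecurely
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let space = challenge.protectionSpace

        // Not a password challenge (for example server trust): use the system default.
        guard passwordMethods.contains(space.authenticationMethod) else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Unexpected host, port or scheme, or a retry after the server already
        // rejected the credential: cancel rather than send it.
        guard shouldSendCredential(to: space), challenge.previousFailureCount == 0 else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        let credential = URLCredential(user: getUser(), password: getPassword(),
                                       persistence: .none)
        completionHandler(.useCredential, credential)
    }

    // Stubs standing in for the page's getUser()/getPassword() helpers (assumed).
    private func getUser() -> String { return "" }
    private func getPassword() -> String { return "" }
}
```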
desc.structural.swift.authentication_bad_practice_missing_host_check