界: Encapsulation
封装即绘制强边界。在 Web 浏览器中,这可能意味着确保您的移动代码不会被其他移动代码滥用。在服务器上,这可能意味着区分已验证数据和未验证数据、区分一个用户的数据和另一个用户的数据,或者区分允许用户查看的数据和不允许用户查看的数据。
Insecure IPC: Missing Sender Verification
Abstract
该应用程序未能验证基于 URL 的过程间通信 (IPC) 调用的发送方。
Explanation
当第三方应用程序或
示例 1:
webview 使用 URL 与您的应用程序通信时,作为接收方的应用程序应验证预期与其通信的应用程序允许列表中是否包含发送方。作为接收方的应用程序可选择使用 UIApplicationDelegate application:openURL:options: 或 UIApplicationDelegate application:openURL:sourceApplication:annotation: 代理方法来验证调用 URL 的来源。示例 1:
UIApplicationDelegate application:openURL:options: 代理方法的以下实现在未验证 IPC 调用发送方的情况下便处理了调用 URL:
- (BOOL)application:(UIApplication *)app openURL:(NSURL *)url options:(NSDictionary<NSString *,id> *)options {
NSString *theQuery = [[url query] stringByRemovingPercentEncoding:NSUTF8StringEncoding];
NSArray *chunks = [theQuery componentsSeparatedByString:@"&"];
for (NSString* chunk in chunks) {
NSArray *keyval = [chunk componentsSeparatedByString:@"="]; NSString *key = [keyval objectAtIndex:0];
NSString *value = [keyval objectAtIndex:1];
// Do something with your key and value
}
return YES;
}
References
[1] David Thiel iOS Application Security: The Definitive Guide for Hackers and Developers No Starch Press
[2] UIApplicationDelegate Apple
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[7] Standards Mapping - Common Weakness Enumeration CWE ID 501, CWE ID 939
[8] Standards Mapping - Common Weakness Enumeration Top 25 2020 [25] CWE ID 862
[9] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862
[10] Standards Mapping - Common Weakness Enumeration Top 25 2022 [16] CWE ID 862
[11] Standards Mapping - Common Weakness Enumeration Top 25 2023 [11] CWE ID 862
[12] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001084, CCI-002754
[13] Standards Mapping - FIPS200 SI
[14] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[15] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[16] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[17] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[18] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.1.4 Generic Web Service Security Verification Requirements (L2 L3)
[20] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[21] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[22] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[25] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[46] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.structural.objc.insecure_ipc_missing_sender_verification
Abstract
该应用程序未能验证基于 URL 的过程间通信 (IPC) 调用的发送方。
Explanation
当第三方应用程序或
示例 1:
wewbview 使用 URL 与您的应用程序通信时,作为接收方的应用程序应验证预期与其通信的应用程序允许列表中是否包含发送方。作为接收方的应用程序可选择使用 UIApplicationDelegate application:openURL:options: 或 UIApplicationDelegate application:openURL:sourceApplication:annotation: 代理方法来验证调用 URL 的来源。示例 1:
UIApplicationDelegate application:openURL:options: 代理方法的以下实现在未验证 IPC 调用发送方的情况下便处理了调用 URL:
func application(app: UIApplication, openURL url: NSURL, options: [String : AnyObject]) -> Bool {
return processCall(url)
}
References
[1] David Thiel iOS Application Security: The Definitive Guide for Hackers and Developers No Starch Press
[2] UIApplicationDelegate Apple
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[7] Standards Mapping - Common Weakness Enumeration CWE ID 501, CWE ID 939
[8] Standards Mapping - Common Weakness Enumeration Top 25 2020 [25] CWE ID 862
[9] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862
[10] Standards Mapping - Common Weakness Enumeration Top 25 2022 [16] CWE ID 862
[11] Standards Mapping - Common Weakness Enumeration Top 25 2023 [11] CWE ID 862
[12] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001084, CCI-002754
[13] Standards Mapping - FIPS200 SI
[14] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[15] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[16] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[17] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[18] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.1.4 Generic Web Service Security Verification Requirements (L2 L3)
[20] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[21] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[22] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[25] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[46] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.structural.swift.insecure_ipc_missing_sender_verification