1464 个项目已找到

弱点

Insecure Storage: Universal Clipboard

Objective-C
Swift

Abstract

应用程序会将内容存储到通用粘贴板，该粘贴板会在使用同一个 iCloud 帐户登录的所有设备之间自动同步。

Explanation

识别出的函数会将数据写入通用粘贴板，但未阻止数据通过“接力”功能在各个设备的通用剪贴板之间同步。

写入通用粘贴板的内容在设备重启、应用程序卸载和应用程序恢复期间会永久存储。在启用了通用剪贴板功能的情况下使用通用粘贴板会增加粘贴板数据被盗用或被修改的风险，这是在另一台设备上运行的恶意应用程序发起剪贴板劫持攻击的一部分。

此外，由于通用剪贴板与运行 iOS 10 及更高版本或 macOS Sierra 及更高版本的设备兼容，因此运行较旧的操作系统（不含旨在保护未经授权的剪贴板访问的最新隐私和安全更新）的兼容设备会带来更大的威胁。

示例 1：以下代码通过设置 items 属性将数据写入通用粘贴板，默认情况下，该属性允许通过通用剪贴板在用户设备之间共享粘贴板内容。


...
UIPasteboard *pasteboard = [UIPasteboard generalPasteboard];
NSDictionary *items = @{
    UTTypePlainText : sensitiveDataString,
    UTTypePNG : [UIImage imageWithData:medicalImageData]
};
[pasteboard setItems: @[items]];
...

示例 2：以下代码在通用剪贴板行为显式启用（通过将 localOnly 参数设置为 NO）的情况下通过调用 setObjects:localOnly:expirationDate: 方法将数据写入通用粘贴板。


...
UIPasteboard *pasteboard = [UIPasteboard generalPasteboard];
[pasteboard setObjects:@[sensitiveDataString, [UIImage imageWithData:medicalImageData]] 
            localOnly:NO 
            expirationDate:[NSDate distantFuture]];
...

References

[1] UIPasteboard | Apple Developer Documentation Apple

[2] iOS Platform APIs - OWASP Mobile Application Security OWASP

[3] Standards Mapping - Common Weakness Enumeration CWE ID 312, CWE ID 359

[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200

[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200

[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200

[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200

[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002475

[9] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)

[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest

[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.1.1 Data Classification (L2 L3), 6.1.2 Data Classification (L2 L3), 6.1.3 Data Classification (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3), 8.2.2 Client-side Data Protection (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 10.2.1 Malicious Code Search (L2 L3)

[13] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage

[14] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage

[15] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1

[16] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage

[17] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling

[18] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure

[19] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure

[20] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 8.4

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.6, Requirement 8.4

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.4

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.3.1, Requirement 3.5.1, Requirement 4.2.2, Requirement 6.2.4, Requirement 8.3.1

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.1, Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 4.2.2, Requirement 6.2.4, Requirement 8.3.1

[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection, Control Objective B.2.5 - Terminal Software Design

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection, Control Objective B.2.5 - Terminal Software Design

[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I

[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I

[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I

[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I

[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I

[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002340 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002340 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002340 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002340 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002340 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002340 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002340 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002340 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002340 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002340 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002340 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002340 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002340 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002340 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002340 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002340 CAT II

[56] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)

[57] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage

desc.dataflow.objc.insecure_storage_universal_clipboard

Abstract

应用程序会将内容存储到通用粘贴板，该粘贴板会在使用同一个 iCloud 帐户登录的所有设备之间自动同步。

Explanation

识别出的函数会将数据写入通用粘贴板，但未阻止数据通过“接力”功能在各个设备的通用剪贴板之间同步。

写入通用粘贴板的内容在设备重启、应用程序卸载和应用程序恢复期间会永久存储。在启用了通用剪贴板功能的情况下使用通用粘贴板会增加粘贴板数据被盗用或被修改的风险，这是在另一台设备上运行的恶意应用程序发起剪贴板劫持攻击的一部分。

此外，由于通用剪贴板与运行 iOS 10 及更高版本或 macOS Sierra 及更高版本的设备兼容，因此运行较旧的操作系统（不含旨在保护未经授权的剪贴板访问的最新隐私和安全更新）的兼容设备会带来更大的威胁。

示例 1：以下代码使用 setItems(_:options:) 方法将数据写入通用粘贴板，默认情况下，该方法通过通用剪贴板在用户设备之间共享粘贴板内容。


...
let pasteboard = UIPasteboard.general
let items: [[String: Any]] = [
    ["text": sensitiveDataString],
    ["image": UIImage(data: medicalImageData)!]
]
pasteboard.setItems(items)
...

示例 2：以下代码在通用剪贴板行为显式启用（通过将 localOnly 参数设置为 false）的情况下使用 setObjects(_:localOnly:expirationDate:) 方法将数据写入通用粘贴板。


...
let pasteboard = UIPasteboard.general
let items: [Any] = [
    sensitiveDataString,
    UIImage(data: medicalImageData)!
]
pasteboard.setObjects([items], localOnly: false, expirationDate: Date.distantFuture)
...