界: Security Features

軟體安全性並非安全性軟體。我們關注驗證、Access Control、保密性、加密以及權限管理之類的主題。

Authentication Bad Practice: Missing Host Check

Abstract
針對 NSURLConnectionNSURLSession 的驗證處理回呼無法檢查其將認證傳送至的目標主機。
Explanation
應用程式會執行 NSURLConnectionNSURLSession 回呼來處理驗證要求。忘記確保驗證要求來自預期的主機,將導致認證傳送至應用程式載入的每個 URL。此外,未能檢查認證是否能安全傳送將導致認證遭竊取。

範例 1:以下應用程式會將使用者認證傳送至要求驗證的任何主機:


- (void)URLSession:(NSURLSession *)session didReceiveChallenge:(NS URLAuthenticationChallenge *)challenge completionHandler:(void (^)(NS URLSessionAuthChallengeDisposition, NSURLCredential *))completionHandler { 
    NSString *user = [self getUser]; 
    NSString *pass = [self getPassword]; 

    NSURLCredential *cred = [NSURLCredential credentialWithUser:user 
    password:pass persistence:NSURLCredentialPersistenceForSession]; 
    completionHandler(NSURLSessionAuthChallengeUseCredential, credential);
}
References
[1] David Thiel iOS Application Security: The Definitive Guide for Hackers and Developers No Starch Press
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 4
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 2
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[6] Standards Mapping - CIS Kubernetes Benchmark complete
[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[8] Standards Mapping - OWASP API 2023 API2 Broken Authentication
[9] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[10] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
desc.structural.objc.authentication_bad_practice_missing_host_check
Abstract
針對 NSURLConnectionNSURLSession 的驗證處理回呼無法檢查其將認證傳送至的目標主機。
Explanation
應用程式會執行 NSURLConnectionNSURLSession 回呼來處理驗證要求。忘記確保驗證要求來自預期的主機,將導致認證傳送至應用程式載入的每個 URL。此外,未能檢查認證是否能安全傳送將導致認證遭竊取。

範例 1:以下應用程式會將使用者認證傳送至要求驗證的任何主機:


func urlSession(_ session: URLSession, didReceive challenge: URLAuthenticationChallenge, completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {

    let user = getUser()
    let pass = getPassword()  

    let credential = URLCredential(user: user, password: pass, persistence: .none)

    completionHandler(Foundation.URLSession.AuthChallengeDisposition.useCredential, credential)
}
References
[1] David Thiel iOS Application Security: The Definitive Guide for Hackers and Developers No Starch Press
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 4
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 2
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[6] Standards Mapping - CIS Kubernetes Benchmark complete
[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[8] Standards Mapping - OWASP API 2023 API2 Broken Authentication
[9] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[10] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
desc.structural.swift.authentication_bad_practice_missing_host_check