From b9e7d8bae4262b1958703e4d99f2a46b4ce8a56e Mon Sep 17 00:00:00 2001 From: Richard Im <100542994+richeeta@users.noreply.github.com> Date: Mon, 4 Nov 2024 13:26:43 -0600 Subject: [PATCH 1/7] Update Mobile_Application_Security_Cheat_Sheet.md --- ...Mobile_Application_Security_Cheat_Sheet.md | 40 ++++++++++++++++--- 1 file changed, 35 insertions(+), 5 deletions(-) diff --git a/cheatsheets/Mobile_Application_Security_Cheat_Sheet.md b/cheatsheets/Mobile_Application_Security_Cheat_Sheet.md index 49428dc14d..6f435601b7 100644 --- a/cheatsheets/Mobile_Application_Security_Cheat_Sheet.md +++ b/cheatsheets/Mobile_Application_Security_Cheat_Sheet.md 
@@ -246,11 +246,41 @@ examples of data that should not be logged. on working with data securely for more details. - Disable backup mode to prevent sensitive data being stored in backups. -### iOS - -- Use ATS (App Transport Security) to enforce strong security policies for - network communication. -- Do not store sensitive data in plist files. +### iOS and iPadOS +#### Shortcuts Permissions + +- iOS/iPadOS Shortcuts allow for automation of app functions, which may enable sensitive actions even when the device is locked. +- There are several scenarios in which a user can execute a Shortcut while the device is locked: +1. If a Shortcut is added as a widget to Today View, it can be accessed and executed while the device is locked. +2. If a Shortcut is assigned to the Action Button (on iPhone 15 Pro and iPhone 16 Pro models), it can be executed by pressing the Action Button while the device is locked. +3. If a Shortcut is assigned to the Control Center (on iOS/iPadOS 18+), it can be executed by pulling up the Control Center and pressing the Shortcut button while the device is locked. +4. A Shortcut can be invoked via Siri while the device is locked. +5. If a Shortcut is added to the user's Home Screen (on iOS/iPadOS 18+), it can be directly executed by tapping the Shortcut button on the user's lock screen while the device is locked. +6. If a Shortcut is set to run at a specific interval or a specific time, it can execute even if the device is locked. +- Sensitive app functionalities triggered via Shortcuts should always require device unlock before execution. +- **How**: Store secure tokens in Keychain that the app validates before executing sensitive shortcuts. Implement checks with `UIApplication.shared.isProtectedDataAvailable` to restrict execution of sensitive actions when the device is locked. 
+ +#### Siri Permissions + +- Siri can access app functionalities through voice or [Type to Siri](https://support.apple.com/guide/iphone/change-siri-accessibility-settings-iphaff1d606/ios#:~:text=Type%20instead%20of%20speak%20to,this%20option%20isn't%20shown.) commands, which is by default accessible even when the device is locked, potentially enabling unauthorized actions. +- Solution: Configure `requiresUserAuthentication` to `true` on intents that expose sensitive information or functionality. Additionally, set `INIntent.userConfirmationRequired = true` for operations requiring explicit user confirmation. These settings ensure proper authentication (e.g., Face ID or PIN) and explicit approval before Siri can execute sensitive commands. (For more information, see Apple Developer's [SiriKit](https://developer.apple.com/documentation/sirikit) documentation.) + +#### Deep Link Security +- Deep links offer direct access to specific app screens, which could potentially bypass authentication if not secured, allowing unauthorized users access to secure sections of the app. +-- An example of this on Microsoft Authenticator for iOS (which was remediated in July 2024) allowed users to bypass App Lock by simply navigating to `msauth://microsoft.aad.brokerplugin/?`, which would open Authenticator and dismiss the Face ID/Touch ID/passcode prompt. +- **How**: Implement authentication checks on any view controllers or endpoints accessed via deep links. Configure and validate Universal Links using apple-app-site-association files for secure deep linking. Sanitize and validate all parameters received through deep links to prevent injection attacks. Ensure unauthorized users are redirected to the login screen, preventing direct access to sensitive parts of the app without proper authentication. (See Apple Developer's [Supporting universal links in your app](https://developer.apple.com/documentation/xcode/supporting-universal-links-in-your-app) documentation for more information.) 
+ +#### WidgetKit Security + +- Widgets on the lock screen may display sensitive data, potentially exposing it without the device being unlocked. +- **How**: For iOS/iPadOS versions 17 and higher, use `WidgetInfo.isLocked` to detect lock screen state. For earlier iOS versions, implement custom logic based on available widget states since `widgetFamily` alone doesn't directly provide lock screen information. Apply conditional logic to mask or restrict sensitive widget content when appropriate security conditions aren't met. (See Apple's [WidgetKit security](https://support.apple.com/guide/security/widgetkit-security-secbb0a1f9b4/web) for more information.) + +#### Additional Security Considerations +- Configure appropriate background refresh policies to prevent sensitive data updates while the device is locked. +- Implement proper privacy-related configurations in `Info.plist` for features requiring user permissions. +- Use App Groups with appropriate security configurations when sharing data between app and widgets. +- Use ATS (App Transport Security) to enforce strong security policies for network communication. +- Do not store sensitive data in `plist` files. For further reading, visit the [OWASP Mobile Top 10 Project](https://owasp.org/www-project-mobile-top-10/). From 5bb15583373b746550e160763b0e680cbc1c3fcd Mon Sep 17 00:00:00 2001 From: Richard Im <100542994+richeeta@users.noreply.github.com> Date: Mon, 4 Nov 2024 13:39:29 -0600 Subject: [PATCH 2/7] Update Mobile_Application_Security_Cheat_Sheet.md --- cheatsheets/Mobile_Application_Security_Cheat_Sheet.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cheatsheets/Mobile_Application_Security_Cheat_Sheet.md b/cheatsheets/Mobile_Application_Security_Cheat_Sheet.md index 6f435601b7..84a812485b 100644 --- a/cheatsheets/Mobile_Application_Security_Cheat_Sheet.md +++ b/cheatsheets/Mobile_Application_Security_Cheat_Sheet.md 
@@ -263,11 +263,11 @@ examples of data that should not be logged. #### Siri Permissions - Siri can access app functionalities through voice or [Type to Siri](https://support.apple.com/guide/iphone/change-siri-accessibility-settings-iphaff1d606/ios#:~:text=Type%20instead%20of%20speak%20to,this%20option%20isn't%20shown.) commands, which is by default accessible even when the device is locked, potentially enabling unauthorized actions. -- Solution: Configure `requiresUserAuthentication` to `true` on intents that expose sensitive information or functionality. Additionally, set `INIntent.userConfirmationRequired = true` for operations requiring explicit user confirmation. These settings ensure proper authentication (e.g., Face ID or PIN) and explicit approval before Siri can execute sensitive commands. (For more information, see Apple Developer's [SiriKit](https://developer.apple.com/documentation/sirikit) documentation.) +- **How**: Configure `requiresUserAuthentication` to `true` on intents that expose sensitive information or functionality. Additionally, set `INIntent.userConfirmationRequired = true` for operations requiring explicit user confirmation. These settings ensure proper authentication (e.g., Face ID or PIN) and explicit approval before Siri can execute sensitive commands. (For more information, see Apple Developer's [SiriKit](https://developer.apple.com/documentation/sirikit) documentation.) #### Deep Link Security - Deep links offer direct access to specific app screens, which could potentially bypass authentication if not secured, allowing unauthorized users access to secure sections of the app. --- An example of this on Microsoft Authenticator for iOS (which was remediated in July 2024) allowed users to bypass App Lock by simply navigating to `msauth://microsoft.aad.brokerplugin/?`, which would open Authenticator and dismiss the Face ID/Touch ID/passcode prompt. 
+- An example of this on Microsoft Authenticator for iOS (which was remediated in July 2024) allowed users to bypass App Lock by simply navigating to `msauth://microsoft.aad.brokerplugin/?`, which would open Authenticator and dismiss the Face ID/Touch ID/passcode prompt. - **How**: Implement authentication checks on any view controllers or endpoints accessed via deep links. Configure and validate Universal Links using apple-app-site-association files for secure deep linking. Sanitize and validate all parameters received through deep links to prevent injection attacks. Ensure unauthorized users are redirected to the login screen, preventing direct access to sensitive parts of the app without proper authentication. (See Apple Developer's [Supporting universal links in your app](https://developer.apple.com/documentation/xcode/supporting-universal-links-in-your-app) documentation for more information.) #### WidgetKit Security From 0a12d55c6a0adbdf53a11660b0240fb0870f862a Mon Sep 17 00:00:00 2001 From: Richard Im <100542994+richeeta@users.noreply.github.com> Date: Mon, 4 Nov 2024 14:19:10 -0600 Subject: [PATCH 3/7] Update Mobile_Application_Security_Cheat_Sheet.md --- cheatsheets/Mobile_Application_Security_Cheat_Sheet.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/cheatsheets/Mobile_Application_Security_Cheat_Sheet.md b/cheatsheets/Mobile_Application_Security_Cheat_Sheet.md index 84a812485b..f9bc583fb8 100644 --- a/cheatsheets/Mobile_Application_Security_Cheat_Sheet.md +++ b/cheatsheets/Mobile_Application_Security_Cheat_Sheet.md @@ -247,6 +247,7 @@ examples of data that should not be logged. - Disable backup mode to prevent sensitive data being stored in backups. ### iOS and iPadOS + #### Shortcuts Permissions - iOS/iPadOS Shortcuts allow for automation of app functions, which may enable sensitive actions even when the device is locked. 
@@ -266,6 +267,7 @@ examples of data that should not be logged. - **How**: Configure `requiresUserAuthentication` to `true` on intents that expose sensitive information or functionality. Additionally, set `INIntent.userConfirmationRequired = true` for operations requiring explicit user confirmation. These settings ensure proper authentication (e.g., Face ID or PIN) and explicit approval before Siri can execute sensitive commands. (For more information, see Apple Developer's [SiriKit](https://developer.apple.com/documentation/sirikit) documentation.) #### Deep Link Security + - Deep links offer direct access to specific app screens, which could potentially bypass authentication if not secured, allowing unauthorized users access to secure sections of the app. - An example of this on Microsoft Authenticator for iOS (which was remediated in July 2024) allowed users to bypass App Lock by simply navigating to `msauth://microsoft.aad.brokerplugin/?`, which would open Authenticator and dismiss the Face ID/Touch ID/passcode prompt. - **How**: Implement authentication checks on any view controllers or endpoints accessed via deep links. Configure and validate Universal Links using apple-app-site-association files for secure deep linking. Sanitize and validate all parameters received through deep links to prevent injection attacks. Ensure unauthorized users are redirected to the login screen, preventing direct access to sensitive parts of the app without proper authentication. (See Apple Developer's [Supporting universal links in your app](https://developer.apple.com/documentation/xcode/supporting-universal-links-in-your-app) documentation for more information.) 
@@ -276,6 +278,7 @@ examples of data that should not be logged. - **How**: For iOS/iPadOS versions 17 and higher, use `WidgetInfo.isLocked` to detect lock screen state. For earlier iOS versions, implement custom logic based on available widget states since `widgetFamily` alone doesn't directly provide lock screen information. Apply conditional logic to mask or restrict sensitive widget content when appropriate security conditions aren't met. (See Apple's [WidgetKit security](https://support.apple.com/guide/security/widgetkit-security-secbb0a1f9b4/web) for more information.) #### Additional Security Considerations + - Configure appropriate background refresh policies to prevent sensitive data updates while the device is locked. - Implement proper privacy-related configurations in `Info.plist` for features requiring user permissions. - Use App Groups with appropriate security configurations when sharing data between app and widgets. From feac408daaf1a7ae3760fabf591cce000bf63aa3 Mon Sep 17 00:00:00 2001 From: Richard Hyunho Im Date: Wed, 20 Nov 2024 13:00:10 -0600 Subject: [PATCH 4/7] Update Mobile_Application_Security_Cheat_Sheet.md --- .../Mobile_Application_Security_Cheat_Sheet.md | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/cheatsheets/Mobile_Application_Security_Cheat_Sheet.md b/cheatsheets/Mobile_Application_Security_Cheat_Sheet.md index 84a812485b..e91979cb67 100644 --- a/cheatsheets/Mobile_Application_Security_Cheat_Sheet.md +++ b/cheatsheets/Mobile_Application_Security_Cheat_Sheet.md 
@@ -15,8 +15,8 @@ developers to consider security in their mobile app development. - Keep in mind security principles like least privilege, defense in depth, and separation of concerns. - Follow industry standards and best practices, such as: - - National Institute of Standards and Technology (NIST) - - Internet Engineering Task Force (IETF) + - National Institute of Standards and Technology (NIST) + - Internet Engineering Task Force (IETF) For more information, see the [Secure Product Design Cheat Sheet](Secure_Product_Design_Cheat_Sheet.md). @@ -204,8 +204,8 @@ examples of data that should not be logged. - Perform ethical hacking to identify vulnerabilities. - Example tests: - - Cryptographic vulnerability assessment. - - Attempt to execute backend server functionality anonymously by removing any session tokens from POST/GET requests. + - Cryptographic vulnerability assessment. + - Attempt to execute backend server functionality anonymously by removing any session tokens from POST/GET requests. ### 2. Automated Tests 
@@ -247,17 +247,22 @@ examples of data that should not be logged. - Disable backup mode to prevent sensitive data being stored in backups. ### iOS and iPadOS + #### Shortcuts Permissions - iOS/iPadOS Shortcuts allow for automation of app functions, which may enable sensitive actions even when the device is locked. + - There are several scenarios in which a user can execute a Shortcut while the device is locked: + 1. If a Shortcut is added as a widget to Today View, it can be accessed and executed while the device is locked. 2. If a Shortcut is assigned to the Action Button (on iPhone 15 Pro and iPhone 16 Pro models), it can be executed by pressing the Action Button while the device is locked. 3. If a Shortcut is assigned to the Control Center (on iOS/iPadOS 18+), it can be executed by pulling up the Control Center and pressing the Shortcut button while the device is locked. 4. A Shortcut can be invoked via Siri while the device is locked. 5. If a Shortcut is added to the user's Home Screen (on iOS/iPadOS 18+), it can be directly executed by tapping the Shortcut button on the user's lock screen while the device is locked. -6. If a Shortcut is set to run at a specific interval or a specific time, it can execute even if the device is locked. +6. If a Shortcut is set to run at a specific interval or a specific time, it can execute even if the device is locked. + - Sensitive app functionalities triggered via Shortcuts should always require device unlock before execution. + - **How**: Store secure tokens in Keychain that the app validates before executing sensitive shortcuts. Implement checks with `UIApplication.shared.isProtectedDataAvailable` to restrict execution of sensitive actions when the device is locked. #### Siri Permissions 
@@ -266,6 +271,7 @@ examples of data that should not be logged. - **How**: Configure `requiresUserAuthentication` to `true` on intents that expose sensitive information or functionality. Additionally, set `INIntent.userConfirmationRequired = true` for operations requiring explicit user confirmation. These settings ensure proper authentication (e.g., Face ID or PIN) and explicit approval before Siri can execute sensitive commands. (For more information, see Apple Developer's [SiriKit](https://developer.apple.com/documentation/sirikit) documentation.) #### Deep Link Security + - Deep links offer direct access to specific app screens, which could potentially bypass authentication if not secured, allowing unauthorized users access to secure sections of the app. - An example of this on Microsoft Authenticator for iOS (which was remediated in July 2024) allowed users to bypass App Lock by simply navigating to `msauth://microsoft.aad.brokerplugin/?`, which would open Authenticator and dismiss the Face ID/Touch ID/passcode prompt. - **How**: Implement authentication checks on any view controllers or endpoints accessed via deep links. Configure and validate Universal Links using apple-app-site-association files for secure deep linking. Sanitize and validate all parameters received through deep links to prevent injection attacks. Ensure unauthorized users are redirected to the login screen, preventing direct access to sensitive parts of the app without proper authentication. (See Apple Developer's [Supporting universal links in your app](https://developer.apple.com/documentation/xcode/supporting-universal-links-in-your-app) documentation for more information.) 
@@ -276,6 +282,7 @@ examples of data that should not be logged. - **How**: For iOS/iPadOS versions 17 and higher, use `WidgetInfo.isLocked` to detect lock screen state. For earlier iOS versions, implement custom logic based on available widget states since `widgetFamily` alone doesn't directly provide lock screen information. Apply conditional logic to mask or restrict sensitive widget content when appropriate security conditions aren't met. (See Apple's [WidgetKit security](https://support.apple.com/guide/security/widgetkit-security-secbb0a1f9b4/web) for more information.) #### Additional Security Considerations + - Configure appropriate background refresh policies to prevent sensitive data updates while the device is locked. - Implement proper privacy-related configurations in `Info.plist` for features requiring user permissions. - Use App Groups with appropriate security configurations when sharing data between app and widgets. From 83c7f668cce22b0c284d3c6afbf2ec754d04e803 Mon Sep 17 00:00:00 2001 From: Richard Im Date: Wed, 20 Nov 2024 13:04:58 -0600 Subject: [PATCH 5/7] Fix Markdown linting issues for Mobile Application Security Cheat Sheet --- .../Mobile_Application_Security_Cheat_Sheet.md | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/cheatsheets/Mobile_Application_Security_Cheat_Sheet.md b/cheatsheets/Mobile_Application_Security_Cheat_Sheet.md index f9bc583fb8..e91979cb67 100644 --- a/cheatsheets/Mobile_Application_Security_Cheat_Sheet.md +++ b/cheatsheets/Mobile_Application_Security_Cheat_Sheet.md 
@@ -15,8 +15,8 @@ developers to consider security in their mobile app development. - Keep in mind security principles like least privilege, defense in depth, and separation of concerns. - Follow industry standards and best practices, such as: - - National Institute of Standards and Technology (NIST) - - Internet Engineering Task Force (IETF) + - National Institute of Standards and Technology (NIST) + - Internet Engineering Task Force (IETF) For more information, see the [Secure Product Design Cheat Sheet](Secure_Product_Design_Cheat_Sheet.md). @@ -204,8 +204,8 @@ examples of data that should not be logged. - Perform ethical hacking to identify vulnerabilities. - Example tests: - - Cryptographic vulnerability assessment. - - Attempt to execute backend server functionality anonymously by removing any session tokens from POST/GET requests. + - Cryptographic vulnerability assessment. + - Attempt to execute backend server functionality anonymously by removing any session tokens from POST/GET requests. ### 2. Automated Tests 
@@ -251,14 +251,18 @@ examples of data that should not be logged. #### Shortcuts Permissions - iOS/iPadOS Shortcuts allow for automation of app functions, which may enable sensitive actions even when the device is locked. + - There are several scenarios in which a user can execute a Shortcut while the device is locked: + 1. If a Shortcut is added as a widget to Today View, it can be accessed and executed while the device is locked. 2. If a Shortcut is assigned to the Action Button (on iPhone 15 Pro and iPhone 16 Pro models), it can be executed by pressing the Action Button while the device is locked. 3. If a Shortcut is assigned to the Control Center (on iOS/iPadOS 18+), it can be executed by pulling up the Control Center and pressing the Shortcut button while the device is locked. 4. A Shortcut can be invoked via Siri while the device is locked. 5. If a Shortcut is added to the user's Home Screen (on iOS/iPadOS 18+), it can be directly executed by tapping the Shortcut button on the user's lock screen while the device is locked. -6. If a Shortcut is set to run at a specific interval or a specific time, it can execute even if the device is locked. +6. If a Shortcut is set to run at a specific interval or a specific time, it can execute even if the device is locked. + - Sensitive app functionalities triggered via Shortcuts should always require device unlock before execution. + - **How**: Store secure tokens in Keychain that the app validates before executing sensitive shortcuts. Implement checks with `UIApplication.shared.isProtectedDataAvailable` to restrict execution of sensitive actions when the device is locked. #### Siri Permissions From bf254e2969cbfff1bdd3e10dfe002ceb35dcb1eb Mon Sep 17 00:00:00 2001 
From: Richard Im Date: Wed, 20 Nov 2024 13:19:34 -0600 Subject: [PATCH 6/7] Fix Markdown linting issues for Mobile Application Security Cheat Sheet --- ...Mobile_Application_Security_Cheat_Sheet.md | 121 +++++++++++++----- 1 file changed, 91 insertions(+), 30 deletions(-) diff --git a/cheatsheets/Mobile_Application_Security_Cheat_Sheet.md b/cheatsheets/Mobile_Application_Security_Cheat_Sheet.md index e91979cb67..d7dba8f804 100644 --- a/cheatsheets/Mobile_Application_Security_Cheat_Sheet.md +++ b/cheatsheets/Mobile_Application_Security_Cheat_Sheet.md @@ -45,8 +45,11 @@ of security unknowns. - Establish security controls for app updates, patches, and releases. - Monitor and detect security incidents of used third-party products. -See the [Vulnerable Dependency Management Cheat Sheet](Vulnerable_Dependency_Management_Cheat_Sheet.md) -for recommendations on managing third-party dependencies when vulnerabilities are discovered. +See the [Vulnerable Dependency Management Cheat Sheet]( +Vulnerable_Dependency_Management_Cheat_Sheet.md) + +for recommendations on managing third-party dependencies when +vulnerabilities are discovered. ## Authentication & Authorization 
@@ -54,28 +57,36 @@ Authentication is a complex topic and there are many pitfalls. Authentication logic must be written and tested with extreme care. The tips here are only a starting point and barely scratch the surface. For more information, see the [Authentication Cheat Sheet](Authentication_Cheat_Sheet.md) and -[M1: Insecure Authentication/Authorization](https://owasp.org/www-project-mobile-top-10/2023-risks/m1-insecure-authentication-authorization.html) from the OWASP Mobile Top 10. +[M1: Insecure Authentication/Authorization]( +https://owasp.org/www-project-mobile-top-10/2023-risks/m1-insecure-authentication-authorization.html) +from the OWASP Mobile Top 10. ### 1. Don't Trust the Client -- Perform authentication/authorization server-side and only load data on the device after successful authentication. -- If storing data locally, encrypt it using a key derived from the user’s login credentials. -- Do not store user passwords on the device; use device-specific tokens that can be revoked. +- Perform authentication/authorization server-side and only load data on +the device after successful authentication. +- If storing data locally, encrypt it using a key derived from the user’s +login credentials. +- Do not store user passwords on the device; use device-specific tokens +that can be revoked. - Avoid using spoofable values like device identifiers for authentication. -- Assume all client-side controls can be bypassed and perform them server-side as well. +- Assume all client-side controls can be bypassed and perform them +server-side as well. - Include client side code to detect code/binary tampering. ### 2. Credential Handling - Do not hardcode credentials in the mobile app. - Encrypt credentials in transmission. -- Do not store user credentials on the device. Consider using secure, revocable access tokens. +- Do not store user credentials on the device. Consider using +secure, revocable access tokens. ### 3. 
Passwords and PIN Policy - Require password complexity. - Do not allow short PINs such as 4 digits. -- Use platform specific secure storage mechanisms, such as Keychain (iOS) or Keystore (Android). +- Use platform specific secure storage mechanisms, such as +Keychain (iOS) or Keystore (Android). ### 4. Biometric Authentication @@ -205,7 +216,8 @@ examples of data that should not be logged. - Perform ethical hacking to identify vulnerabilities. - Example tests: - Cryptographic vulnerability assessment. - - Attempt to execute backend server functionality anonymously by removing any session tokens from POST/GET requests. + - Attempt to execute backend server functionality anonymously by removing any + session tokens from POST/GET requests. ### 2. Automated Tests 
@@ -250,43 +262,92 @@ examples of data that should not be logged. #### Shortcuts Permissions -- iOS/iPadOS Shortcuts allow for automation of app functions, which may enable sensitive actions even when the device is locked. +- iOS/iPadOS Shortcuts allow for automation of app functions, which may +enable sensitive actions even when the device is locked. -- There are several scenarios in which a user can execute a Shortcut while the device is locked: +- There are several scenarios in which a user can execute a Shortcut +while the device is locked: -1. If a Shortcut is added as a widget to Today View, it can be accessed and executed while the device is locked. -2. If a Shortcut is assigned to the Action Button (on iPhone 15 Pro and iPhone 16 Pro models), it can be executed by pressing the Action Button while the device is locked. -3. If a Shortcut is assigned to the Control Center (on iOS/iPadOS 18+), it can be executed by pulling up the Control Center and pressing the Shortcut button while the device is locked. +1. If a Shortcut is added as a widget to Today View, it can be accessed +and executed while the device is locked. +2. If a Shortcut is assigned to the Action Button (on iPhone 15 Pro and +iPhone 16 Pro models), it can be executed by pressing the Action Button +while the device is locked. +3. If a Shortcut is assigned to the Control Center (on iOS/iPadOS 18+), +it can be executed by pulling up the Control Center and pressing the +Shortcut button while the device is locked. 4. A Shortcut can be invoked via Siri while the device is locked. -5. If a Shortcut is added to the user's Home Screen (on iOS/iPadOS 18+), it can be directly executed by tapping the Shortcut button on the user's lock screen while the device is locked. -6. If a Shortcut is set to run at a specific interval or a specific time, it can execute even if the device is locked. +5. 
If a Shortcut is added to the user's Home Screen (on iOS/iPadOS 18+), +it can be directly executed by tapping the Shortcut button on the user's +lock screen while the device is locked. +6. If a Shortcut is set to run at a specific interval or a specific time, +it can execute even if the device is locked. -- Sensitive app functionalities triggered via Shortcuts should always require device unlock before execution. +- Sensitive app functionalities triggered via Shortcuts should always +require device unlock before execution. -- **How**: Store secure tokens in Keychain that the app validates before executing sensitive shortcuts. Implement checks with `UIApplication.shared.isProtectedDataAvailable` to restrict execution of sensitive actions when the device is locked. +- **How**: Store secure tokens in Keychain that the app validates before +executing sensitive shortcuts. Implement checks with +`UIApplication.shared.isProtectedDataAvailable` to restrict execution +of sensitive actions when the device is locked. #### Siri Permissions -- Siri can access app functionalities through voice or [Type to Siri](https://support.apple.com/guide/iphone/change-siri-accessibility-settings-iphaff1d606/ios#:~:text=Type%20instead%20of%20speak%20to,this%20option%20isn't%20shown.) commands, which is by default accessible even when the device is locked, potentially enabling unauthorized actions. -- **How**: Configure `requiresUserAuthentication` to `true` on intents that expose sensitive information or functionality. Additionally, set `INIntent.userConfirmationRequired = true` for operations requiring explicit user confirmation. These settings ensure proper authentication (e.g., Face ID or PIN) and explicit approval before Siri can execute sensitive commands. (For more information, see Apple Developer's [SiriKit](https://developer.apple.com/documentation/sirikit) documentation.) 
+- Siri can access app functionalities through voice or [Type to Siri]( + https://support.apple.com/guide/iphone/change-siri-accessibility-settings-iphaff1d606/ios.) + commands, which is by default accessible even when the device is locked + potentially enabling unauthorized actions. +- **How**: Configure `requiresUserAuthentication` to `true` on intents that expose +sensitive information or functionality. Additionally, set +`INIntent.userConfirmationRequired = true` for operations requiring explicit +user confirmation. These settings ensure proper authentication +(e.g., Face ID or PIN) and explicit approval before Siri can +execute sensitive commands. (For more information, see Apple Developer's +[SiriKit](https://developer.apple.com/documentation/sirikit) documentation.) #### Deep Link Security -- Deep links offer direct access to specific app screens, which could potentially bypass authentication if not secured, allowing unauthorized users access to secure sections of the app. -- An example of this on Microsoft Authenticator for iOS (which was remediated in July 2024) allowed users to bypass App Lock by simply navigating to `msauth://microsoft.aad.brokerplugin/?`, which would open Authenticator and dismiss the Face ID/Touch ID/passcode prompt. -- **How**: Implement authentication checks on any view controllers or endpoints accessed via deep links. Configure and validate Universal Links using apple-app-site-association files for secure deep linking. Sanitize and validate all parameters received through deep links to prevent injection attacks. Ensure unauthorized users are redirected to the login screen, preventing direct access to sensitive parts of the app without proper authentication. (See Apple Developer's [Supporting universal links in your app](https://developer.apple.com/documentation/xcode/supporting-universal-links-in-your-app) documentation for more information.) 
+- Deep links offer direct access to specific app screens, which could +potentially bypass authentication if not secured, allowing unauthorized +users access to secure sections of the app. +- An example of this on Microsoft Authenticator for iOS (which was +remediated in July 2024) allowed users to bypass App Lock by simply +navigating to `msauth://microsoft.aad.brokerplugin/?`, which would +open Authenticator and dismiss the Face ID/Touch ID/passcode prompt. +- **How**: Implement authentication checks on any view controllers +or endpoints accessed via deep links. Configure and validate Universal +Links using apple-app-site-association files for secure deep linking. +Sanitize and validate all parameters received through deep links to +prevent injection attacks. Ensure unauthorized users are redirected +to the login screen, preventing direct access to sensitive parts of +the app without proper authentication. (See Apple Developer's +[Supporting universal links in your app]( +https://developer.apple.com/documentation/xcode/supporting-universal-links-in-your-app) +documentation for more information.) #### WidgetKit Security -- Widgets on the lock screen may display sensitive data, potentially exposing it without the device being unlocked. -- **How**: For iOS/iPadOS versions 17 and higher, use `WidgetInfo.isLocked` to detect lock screen state. For earlier iOS versions, implement custom logic based on available widget states since `widgetFamily` alone doesn't directly provide lock screen information. Apply conditional logic to mask or restrict sensitive widget content when appropriate security conditions aren't met. (See Apple's [WidgetKit security](https://support.apple.com/guide/security/widgetkit-security-secbb0a1f9b4/web) for more information.) +- Widgets on the lock screen may display sensitive data, potentially +exposing it without the device being unlocked. +- **How**: For iOS/iPadOS versions 17 and higher, use `WidgetInfo.isLocked` +to detect lock screen state. 
For earlier iOS versions, implement custom +logic based on available widget states since `widgetFamily` alone doesn't +directly provide lock screen information. Apply conditional logic to mask +or restrict sensitive widget content when appropriate security conditions +aren't met. (See Apple's [WidgetKit security]( +https://support.apple.com/guide/security/widgetkit-security-secbb0a1f9b4/web) +for more information.) #### Additional Security Considerations -- Configure appropriate background refresh policies to prevent sensitive data updates while the device is locked. -- Implement proper privacy-related configurations in `Info.plist` for features requiring user permissions. -- Use App Groups with appropriate security configurations when sharing data between app and widgets. -- Use ATS (App Transport Security) to enforce strong security policies for network communication. +- Configure appropriate background refresh policies to prevent sensitive data +updates while the device is locked. +- Implement proper privacy-related configurations in `Info.plist` for +features requiring user permissions. +- Use App Groups with appropriate security configurations when sharing data +between app and widgets. +- Use ATS (App Transport Security) to enforce strong security policies for +network communication. - Do not store sensitive data in `plist` files. For further reading, visit the From 87e772198e2fa7ff5195d1b68f3433e725014778 Mon Sep 17 00:00:00 2001 From: Richard Hyunho Im Date: Tue, 10 Dec 2024 18:21:50 -0600 Subject: [PATCH 7/7] Update Mobile_Application_Security_Cheat_Sheet.md --- ...Mobile_Application_Security_Cheat_Sheet.md | 34 ++++--------------- 1 file changed, 6 insertions(+), 28 deletions(-) diff --git a/cheatsheets/Mobile_Application_Security_Cheat_Sheet.md b/cheatsheets/Mobile_Application_Security_Cheat_Sheet.md index e37fd07657..0d1c38a386 100644 --- a/cheatsheets/Mobile_Application_Security_Cheat_Sheet.md 
+++ b/cheatsheets/Mobile_Application_Security_Cheat_Sheet.md @@ -268,19 +268,19 @@ enable sensitive actions even when the device is locked. - There are several scenarios in which a user can execute a Shortcut while the device is locked: -1. If a Shortcut is added as a widget to Today View, it can be accessed + 1. If a Shortcut is added as a widget to Today View, it can be accessed and executed while the device is locked. -2. If a Shortcut is assigned to the Action Button (on iPhone 15 Pro and + 2. If a Shortcut is assigned to the Action Button (on iPhone 15 Pro and iPhone 16 Pro models), it can be executed by pressing the Action Button while the device is locked. -3. If a Shortcut is assigned to the Control Center (on iOS/iPadOS 18+), + 3. If a Shortcut is assigned to the Control Center (on iOS/iPadOS 18+), it can be executed by pulling up the Control Center and pressing the Shortcut button while the device is locked. -4. A Shortcut can be invoked via Siri while the device is locked. -5. If a Shortcut is added to the user's Home Screen (on iOS/iPadOS 18+), + 4. A Shortcut can be invoked via Siri while the device is locked. + 5. If a Shortcut is added to the user's Home Screen (on iOS/iPadOS 18+), it can be directly executed by tapping the Shortcut button on the user's lock screen while the device is locked. -6. If a Shortcut is set to run at a specific interval or a specific time, + 6. If a Shortcut is set to run at a specific interval or a specific time, it can execute even if the device is locked. - Sensitive app functionalities triggered via Shortcuts should always 
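Review bot: the single leading space added to items 1 to 6 does not nest the ordered list under the preceding `- There are several scenarios...` bullet in CommonMark, which requires a sublist to be indented to the parent item's content column (two spaces for a `- ` marker); with one space the `1.` line still opens a separate top-level list, so the change is cosmetic in the source but changes nothing in the rendered page. Either indent both the markers and their continuation lines (`and executed while the device is locked.`, `iPhone 16 Pro models), it can be ...`) by two spaces so the list is genuinely nested, or leave the items flush left as before rather than half-indenting them.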
@@ -291,21 +291,6 @@ executing sensitive shortcuts. Implement checks with `UIApplication.shared.isProtectedDataAvailable` to restrict execution of sensitive actions when the device is locked. -- iOS/iPadOS Shortcuts allow for automation of app functions, which may enable sensitive actions even when the device is locked. - -- There are several scenarios in which a user can execute a Shortcut while the device is locked: - -1. If a Shortcut is added as a widget to Today View, it can be accessed and executed while the device is locked. -2. If a Shortcut is assigned to the Action Button (on iPhone 15 Pro and iPhone 16 Pro models), it can be executed by pressing the Action Button while the device is locked. -3. If a Shortcut is assigned to the Control Center (on iOS/iPadOS 18+), it can be executed by pulling up the Control Center and pressing the Shortcut button while the device is locked. -4. A Shortcut can be invoked via Siri while the device is locked. -5. If a Shortcut is added to the user's Home Screen (on iOS/iPadOS 18+), it can be directly executed by tapping the Shortcut button on the user's lock screen while the device is locked. -6. If a Shortcut is set to run at a specific interval or a specific time, it can execute even if the device is locked. - -- Sensitive app functionalities triggered via Shortcuts should always require device unlock before execution. - -- **How**: Store secure tokens in Keychain that the app validates before executing sensitive shortcuts. Implement checks with `UIApplication.shared.isProtectedDataAvailable` to restrict execution of sensitive actions when the device is locked. - #### Siri Permissions - Siri can access app functionalities through voice or [Type to Siri]( 
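Review bot: the fifteen removed lines are the unwrapped copy of the Shortcuts bullets left behind when the section was re-wrapped, and every removed sentence survives verbatim in the wrapped block above, so no guidance is lost here. The last removed line is the blank separator that preceded `#### Siri Permissions`; the hunk shows `sensitive actions when the device is locked.` and the heading with nothing visible between them, so confirm a blank line still precedes the heading after this removal, otherwise the heading-spacing lint will flag it.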
@@ -339,9 +324,6 @@ the app without proper authentication. (See Apple Developer's [Supporting universal links in your app]( https://developer.apple.com/documentation/xcode/supporting-universal-links-in-your-app) documentation for more information.) -- Deep links offer direct access to specific app screens, which could potentially bypass authentication if not secured, allowing unauthorized users access to secure sections of the app. -- An example of this on Microsoft Authenticator for iOS (which was remediated in July 2024) allowed users to bypass App Lock by simply navigating to `msauth://microsoft.aad.brokerplugin/?`, which would open Authenticator and dismiss the Face ID/Touch ID/passcode prompt. -- **How**: Implement authentication checks on any view controllers or endpoints accessed via deep links. Configure and validate Universal Links using apple-app-site-association files for secure deep linking. Sanitize and validate all parameters received through deep links to prevent injection attacks. Ensure unauthorized users are redirected to the login screen, preventing direct access to sensitive parts of the app without proper authentication. (See Apple Developer's [Supporting universal links in your app](https://developer.apple.com/documentation/xcode/supporting-universal-links-in-your-app) documentation for more information.) #### WidgetKit Security 
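Review bot: the surviving wrapped guidance (`Implement authentication checks on any view controllers or endpoints accessed via deep links`) should say explicitly that the lock and authentication state is re-evaluated at the moment the URL is received, that is in `application(_:open:options:)` or `scene(_:openURLContexts:)`, because the Microsoft Authenticator case quoted in the removed lines is precisely an incoming `msauth://` URL dismissing an App Lock prompt that had already been shown; a check that runs only at launch does not cover that path. Separately, the context lines wrap `[Supporting universal links in your app](` with the destination URL starting on the next line; verify that the site's Markdown renderer resolves that form, or keep the URL on the same line as `](`.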
@@ -366,10 +348,6 @@ features requiring user permissions. between app and widgets. - Use ATS (App Transport Security) to enforce strong security policies for network communication. -- Configure appropriate background refresh policies to prevent sensitive data updates while the device is locked. -- Implement proper privacy-related configurations in `Info.plist` for features requiring user permissions. -- Use App Groups with appropriate security configurations when sharing data between app and widgets. -- Use ATS (App Transport Security) to enforce strong security policies for network communication. - Do not store sensitive data in `plist` files. For further reading, visit the
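Review bot: with the unwrapped duplicates gone, `#### Additional Security Considerations` now mixes widget-specific items (background refresh while locked, App Groups between app and widgets) with two items that apply to every iOS app regardless of WidgetKit, `Use ATS (App Transport Security) ...` and `Do not store sensitive data in `plist` files.`; consider moving those two up to the start of the parent iOS section so readers who are not shipping widgets still reach them, and keep this subsection for widget-related points only.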