App allows self-signed or invalid SSL certificates. App is vulnerable to MITM attacks.

ID

objectivec.network.ios_self_signed_ssl

Severity

critical

Resource

Network

Language

Objective-C

Description

App allows self-signed or invalid SSL certificates. App is vulnerable to MITM attacks.

Rationale

App allows self-signed or invalid SSL certificates. Because the delegate accepts every protection space without evaluating the server's certificate chain, an attacker positioned on the network path can present a forged certificate and read or alter the traffic, so the app is vulnerable to MITM attacks.

The following code illustrates a vulnerable pattern detected by this rule:

#import <Foundation/Foundation.h>

// connection:canAuthenticateAgainstProtectionSpace: is an NSURLConnectionDelegate
// method, so the delegate declares that protocol (not NSURLSessionDelegate).
@interface BadSSLDelegate : NSObject <NSURLConnectionDelegate>
@end

@implementation BadSSLDelegate

- (BOOL)connection:(NSURLConnection *)connection canAuthenticateAgainstProtectionSpace:(NSURLProtectionSpace *)protectionSpace {
    // VULNERABLE: App allows self signed or invalid SSL certificates. App is vulnerable to MITM attacks.
    // Returning YES for every protection space, including server trust, takes certificate
    // validation away from the system and lets the app accept any certificate chain.
    return YES;
}

@end

Remediation

Follow secure coding practices: do not accept every protection space. Let the system evaluate the server's certificate chain (or evaluate it explicitly with the Security framework) and cancel the connection when a self-signed, expired, wrong-host or otherwise invalid certificate is presented.
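As an added example (not code from this rule or its documentation), the hardened counterpart of the delegate above on the NSURLSession API: it handles only the server-trust challenge, evaluates the chain with SecTrustEvaluateWithError, and cancels the connection when evaluation fails. The class name StrictSSLDelegate is assumed.

```objectivec
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Added example, not the rule's own code: a delegate that performs real
// server trust evaluation instead of accepting every protection space.
@interface StrictSSLDelegate : NSObject <NSURLSessionDelegate>
@end

@implementation StrictSSLDelegate

- (void)URLSession:(NSURLSession *)session
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
 completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition,
                             NSURLCredential * _Nullable))completionHandler {
    NSURLProtectionSpace *space = challenge.protectionSpace;

    // Only server trust is handled here; every other challenge type (client
    // certificates, HTTP auth) is left to the system's default handling.
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }

    SecTrustRef trust = space.serverTrust;
    if (trust == NULL) {
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
        return;
    }

    // Evaluate the chain against the system trust store. The SSL policy the
    // URL loading system already attached to the trust object enforces the
    // hostname match, so a valid certificate for the wrong host also fails.
    CFErrorRef error = NULL;
    BOOL trusted = SecTrustEvaluateWithError(trust, &error);  // iOS 12 / macOS 10.14+
    if (error != NULL) {
        CFRelease(error);
    }

    if (!trusted) {
        // Self-signed, expired, untrusted issuer or wrong host: refuse the connection.
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
        return;
    }

    // Chain is valid: continue with the credential derived from the evaluated trust.
    completionHandler(NSURLSessionAuthChallengeUseCredential,
                      [NSURLCredential credentialForTrust:trust]);
}

@end
```

Returning NSURLSessionAuthChallengePerformDefaultHandling for server trust gives the same validation; the explicit evaluation is shown because it is the point where certificate pinning would be added on top of chain validation.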

Configuration

This detector does not need any configuration.