UIWebView in app ignores SSL errors and accepts any SSL certificate.

ID

objectivec.network.ios_webview_ignore_ssl

Severity

critical

Resource

Network

Language

Objective-C

Description

The app's UIWebView ignores SSL errors and accepts any SSL certificate. The app is vulnerable to MITM attacks.

Rationale

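The app's UIWebView ignores SSL errors and accepts any SSL certificate, so it cannot tell the intended server from an impostor presenting a self-signed or otherwise invalid certificate. The app is vulnerable to MITM attacks.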

The following code illustrates a vulnerable pattern detected by this rule:

#import <Foundation/Foundation.h>

void badSetAllowsAnyHTTPS() {
    // VULNERABLE: disables certificate validation for the named host, so
    // UIWebView requests to it accept any SSL certificate.
    [NSURLRequest setAllowsAnyHTTPSCertificate:YES forHost:@"example.com"];
}

Remediation

Follow secure coding practices and review the references below for detailed remediation guidance.
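
A hardened counterpart to the vulnerable pattern above, as an added example that is not part of this rule's own documentation. It assumes the app loads content through an NSURLSession with a custom delegate; the class name StrictTrustDelegate is hypothetical.

```objectivec
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Added example; StrictTrustDelegate is a hypothetical name.
// The primary fix is to delete the setAllowsAnyHTTPSCertificate:forHost: call so
// the system's default certificate validation applies. Where the app needs its
// own challenge handler, that handler must evaluate the server trust and fail
// closed instead of accepting every certificate.
@interface StrictTrustDelegate : NSObject <NSURLSessionDelegate>
@end

@implementation StrictTrustDelegate

- (void)URLSession:(NSURLSession *)session
    didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
      completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition,
                                  NSURLCredential *_Nullable))completionHandler {
    NSURLProtectionSpace *space = challenge.protectionSpace;

    // Only server-trust challenges are decided here; others get default handling.
    if (![space.authenticationMethod
            isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }

    SecTrustRef trust = space.serverTrust;
    if (trust == NULL) {
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
        return;
    }

    // Bind evaluation to the host being contacted, so a valid certificate
    // issued for a different name is rejected.
    SecPolicyRef policy = SecPolicyCreateSSL(true, (__bridge CFStringRef)space.host);
    OSStatus status = SecTrustSetPolicies(trust, policy);
    CFRelease(policy);

    CFErrorRef error = NULL;
    if (status == errSecSuccess && SecTrustEvaluateWithError(trust, &error)) {
        completionHandler(NSURLSessionAuthChallengeUseCredential,
                          [NSURLCredential credentialForTrust:trust]);
        return;
    }

    // Fail closed: log the reason and cancel the connection.
    NSLog(@"TLS validation failed for %@: %@", space.host, (__bridge NSError *)error);
    if (error != NULL) CFRelease(error);
    completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
}

@end
```

SecTrustEvaluateWithError requires iOS 12 or later.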

Configuration

This detector does not need any configuration.