DerScanner
Home / Vulnerability Database / Objective-C : Unsafe SSL or TLS settings using AFNetworking
Objective-C

Objective-C : Unsafe SSL or TLS settings using AFNetworking

Classification

OWASP Mobile Top 10 2014
M3-Insufficient Transport Layer Protection
OWASP Mobile Top 10 2016
M3-Insecure Communication
OWASP MASVS
V5: 5.2.(L1/L2/L1+R/L2+R)
PCI DSS 4.0
2.2.54.2.16.2.4
HIPAA
§164.312 (e)(1)
CWE
CWE-295

Overview

The application establishes an SSL / TLS connection with insecure settings using the AFNetworking library.

To establish a secure connection the application must verify that the certificate corresponds to the requested host, the certificate term has not expired, and that the chain of trust goes back to one of the root certificates trusted by the system. Disabling any of these checks may lead to compromise of transferred data.

Insecure Communication ranks third in the “OWASP Mobile Top 10 2016”. mobile platforms vulnerabilities ranking.

References

  1. CWE-295: Improper Certificate Validation
  2. OWASP Mobile Top 10 2014: Insufficient Transport Layer Protection
  3. Using Networking Securely - developer.apple.com
  4. OWASP Mobile Top 10 2016-M3-Insecure Communication
CRITICAL

DerScanner Severity Score

Do you want to fix Objective-C : Unsafe SSL or TLS settings using AFNetworking in your application?

See also

Objective-C

Objective-C : Internal information leak

Objective-C

Objective-C : Weak hashing algorithm

Objective-C

Objective-C : Unsafe reflection