DerScanner
Home / Vulnerability Database / Swift : Insecure configuration of the keychain Access Policy
Swift

Swift : Insecure configuration of the keychain Access Policy

Classification

OWASP Mobile Top 10 2016
M1-Improper Platform Usage
OWASP MASVS
V2: 2.11.(L2/L2+R)V4: 4.8.(L2/L2+R)
CWE
CWE-284CWE-287CWE-306
CWE/SANS Top 25 2011
CWE-306
CWE/SANS Top 25 2021
CWE-287CWE-306

Overview

The application uses potentially insecure keychain access control settings.

There is no user access policy setting for writing data to the keychain. Local user authentication via device password, Touch ID or Face ID is required to access the most sensitive data stored in the keychain.

References

  1. Testing Local Authentication (MSTG-AUTH-8 and MSTG-STORAGE-11)
  2. OWASP Mobile Top 10 2016-M1-Improper Platform Usage
  3. CWE-284: Improper Access Control
  4. CWE-306: Missing Authentication for Critical Function
LOW

DerScanner Severity Score

Do you want to fix Swift : Insecure configuration of the keychain Access Policy in your application?

See also

Swift

Swift : Nill password

Swift

Swift : Hardcoded salt

Swift

Swift : Undocumented feature: special account