Swift : WebView Misconfiguration

Classification

OWASP MASVS V6: 6.6.(L1/L2/L1+R/L2+R)

Overview

The WebView is not configured to accept only a minimum set of protocols (ideally https only). Support for potentially dangerous URL schemes (such as file, tel and custom app-id schemes) is not disabled.

Several default schemes are available for WebView interpretation on iOS, for example:

* http(s)://
* file://

A WebView can load remote content from an endpoint, but it can also load local content from the app data directory. If local content is loaded, the user should not be able to influence the filename or the path used to load the file, and users should not be able to edit the loaded file. It is therefore recommended to use other methods for loading local files, or to take the recommended precautions when doing so.
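The following is an added example, not code from the original page: a WKWebView whose navigation delegate refuses every scheme except https:// to an allow-listed host, plus a loader that exposes exactly one bundled file with read access scoped to that file. The host name and the resource name "help.html" are assumptions.

```swift
import UIKit
import WebKit

/// Hosts the app is allowed to render; a constructed value, not from the page.
private let allowedHosts: Set<String> = ["example.com"]

final class RestrictedWebViewController: UIViewController, WKNavigationDelegate {
    private var webView: WKWebView!
    /// The single bundled page that may be shown locally (hypothetical resource name).
    private let trustedLocalPage = Bundle.main.url(forResource: "help", withExtension: "html")

    override func viewDidLoad() {
        super.viewDidLoad()
        let config = WKWebViewConfiguration()
        config.preferences.javaScriptCanOpenWindowsAutomatically = false
        webView = WKWebView(frame: view.bounds, configuration: config)
        webView.navigationDelegate = self
        view.addSubview(webView)
        // The start URL is fixed in code; no user-controlled string reaches the loader.
        webView.load(URLRequest(url: URL(string: "https://example.com/")!))
    }

    /// Allow only https:// to an allow-listed host, or the one trusted bundled file.
    /// Everything else (http, file, tel, custom app schemes) is refused.
    func isPermitted(_ url: URL?) -> Bool {
        guard let url = url, let scheme = url.scheme?.lowercased() else { return false }
        if scheme == "https", let host = url.host?.lowercased() {
            return allowedHosts.contains(host)
        }
        if scheme == "file", let trusted = trustedLocalPage {
            return url.standardizedFileURL == trusted.standardizedFileURL
        }
        return false
    }

    func webView(_ webView: WKWebView,
                 decidePolicyFor navigationAction: WKNavigationAction,
                 decisionHandler: @escaping (WKNavigationActionPolicy) -> Void) {
        decisionHandler(isPermitted(navigationAction.request.url) ? .allow : .cancel)
    }

    /// Loads the bundled page with read access limited to that one file, so the
    /// web view cannot reach other files in the app container. The file name is
    /// fixed in code; no user input selects the path.
    func showTrustedLocalPage() {
        guard let page = trustedLocalPage else { return }
        webView.loadFileURL(page, allowingReadAccessTo: page)
    }
}
```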

References

1. OWASP MASVS V6: Platform Interaction Requirements