software composition analysis
Product
SAST
Catch vulnerabilities as you develop DAST
Test live web applications like an attacker SCA
Secure open-source and supply chain MAST
Secure mobile apps from code to store Compliance
Align with standards while shipping secure code
Resources
Vulnerability database Healthy Package
Blog News
Documentation
Pricing Partners About Us Log In
software composition analysis

Swift : WebView Misconfiguration

Classification

OWASP MASVS V6: 6.6.(L1/L2/L1+R/L2+R)

Overview

WebView is not configured with support for a minimum set of protocols (ideally https only). Support for potentially dangerous URL schemes (such as: file, tel and app-id) is not disabled.

Several default schemes are available for WebView interpretation on iOS, for example: * http(s):// * file://

WebView can load remote content from an endpoint, but they can also load local content from the app data directory. If the local content is loaded, the user shouldn’t be able to influence the filename or the path used to load the file, and users shouldn’t be able to edit the loaded file. Thus, it is recommended to use other methods for loading local files or take recommended precautions.

References

1.OWASP MASVS V6:Platform Interaction Requirements

See also

Swift : Weak seed of random number generator
Swift : Weak hashing algorithm
Swift : Missing jailbreak detection