diff --git a/cheatsheets/Mobile_Application_Security_Cheat_Sheet.md b/cheatsheets/Mobile_Application_Security_Cheat_Sheet.md index e37fd07657..0d1c38a386 100644 --- a/cheatsheets/Mobile_Application_Security_Cheat_Sheet.md +++ b/cheatsheets/Mobile_Application_Security_Cheat_Sheet.md @@ -268,19 +268,19 @@ enable sensitive actions even when the device is locked. - There are several scenarios in which a user can execute a Shortcut while the device is locked: -1. If a Shortcut is added as a widget to Today View, it can be accessed + 1. If a Shortcut is added as a widget to Today View, it can be accessed and executed while the device is locked. -2. If a Shortcut is assigned to the Action Button (on iPhone 15 Pro and + 2. If a Shortcut is assigned to the Action Button (on iPhone 15 Pro and iPhone 16 Pro models), it can be executed by pressing the Action Button while the device is locked. -3. If a Shortcut is assigned to the Control Center (on iOS/iPadOS 18+), + 3. If a Shortcut is assigned to the Control Center (on iOS/iPadOS 18+), it can be executed by pulling up the Control Center and pressing the Shortcut button while the device is locked. -4. A Shortcut can be invoked via Siri while the device is locked. -5. If a Shortcut is added to the user's Home Screen (on iOS/iPadOS 18+), + 4. A Shortcut can be invoked via Siri while the device is locked. + 5. If a Shortcut is added to the user's Home Screen (on iOS/iPadOS 18+), it can be directly executed by tapping the Shortcut button on the user's lock screen while the device is locked. -6. If a Shortcut is set to run at a specific interval or a specific time, + 6. If a Shortcut is set to run at a specific interval or a specific time, it can execute even if the device is locked. - Sensitive app functionalities triggered via Shortcuts should always @@ -291,21 +291,6 @@ executing sensitive shortcuts. Implement checks with `UIApplication.shared.isProtectedDataAvailable` to restrict execution of sensitive actions when the device is locked. -- iOS/iPadOS Shortcuts allow for automation of app functions, which may enable sensitive actions even when the device is locked. - -- There are several scenarios in which a user can execute a Shortcut while the device is locked: - -1. If a Shortcut is added as a widget to Today View, it can be accessed and executed while the device is locked. -2. If a Shortcut is assigned to the Action Button (on iPhone 15 Pro and iPhone 16 Pro models), it can be executed by pressing the Action Button while the device is locked. -3. If a Shortcut is assigned to the Control Center (on iOS/iPadOS 18+), it can be executed by pulling up the Control Center and pressing the Shortcut button while the device is locked. -4. A Shortcut can be invoked via Siri while the device is locked. -5. If a Shortcut is added to the user's Home Screen (on iOS/iPadOS 18+), it can be directly executed by tapping the Shortcut button on the user's lock screen while the device is locked. -6. If a Shortcut is set to run at a specific interval or a specific time, it can execute even if the device is locked. - -- Sensitive app functionalities triggered via Shortcuts should always require device unlock before execution. - -- **How**: Store secure tokens in Keychain that the app validates before executing sensitive shortcuts. Implement checks with `UIApplication.shared.isProtectedDataAvailable` to restrict execution of sensitive actions when the device is locked. - #### Siri Permissions - Siri can access app functionalities through voice or [Type to Siri]( @@ -339,9 +324,6 @@ the app without proper authentication. (See Apple Developer's [Supporting universal links in your app]( https://developer.apple.com/documentation/xcode/supporting-universal-links-in-your-app) documentation for more information.) -- Deep links offer direct access to specific app screens, which could potentially bypass authentication if not secured, allowing unauthorized users access to secure sections of the app. -- An example of this on Microsoft Authenticator for iOS (which was remediated in July 2024) allowed users to bypass App Lock by simply navigating to `msauth://microsoft.aad.brokerplugin/?`, which would open Authenticator and dismiss the Face ID/Touch ID/passcode prompt. -- **How**: Implement authentication checks on any view controllers or endpoints accessed via deep links. Configure and validate Universal Links using apple-app-site-association files for secure deep linking. Sanitize and validate all parameters received through deep links to prevent injection attacks. Ensure unauthorized users are redirected to the login screen, preventing direct access to sensitive parts of the app without proper authentication. (See Apple Developer's [Supporting universal links in your app](https://developer.apple.com/documentation/xcode/supporting-universal-links-in-your-app) documentation for more information.) #### WidgetKit Security @@ -366,10 +348,6 @@ features requiring user permissions. between app and widgets. - Use ATS (App Transport Security) to enforce strong security policies for network communication. -- Configure appropriate background refresh policies to prevent sensitive data updates while the device is locked. -- Implement proper privacy-related configurations in `Info.plist` for features requiring user permissions. -- Use App Groups with appropriate security configurations when sharing data between app and widgets. -- Use ATS (App Transport Security) to enforce strong security policies for network communication. - Do not store sensitive data in `plist` files. For further reading, visit the