Skip to content

OWASP Mobile Application Security

MASTG-TEST-0056: Determining Whether Sensitive Data Is Exposed via IPC Mechanisms

OWASP/owasp-mastg

MASTG-TEST-0056: Determining Whether Sensitive Data Is Exposed via IPC Mechanisms

Overview¶

Static Analysis¶

The following section summarizes keywords that you should look for to identify IPC implementations within iOS source code.

XPC Services¶

Several classes may be used to implement the NSXPCConnection API:

NSXPCConnection
NSXPCInterface
NSXPCListener
NSXPCListenerEndpoint

You can set security attributes for the connection. The attributes should be verified.

Check for the following two files in the Xcode project for the XPC Services API (which is C-based):

xpc.h
connection.h

Mach Ports¶

Keywords to look for in low-level implementations:

mach_port_t
mach_msg_*

Keywords to look for in high-level implementations (Core Foundation and Foundation wrappers):

CFMachPort
CFMessagePort
NSMachPort
NSMessagePort

NSFileCoordinator¶

Keywords to look for:

NSFileCoordinator

Dynamic Analysis¶

Verify IPC mechanisms with static analysis of the iOS source code. No iOS tool is currently available to verify IPC usage.