MASTG-TEST-0056: Determining Whether Sensitive Data Is Exposed via IPC Mechanisms

This test will be updated soon

The test can be used in its current form, but it will receive a complete overhaul as part of the new OWASP MASTG v2 guidelines.

Help us out by submitting a PR for: MASTG v1->v2 MASTG-TEST-0056: Determining Whether Sensitive Data Is Exposed via IPC Mechanisms (ios)

Send Feedback

Overview

Static Analysis

The following section summarizes keywords that you should look for to identify IPC implementations within iOS source code.

XPC Services

Several classes may be used to implement the NSXPCConnection API:

• NSXPCConnection
• NSXPCInterface
• NSXPCListener
• NSXPCListenerEndpoint

You can set security attributes for the connection. The attributes should be verified.

Check for the following two files in the Xcode project for the XPC Services API (which is C-based):

• xpc.h
• connection.h

Mach Ports

Keywords to look for in low-level implementations:

• mach_port_t
• mach_msg_*

Keywords to look for in high-level implementations (Core Foundation and Foundation wrappers):

• CFMachPort
• CFMessagePort
• NSMachPort
• NSMessagePort

NSFileCoordinator

Keywords to look for:

• NSFileCoordinator

Dynamic Analysis

Verify IPC mechanisms with static analysis of the iOS source code. No iOS tool is currently available to verify IPC usage.