
MASWE-0032: Platform-provided Authentication APIs Not Used

Content in BETA

This content is in beta and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).


Draft Weakness

This weakness hasn't been created yet and is still in draft, but you can check its status or start working on it yourself. If the issue has not yet been assigned, you can request to be assigned to it and submit a PR with the new content for that weakness by following our guidelines.

Check our GitHub Issues for MASWE-0032

Initial Description or Hints

AKA don't roll your own authentication security. Platform-provided authentication APIs are designed and implemented by experts with deep knowledge of the platform's security features and considerations. They typically incorporate security best practices and are updated regularly to address new threats and vulnerabilities. Not using them in mobile apps can result in security vulnerabilities, an inconsistent user experience, missed integration opportunities, and increased development and maintenance effort.

Relevant Topics

  • credential auto-fill to avoid copy/paste
  • correct use of Android AccountManager (e.g. invoke a cloud-based service and don't store passwords on the device); AccountManager data is stored in the clear in some Android versions
  • use of CREATOR after retrieving an account with AccountManager
  • use of the Authentication Services framework on iOS
  • iOS Password AutoFill streamlines logging into web services at your domain; however, if you need to log into a third-party service, use ASWebAuthenticationSession instead
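As an added example (not part of this MASWE page or the OWASP project's own material), the following Kotlin sketch shows the AccountManager pattern the second topic describes: the app asks the platform authenticator for a token and never handles or stores the password itself. The account type, token type and class name are placeholders assumed for the example, not values from the page.

```kotlin
import android.accounts.Account
import android.accounts.AccountManager
import android.accounts.AccountManagerCallback
import android.app.Activity
import android.os.Bundle

// Placeholder identifiers (assumed for this example): a real app uses the
// account type and token type declared by its own authenticator service.
const val ACCOUNT_TYPE = "com.example.placeholder.account"
const val AUTH_TOKEN_TYPE = "placeholder_api_scope"

// Thin wrapper around AccountManager. Credentials stay with the platform
// authenticator (and the cloud login flow it launches); app code only ever
// sees a short-lived auth token, so there is no password in the app's own
// storage to leak.
class PlatformTokenProvider(private val activity: Activity) {
    private val accountManager: AccountManager = AccountManager.get(activity)

    // First account of our type, or null if the user has not added one yet.
    // On API 26+ only accounts the authenticator has made visible to this app
    // are returned; on older versions GET_ACCOUNTS is required.
    fun currentAccount(): Account? =
        accountManager.getAccountsByType(ACCOUNT_TYPE).firstOrNull()

    // Obtain a token, letting the system prompt the user if it has to.
    fun requestToken(onToken: (String) -> Unit, onError: (Throwable) -> Unit) {
        val account = currentAccount()
        if (account == null) {
            // No account yet: hand off to the authenticator's own add-account UI.
            // Do NOT call addAccountExplicitly(account, password, ...) with a
            // user-typed password; that is the "store passwords on the device"
            // anti-pattern the topic list warns about.
            accountManager.addAccount(
                ACCOUNT_TYPE, AUTH_TOKEN_TYPE, null, null, activity,
                AccountManagerCallback<Bundle> { future ->
                    try {
                        // getResult() throws if the user cancelled or the
                        // authenticator failed (OperationCanceledException,
                        // AuthenticatorException, IOException).
                        future.result
                        // The add-account result may or may not carry a token,
                        // so fetch one through the normal getAuthToken path.
                        if (currentAccount() != null) requestToken(onToken, onError)
                        else onError(IllegalStateException("no account after add"))
                    } catch (e: Exception) {
                        onError(e)
                    }
                },
                null
            )
            return
        }

        accountManager.getAuthToken(
            account, AUTH_TOKEN_TYPE, null, activity,
            AccountManagerCallback<Bundle> { future ->
                try {
                    val token = future.result.getString(AccountManager.KEY_AUTHTOKEN)
                    if (token != null) onToken(token)
                    else onError(IllegalStateException("authenticator returned no token"))
                } catch (e: Exception) {
                    onError(e)
                }
            },
            null
        )
    }

    // AccountManager caches tokens. When the backend rejects one (e.g. HTTP 401),
    // invalidate it so the next request fetches a fresh token instead of
    // retrying the stale value.
    fun invalidate(token: String) {
        accountManager.invalidateAuthToken(ACCOUNT_TYPE, token)
    }
}
```

The point to check in a review is the absence of any password handling: the only credential-shaped value the app touches is the token returned in the `KEY_AUTHTOKEN` bundle entry, and that token is dropped with `invalidateAuthToken` as soon as the server stops accepting it.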

References

MASTG v1 Coverage

No MASTG v1 tests are related to this weakness.