Insecure IPC: Missing URL Validation
Sneha0523 opened this issue
Summary
The application fails to validate the calling URL in a URL-based Inter-Procedure Communication (IPC) call.
Explanation
When a third-party application or webview uses a URL to communicate with your application, the receiving application should validate the calling URL before proceeding with further actions. The receiving application has the option to verify that it wants to open the calling URL using the UIApplicationDelegate application:didFinishLaunchingWithOptions: or UIApplicationDelegate application:willFinishLaunchingWithOptions: delegate methods.
The following implementation of the UIApplicationDelegate application:didFinishLaunchingWithOptions: delegate method fails to validate the calling URL and always processes the untrusted URL:
- (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions {
    // launchOptions, including any launch URL, is never inspected.
    return YES;
}
Best practices dictate that we should always validate the calling URL and verify it conforms to what your application expects, which may vary depending on the URL components and purpose.
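One way to perform that validation in the same delegate method, as an added example that is not code from this issue or from the project. The `exampleapp` scheme, the `open` and `profile` actions, the numeric `id` parameter and the helper name `IsAcceptableLaunchURL` are assumptions chosen for illustration.

```objective-c
#import <UIKit/UIKit.h>

// Assumed for illustration: the app registers the "exampleapp" scheme and
// accepts URLs shaped like exampleapp://open?id=123 or exampleapp://profile?id=7.
static NSString * const kExpectedScheme = @"exampleapp";

// Returns YES only when every component of the URL matches what the app expects.
static BOOL IsAcceptableLaunchURL(NSURL *url) {
    NSURLComponents *c = [NSURLComponents componentsWithURL:url resolvingAgainstBaseURL:NO];
    if (c == nil || c.scheme == nil) return NO;
    if ([c.scheme caseInsensitiveCompare:kExpectedScheme] != NSOrderedSame) return NO;
    // Credentials and ports have no meaning for this scheme; reject them outright.
    if (c.user != nil || c.password != nil || c.port != nil) return NO;
    NSSet<NSString *> *allowedActions = [NSSet setWithObjects:@"open", @"profile", nil];
    if (c.host == nil || ![allowedActions containsObject:c.host.lowercaseString]) return NO;
    // Allow only the "id" parameter, ASCII digits, bounded length.
    NSCharacterSet *nonDigits =
        [[NSCharacterSet characterSetWithCharactersInString:@"0123456789"] invertedSet];
    for (NSURLQueryItem *item in c.queryItems) {
        if (![item.name isEqualToString:@"id"]) return NO;
        if (item.value.length == 0 || item.value.length > 12) return NO;
        if ([item.value rangeOfCharacterFromSet:nonDigits].location != NSNotFound) return NO;
    }
    return YES;
}

@interface AppDelegate : UIResponder <UIApplicationDelegate>
@end

@implementation AppDelegate

- (BOOL)application:(UIApplication *)application
    didFinishLaunchingWithOptions:(NSDictionary<UIApplicationLaunchOptionsKey, id> *)launchOptions {
    NSURL *url = launchOptions[UIApplicationLaunchOptionsURLKey];
    if (url == nil) {
        return YES; // Ordinary launch: there is no calling URL to validate.
    }
    if (!IsAcceptableLaunchURL(url)) {
        // Log only the scheme; the rest of an untrusted URL may carry sensitive data.
        NSLog(@"Rejected launch URL with scheme: %@", url.scheme);
        return NO; // Tells UIKit the app will not handle this URL.
    }
    return YES;
}

@end
```

When the app is already running, the URL arrives through `application:openURL:options:` instead, so the same helper should gate that method as well.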