
Update Mobile Application Security Cheat Sheet with iOS-Specific Guidelines #1531

Merged: 11 commits, Jan 22, 2025

Conversation

@richeeta (Contributor) commented Nov 4, 2024

Added iOS-specific security recommendations to the Mobile Application Security Cheat Sheet, specifically: guidelines on Shortcuts permissions, Siri permissions, deep links, and WidgetKit security.

This change was made to enhance the security best practices for iOS apps, addressing issue #1524.

@szh szh linked an issue Nov 4, 2024 that may be closed by this pull request
@richeeta (Contributor, Author) left a comment:

fixed spacing

@szh (Collaborator) commented Nov 5, 2024

Thanks for the PR! There are a few lint errors remaining:

cheatsheets/Mobile_Application_Security_Cheat_Sheet.md:254 MD032/blanks-around-lists Lists should be surrounded by blank lines [Context: "- There are several scenarios ..."]
cheatsheets/Mobile_Application_Security_Cheat_Sheet.md:255 MD032/blanks-around-lists Lists should be surrounded by blank lines [Context: "1. If a Shortcut is added as a..."]
cheatsheets/Mobile_Application_Security_Cheat_Sheet.md:260:119 MD009/no-trailing-spaces Trailing spaces [Expected: 0 or 2; Actual: 1]
cheatsheets/Mobile_Application_Security_Cheat_Sheet.md:260 MD032/blanks-around-lists Lists should be surrounded by blank lines [Context: "6. If a Shortcut is set to run..."]
cheatsheets/Mobile_Application_Security_Cheat_Sheet.md:261 MD032/blanks-around-lists Lists should be surrounded by blank lines [Context: "- Sensitive app functionalitie..."]

I wonder if we have an experienced iOS developer who could review this...

jmanico previously approved these changes Nov 7, 2024
@mackowski (Collaborator) commented:

@richeeta can you please fix linter errors?

@richeeta (Contributor, Author) commented:

@mackowski & @jmanico, I have resolved all the Markdown linting issues, and the changes are ready for review. Could you please approve the workflows so the checks can run? Thank you!

@richeeta (Contributor, Author) commented:

Oops, sorry, I forgot to run it with --config .markdownlint.json on my end — the issues should be fixed now.

@richeeta richeeta requested a review from jmanico November 22, 2024 14:01
@jmanico (Member) commented Nov 23, 2024

The lints all look fixed, thank you

mackowski previously approved these changes Nov 25, 2024
@mackowski mackowski requested a review from szh November 25, 2024 16:33
@szh (Collaborator) left a comment:

I'm by no means an iOS expert - I'm not even an iOS user. But here are my comments.

Four review threads on cheatsheets/Mobile_Application_Security_Cheat_Sheet.md (outdated, resolved)
@mackowski mackowski requested review from szh and ottosulin December 9, 2024 16:04
@szh (Collaborator) left a comment:

Almost there, one nit

for recommendations on managing third-party dependencies when vulnerabilities are discovered.
See the [Vulnerable Dependency Management Cheat Sheet](
Vulnerable_Dependency_Management_Cheat_Sheet.md)

Collaborator comment on the snippet above:

Unnecessary newline

@mackowski (Collaborator) commented:

@richeeta can you address changes requested by @szh?

@mackowski mackowski requested review from szh and ottosulin January 20, 2025 14:18

## Authentication & Authorization

Authentication is a complex topic and there are many pitfalls. Authentication
logic must be written and tested with extreme care. The tips here are only a
starting point and barely scratch the surface. For more information, see the
[Authentication Cheat Sheet](Authentication_Cheat_Sheet.md) and
[M1: Insecure Authentication/Authorization](https://owasp.org/www-project-mobile-top-10/2023-risks/m1-insecure-authentication-authorization.html) from the OWASP Mobile Top 10.
[M1: Insecure Authentication/Authorization](
https://owasp.org/www-project-mobile-top-10/2023-risks/m1-insecure-authentication-authorization.html)

Review comment on the snippet above:

@szh already commented once about the newline issue which is also present here while fixed on line 48. This PR adds newlines here and there which are unnecessary changes, but I'm not sure if they affect page rendering though.

@mackowski mackowski merged commit d0b9a1d into OWASP:master Jan 22, 2025
3 checks passed
Successfully merging this pull request may close these issues.

Update: Mobile Application Security Cheat Sheet