Skip to main content

Insecure Network Communication

Why is this important?

Ensuring that the data in transit is secured between the mobile applications and the backend is one of the most fundamental security requirements. If this security control is not in place then all bets are off and attackers have many ways to attack your users.

Check out this video for a high-level explanation:

Insufficient Transport Layer Protection

Fixing Insecure Network Communication

Option A: Ensure certificate validation

Insecure certificate validation, even in a WebView implementation, where SSL Certificate errors are ignored and any SSL certificate is accepted can lead to Man-in-the-middle attacks.

  1. Go through the issues that GuardRails identified in the PR.
  2. Look for patterns like:
    • setAllowsAnyHTTPSCertificate:YES
    • allowsAnyHTTPSCertificateForHost
    • loadingUnvalidatedHTTPSPage=YES
    • canAuthenticateAgainstProtectionSpace
    • continueWithoutCredentialForAuthenticationChallenge
    • kCFStreamSSLAllowsExpiredCertificates
    • kCFStreamSSLAllowsAnyRoot
    • kCFStreamSSLAllowsExpiredRoots
    • validatesSecureCertificate=NO
    • allowInvalidCertificates=YES
  3. Make sure that they don't apply to production code, otherwise remove them or set the to the secure setting.

Option B: Rely on secure TLS versions

All versions of TLS v1.2 and below, including SSL have been considered insecure and it is recommended to switch to TLS v1.3.

Look for patterns like:

  • TLSMinimumSupportedProtocolVersion:
    • Use tls_protocol_version_t.TLSv13, or tls_protocol_version_t.DTLSv10 instead.
  • tlsMinimumSupportedProtocol:
    • Is deprecated, use TLSMinimumSupportedProtocolVersion instead.

More information: