Flag insecure TrustKit certificate pinning settings

Este producto no es compatible con el sitio Datadog seleccionado. ().
Esta página aún no está disponible en español. Estamos trabajando en su traducción.
Si tienes alguna pregunta o comentario sobre nuestro actual proyecto de traducción, no dudes en ponerte en contacto con nosotros.

Metadata

ID: swift-security/trustkit-pinning

Language: Unknown

Severity: Error

Category: Security

CWE: 295

Description

This rule detects improper or disabled certificate pinning when using TrustKit in iOS applications. Without strict pinning, attackers could intercept and manipulate network traffic through Man-in-the-Middle (MitM) attacks, compromising confidentiality and integrity of user data. To mitigate this, applications should enforce proper certificate pinning configurations in line with Apple guidelines.

Non-Compliant Code Examples

import Foundation
import TrustKit

// --- NON-COMPLIANT EXAMPLE 1: Pinning is not enforced ---

// ruleid: trustkit_pinning_enforce_disabled
let trustKitConfigEnforceDisabled: [String: Any] = [
    kTSKPinnedDomains: [
        "www.datatheorem.com": [
            kTSKEnforcePinning: false, // VULNERABILITY: Pinning is explicitly disabled.
            kTSKIncludeSubdomains: true,
            kTSKPublicKeyHashes: [
                "someHash1",
                "someHash2"
            ]
        ]
    ]
]

TrustKit.init(configuration: trustKitConfigEnforceDisabled)


// --- NON-COMPLIANT EXAMPLE 2: Subdomain pinning is disabled ---

// ruleid: trustkit_pinning_subdomain_disabled
let trustKitConfigSubdomainDisabled: [String: Any] = [
    kTSKPinnedDomains: [
        "example.com": [
            kTSKEnforcePinning: true,
            kTSKIncludeSubdomains: false, // VULNERABILITY: Subdomains are not pinned.
            kTSKPublicKeyHashes: [
                "anotherHash1",
                "anotherHash2"
            ]
        ]
    ]
]

TrustKit.init(configuration: trustKitConfigSubdomainDisabled)

Compliant Code Examples

import Foundation
import TrustKit

// This file demonstrates the SECURE and COMPLIANT way to configure TrustKit.

// Define the TrustKit configuration dictionary.
let trustKitConfig: [String: Any] = [
    kTSKPinnedDomains: [
        "www.datatheorem.com": [
            // COMPLIANT: Pinning is explicitly enforced. This is the most critical setting
            // to prevent MitM attacks.
            kTSKEnforcePinning: true,
            
            // COMPLIANT: Pinning is also enforced for all subdomains, ensuring
            // comprehensive security coverage for the entire domain.
            kTSKIncludeSubdomains: true,
            
            // Provide the valid Base64-encoded SHA-256 hashes of the public keys.
            kTSKPublicKeyHashes: [
                "khh4hgtv9b0z6yioj2l8f9d6h3j3b2b1j6g6f8d3d2c2b1a0", // Primary key
                "jhh5igtv9b0z6yioj2l8f9d6h3j3b2b1j6g6f8d3d2c2b1a1"  // Backup key
            ],
        ]
    ]
]

// Initialize TrustKit with the secure configuration.
// This should be done early in the app's lifecycle, e.g., in AppDelegate.
TrustKit.init(configuration: trustKitConfig)

print("TrustKit has been initialized with a SECURE pinning configuration.")
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

Integraciones sin problemas. Prueba Datadog Code Security

Datadog Code Security