
Potentially insecure usage of the NSURLSession API #1079

Closed
QuintinWillison opened this issue Oct 13, 2020 · 2 comments · Fixed by #1120 or #1158
Labels: bug (Something isn't working. It's clear that this does need to be fixed.)

Comments

@QuintinWillison
Contributor

QuintinWillison commented Oct 13, 2020

We use NSURLSessionConfiguration's defaultSessionConfiguration singleton in ARTURLSessionServerTrust.m.

We should be using ephemeralSessionConfiguration instead as that "uses no persistent storage for caches, cookies, or credentials".

Additionally we should also be insisting on TLS protocol negotiation at a minimum of version 1.2. Possibly by using TLSMinimumSupportedProtocol, though that seems to have been deprecated and replaced with TLSMinimumSupportedProtocolVersion but we need to consider using that API cautiously when it comes to backwards compatibility.

When working on this issue please ensure to check other use of NSURLSession APIs as, for example, the sharedSession singleton is also problematic for the same reasons.

Also, for the purposes of breadcrumbs, see the question I asked in Slack to which paddybyers responded with:

all clients should insist on 1.2+

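As an added example (not code from this issue or from the library it concerns), the two changes the issue asks for in one place: an ephemeral configuration with a TLS 1.2 floor, using the newer property where the OS has it and the deprecated one otherwise, plus a task delegate that records the negotiated version so a log review can confirm nothing older was accepted. The function and class names are made up for this example.

```objc
#import <Foundation/Foundation.h>
#import <Security/SecProtocolTypes.h>

// Hypothetical helper (not the project's code): a configuration that keeps no
// caches, cookies or credentials on disk and refuses TLS older than 1.2.
static NSURLSessionConfiguration *ARTExampleHardenedSessionConfiguration(void) {
    // For comparison, the weak form is:
    //   [NSURLSessionConfiguration defaultSessionConfiguration]
    // which uses persistent storage and inherits the OS default TLS floor.
    NSURLSessionConfiguration *config =
        [NSURLSessionConfiguration ephemeralSessionConfiguration];

    if (@available(iOS 13.0, macOS 10.15, tvOS 13.0, watchOS 6.0, *)) {
        // Current API: tls_protocol_version_t from the Security framework.
        config.TLSMinimumSupportedProtocolVersion = tls_protocol_version_TLSv12;
    } else {
        // Older OS versions only have the deprecated SSLProtocol-based property;
        // silence the deprecation warning for this one assignment.
#pragma clang diagnostic push
#pragma clang diagnostic ignored "-Wdeprecated-declarations"
        config.TLSMinimumSupportedProtocol = kTLSProtocol12;
#pragma clang diagnostic pop
    }
    return config;
}

// Hypothetical delegate: after each task, inspect the transaction metrics and
// flag any transaction whose negotiated TLS version is below 1.2.
@interface ARTExampleTLSAuditDelegate : NSObject <NSURLSessionTaskDelegate>
@end

@implementation ARTExampleTLSAuditDelegate
- (void)URLSession:(NSURLSession *)session
              task:(NSURLSessionTask *)task
didFinishCollectingMetrics:(NSURLSessionTaskMetrics *)metrics {
    if (@available(iOS 13.0, macOS 10.15, tvOS 13.0, watchOS 6.0, *)) {
        for (NSURLSessionTaskTransactionMetrics *m in metrics.transactionMetrics) {
            // nil for cached responses or non-TLS connections.
            NSNumber *version = m.negotiatedTLSProtocolVersion;
            if (version != nil &&
                version.unsignedShortValue < tls_protocol_version_TLSv12) {
                NSLog(@"TLS below 1.2 negotiated for %@", task.originalRequest.URL);
            }
        }
    }
}
@end

// Usage: build the session from the hardened configuration with the audit delegate.
// NSURLSession *s = [NSURLSession sessionWithConfiguration:ARTExampleHardenedSessionConfiguration()
//                                                 delegate:[ARTExampleTLSAuditDelegate new]
//                                            delegateQueue:nil];
```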

@QuintinWillison QuintinWillison added the bug Something isn't working. It's clear that this does need to be fixed. label Oct 13, 2020
@SpencerWallsworth

Is there an update on this bug or an expectation when this will be fixed?

@QuintinWillison
Contributor Author

Hi @SpencerWallsworth - sorry for the (very slow!) response but I only just now noticed your comment when I was looking through issues. There is no precise timescale I can provide, however we are looking at ramping up development on this client library in the next couple of months and, as such, this issue is high on the backlog to be worked on then.
