Update: Mobile Application Security Cheat Sheet

[richeeta]

What is missing or needs to be updated?

The current Mobile Application Security Cheat Sheet lacks specific guidance on securing app functionality that could be accessed when an iOS/iPadOS device is locked. I believe this cheat sheet could be enhanced by adding specific guidance for iOS/iPadOS for Shortcuts, Siri, deep links, and WidgetKit data.

How should this be resolved?

To address these gaps, I would respectfully suggest that the following sections be added:

1. Shortcuts Permissions
   iOS Shortcuts allow for automation of app functions, which may enable sensitive actions even when the device is locked. Sensitive app functionalities triggered via Shortcuts should always require device unlock before execution.
   Solution: Store secure tokens in Keychain that the app validates before executing sensitive shortcuts. Implement checks with UIApplication.shared.isProtectedDataAvailable to restrict execution of sensitive actions when the device is locked.

2. Siri Permissions
   Siri can access app functionalities through voice commands, which may be accessible even when the device is locked, potentially enabling unauthorized actions.
   Solution: Configure requiresUserAuthentication to true on intents that expose sensitive information or functionality. Additionally, set INIntent.userConfirmationRequired = true for operations requiring explicit user confirmation. These settings ensure proper authentication (e.g., Face ID or PIN) and explicit approval before Siri can execute sensitive commands.

3. Deep Link Security
   Deep links offer direct access to specific app screens, which could potentially bypass authentication if not secured, allowing unauthorized users access to secure sections of the app.
   Solution: Implement authentication checks on any view controllers or endpoints accessed via deep links. Configure and validate Universal Links using apple-app-site-association files for secure deep linking. Sanitize and validate all parameters received through deep links to prevent injection attacks. Ensure unauthorized users are redirected to the login screen, preventing direct access to sensitive parts of the app without proper authentication.

4. WidgetKit Security
   Widgets on the lock screen may display sensitive data, potentially exposing it without the device being unlocked.
   Solution: For iOS 17+, use WidgetInfo.isLocked to detect lock screen state. For earlier iOS versions, implement custom logic based on available widget states since widgetFamily alone doesn't directly provide lock screen information. Apply conditional logic to mask or restrict sensitive widget content when appropriate security conditions aren't met.

Additional Security Considerations:

1. Configure appropriate background refresh policies to prevent sensitive data updates while device is locked
2. Implement proper privacy-related configurations in Info.plist for features requiring user permissions
3. Use App Groups with appropriate security configurations when sharing data between app and widgets

Thank you!

[szh]

I think this is a great idea. Want to submit a PR?