Protect Application Settings Details Remediation CWE/OWASP Protect Application Settings Details iOS developers often store application settings in plist files which can be...

使用表单令牌保护CSRF 详细描述 建议 参考 CWE/OWASP 使用表单令牌保护CSRF 详细描述 CSRF (Cross-site Request Forgery) 依赖于已知或可预测的表单值和登录的浏览器会话。 建议 每个表单提交应包含一个令牌，该令牌在表单中或在用户会话的开头载入。 在接收POST请求时，在服务器上检查此令...

应用ATS(App Transport Security) 详细描述 建议 参考 CWE/OWASP 应用ATS(App Transport Security) 详细描述 iOS 9中的新功能，ATS(App Transport Security)有助于确保应用程序和任何后端服务器之间的安全连接。 默认情况下，当应用程序与iOS 9.0 ...

Understand Secure Deletion of Data Details Remediation References CWE/OWASP Understand Secure Deletion of Data Details On Android, calling file.delete() will not securely...

Avoid Crash Logs Details Remediation CWE/OWASP Avoid Crash Logs Details There are several frameworks for tracking user usage and collect crash logs for iOS and Android, bo...

Carefully Manage Debug Logs Details Remediation Android Remove method calls to the Log class in release builds Set the “android:debuggable” flag to “false” in production builds ...

保护内部资源 详细描述 建议 CWE/OWASP 保护内部资源 详细描述 用于内部使用的资源（例如管理员登录表单）经常使用可能被暴力破解的身份验证。 例如无锁定的HTTP或表单认证。 管理或其他内部资源的泄露可能导致广泛的数据丢失和其他损害。 建议 这种资源应该被阻止外部访问。 任何不需要公共互联网访问的资源都应该使用防火墙规则和网络...

Test Third-Party Libraries Details Remediation CWE/OWASP Test Third-Party Libraries Details Developers rely heavily on third-party libraries. It is important to thoroughly...

Institute Local Session Timeout Details Remediation CWE/OWASP Institute Local Session Timeout Details Mobile devices are frequently lost or stolen, and an attacker can tak...

Avoid Cached Application Snapshots Details Remediation References CWE/OWASP Avoid Cached Application Snapshots Details In order to provide the visual transitions in the i...