ably / ably-cocoa

iOS, tvOS and macOS Objective-C and Swift client library SDK for Ably realtime messaging service
https://ably.com/download
Apache License 2.0

Potentially insecure usage of the NSURLSession API #1079

Closed QuintinWillison closed 3 years ago

QuintinWillison commented 4 years ago

We use NSURLSessionConfiguration's defaultSessionConfiguration singleton in ARTURLSessionServerTrust.m.

We should be using ephemeralSessionConfiguration instead as that "uses no persistent storage for caches, cookies, or credentials".

Additionally, we should also be insisting on TLS protocol negotiation at a minimum of version 1.2, possibly by using TLSMinimumSupportedProtocol, though that seems to have been deprecated and replaced with TLSMinimumSupportedProtocolVersion, but we need to consider using that API cautiously when it comes to backwards compatibility.

When working on this issue please ensure that you check other uses of NSURLSession APIs as, for example, the sharedSession singleton is also problematic for the same reasons.

Also, for the purposes of breadcrumbs, see the question I asked in Slack to which paddybyers responded with:

all clients should insist on 1.2+

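The session setup the issue asks for, written out as an added example rather than code from ably-cocoa. The class name `ARTExampleSessionFactory` and the `hardenedSessionConfiguration` / `makeSession` methods are hypothetical; only the Foundation and Security APIs they call are real. It uses the ephemeral configuration so nothing is persisted, pins the TLS floor to 1.2 through `TLSMinimumSupportedProtocolVersion` on iOS 13 / macOS 10.15 / tvOS 13 and later with the deprecated `TLSMinimumSupportedProtocol` as the fallback for older deployment targets, and adds a metrics delegate so the version actually negotiated can be audited per host:

```objc
// Added example; not part of ably-cocoa. Class and method names are hypothetical.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

@interface ARTExampleSessionFactory : NSObject <NSURLSessionTaskDelegate>
+ (NSURLSessionConfiguration *)hardenedSessionConfiguration;
- (NSURLSession *)makeSession;
@end

@implementation ARTExampleSessionFactory

+ (NSURLSessionConfiguration *)hardenedSessionConfiguration {
    // Ephemeral: caches, cookies and credentials live only in memory for the
    // lifetime of the session. Never reach for +defaultSessionConfiguration or
    // +sharedSession here, both of which use the process-wide persistent stores.
    NSURLSessionConfiguration *config = [NSURLSessionConfiguration ephemeralSessionConfiguration];

    if (@available(iOS 13.0, macOS 10.15, tvOS 13.0, *)) {
        // Current API: tls_protocol_version_t from <Security/SecProtocolTypes.h>.
        config.TLSMinimumSupportedProtocolVersion = tls_protocol_version_TLSv12;
    } else {
#pragma clang diagnostic push
#pragma clang diagnostic ignored "-Wdeprecated-declarations"
        // Legacy API for older OS versions; deprecated but still honoured there.
        config.TLSMinimumSupportedProtocol = kTLSProtocol12;
#pragma clang diagnostic pop
    }
    return config;
}

- (NSURLSession *)makeSession {
    // The delegate receives per-task metrics so negotiated TLS versions can be audited.
    return [NSURLSession sessionWithConfiguration:[[self class] hardenedSessionConfiguration]
                                         delegate:self
                                    delegateQueue:nil];
}

#pragma mark - NSURLSessionTaskDelegate

- (void)URLSession:(NSURLSession *)session
              task:(NSURLSessionTask *)task
didFinishCollectingMetrics:(NSURLSessionTaskMetrics *)metrics {
    if (@available(iOS 13.0, macOS 10.15, tvOS 13.0, *)) {
        for (NSURLSessionTaskTransactionMetrics *txn in metrics.transactionMetrics) {
            // 0 means no TLS handshake happened for this transaction (e.g. a reused
            // connection or a plain-HTTP request); anything below TLSv12 here would
            // indicate the floor is not being applied and deserves investigation.
            tls_protocol_version_t negotiated = txn.negotiatedTLSProtocolVersion;
            if (negotiated != 0 && negotiated < tls_protocol_version_TLSv12) {
                NSLog(@"WARNING: %@ negotiated TLS version 0x%04x, below the TLS 1.2 floor",
                      txn.request.URL.host, negotiated);
            } else {
                NSLog(@"%@ negotiated TLS version 0x%04x",
                      txn.request.URL.host, negotiated);
            }
        }
    }
}

@end
```

The `tls_protocol_version_t` values are the on-the-wire version numbers, so TLS 1.2 logs as `0x0303` and TLS 1.3 as `0x0304`; the metrics callback is a cheap way to confirm in testing that every host the library talks to is above the floor before relying on the configuration alone.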

SpencerWallsworth commented 3 years ago

Is there an update on this bug or an expectation when this will be fixed?

QuintinWillison commented 3 years ago

Hi @SpencerWallsworth - sorry for the (very slow!) response but I only just now noticed your comment when I was looking through issues. There is no precise timescale I can provide, however we are looking at ramping up development on this client library in the next couple of months and, as such, this issue is high on the backlog to be worked on then.