Closed cesar-cmt closed 2 years ago
This looks like a false positive from Veracode.
Using completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
triggers iOS' standard TLS validation, which is secure. In addition to that, we have unit tests to ensure that the validation code works as expected.
The readme has an example implementation showing
When performing a Veracode static scan the line
completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
is flagged as a security flaw. http://cwe.mitre.org/data/definitions/297.html
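
For comparison with the flagged line, an added example (not code from this issue or from the project) showing the delegate pattern that CWE-297 describes next to a delegate that evaluates the server trust against the connection's host and leaves every other challenge to default handling. The class names and the `ChallengeHandler` typedef are hypothetical; the explicit check assumes iOS 12 or later for `SecTrustEvaluateWithError`.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical names for illustration; not taken from the project.
typedef void (^ChallengeHandler)(NSURLSessionAuthChallengeDisposition, NSURLCredential *);

// Pattern CWE-297 describes: the presented chain is accepted with no evaluation.
@interface AcceptAnythingDelegate : NSObject <NSURLSessionDelegate>
@end
@implementation AcceptAnythingDelegate
- (void)URLSession:(NSURLSession *)session
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
  completionHandler:(ChallengeHandler)completionHandler {
    SecTrustRef trust = challenge.protectionSpace.serverTrust;
    completionHandler(NSURLSessionAuthChallengeUseCredential,
                      [NSURLCredential credentialForTrust:trust]);
}
@end

// Explicit host-bound evaluation; non-TLS challenges go to default handling.
@interface HostCheckingDelegate : NSObject <NSURLSessionDelegate>
@end
@implementation HostCheckingDelegate
- (void)URLSession:(NSURLSession *)session
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
  completionHandler:(ChallengeHandler)completionHandler {
    NSURLProtectionSpace *space = challenge.protectionSpace;
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }
    SecTrustRef trust = space.serverTrust;
    if (trust == NULL) {
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
        return;
    }
    // Bind the evaluation to the host that was connected to (the CWE-297 check).
    SecPolicyRef policy = SecPolicyCreateSSL(true, (__bridge CFStringRef)space.host);
    OSStatus status = SecTrustSetPolicies(trust, policy);
    CFRelease(policy);
    CFErrorRef error = NULL;
    BOOL trusted = (status == errSecSuccess) && SecTrustEvaluateWithError(trust, &error);
    if (error != NULL) CFRelease(error);
    if (trusted) {
        completionHandler(NSURLSessionAuthChallengeUseCredential,
                          [NSURLCredential credentialForTrust:trust]);
    } else {
        // Fail closed: a chain or hostname failure ends the connection.
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
    }
}
@end
```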