Often Misused: SMS

ABSTRACT

程序執行 SMS 操作。

EXPLANATION

不可在沒有原因或考慮的情況下執行 SMS 操作。惡意軟件會盜取這些 API，在用戶不知情的情況下竊取金錢與數據。

例 1：在這類情況下，程序會發送基于 SMS 的文本。

[[UIApplication sharedApplication] openURL:@"sms:+3912345678"];

//or

[[CTMessageCenter sharedMessageCenter]sendSMSWithText:msgField.text serviceCenter:nil toAddress:@"phonenumber"];

REFERENCES

[1] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A2 Broken Access Control

[2] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A6 Security Misconfiguration

[3] Standards Mapping - FIPS200 - (FISMA) AC

[4] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 265

[5] First SMS Trojan detected for smartphones running Android

[6] Standards Mapping - SANS Top 25 2009 - (SANS 2009) Improper Access Control - CWE ID 285

[7] Apple UIApplication Class Reference