{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 【Aperson】 的问题《MITM attack reported on deprecated NSURLConnection》','https://www.manongdao.com/q-1221260.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I have an Objective-C project whose .ipa was tested with this tool online: https://www.immuniweb.com/mobile
It reports that my app has a high risk security issue, pointing to the canAuthenticateAgainstProtectionSpace in the NSURLConnectionDelegate protocol.
This method has been deprecated by iOS after 8.0 version. My app is not using it directly anywhere and I suppose this is not used by apple also even indirectly, since it is deprecated.
I tried a sample ipa (new project with nothing in it) with Objective-C project and the same issue came for that as well. But it did not come for a sample ipa which supported Swift. Even if this is just a warning, is there a way to fix other than just supporting Swift language only?
TBH it seems like a bug in the tool if not any of your Libraries or Frameworks internally uses that.
In your test for the sample Objective C project it's reported as bug however for a sample swift project it's not reported Hence I guess it's more of bug from the tool side.
I would suggest you to report this issue to them.Hopefully they will get you back with some suggestions.
or
you can try some other pen-testing tools as well.
The tool has detected that the .h file that defines the
NSURLConnectionDelegateprotocol declares thecanAuthenticateAgainstProtectionSpacefunction. This is, of course, to be expected.It would make more sense for the tool to report implementations of the method, not simply declarations of it
Since you haven’t implemented this method you don’t need to worry about flaws in your implementation.
As for getting rid of the issue...Don’t use the tool? It doesn’t seem very good based on this.
Is there an option to tell it not to scan .h files?