lcimeni / chase


NowSecure static analysis: Hardcoded URLs #20

Open lcimeni opened 2 years ago

lcimeni commented 2 years ago

Finding Description

Embedded URL data was found within the application code.

Steps to Reproduce

Inspect source code for the hardcoded URLs shown in the Findings Evidence tables. Evaluating code for common schemes of URL strings and known domains can be helpful in finding uses of hardcoded URLs. In NowSecure's automated testing, we identify embedded URLs in the source code.
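As an added example (not part of the NowSecure finding or the lcimeni/chase code), the "common schemes and known domains" scan described above, written in Python and run over a few constructed Swift, Objective-C and plist lines. The URL pattern, the list of sensitive query-parameter names and the severity rule are my own assumptions, not NowSecure's.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample input: lines of the kind a scanner would see in an iOS code base.
SAMPLE_SOURCE = """\
let api = URL(string: "https://api.example.com/v1/users")!
NSString *cdn = @"http://cdn.example.com/assets?token=abc123";
// see https://docs.example.com/setup
<string>ftp://files.internal.example.com/drop</string>
let ws = "wss://live.example.com/feed?api_key=XYZ"
"""

# URL literals by scheme; stop at quotes, whitespace and markup delimiters.
URL_RE = re.compile(r"\b(?:https?|wss?|ftp)://[^\s\"'<>)]+")
# Query parameter names that usually carry credentials (assumed list).
SENSITIVE_PARAMS = {"token", "key", "api_key", "apikey", "secret", "password", "auth", "sig"}
CLEARTEXT_SCHEMES = {"http", "ws", "ftp"}


def find_hardcoded_urls(text):
    """Return one finding per URL literal in `text`, with host, scheme and a severity."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in URL_RE.finditer(line):
            url = match.group(0)
            parts = urlsplit(url)
            params = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
            sensitive = sorted(p for p in params if p.lower() in SENSITIVE_PARAMS)
            cleartext = parts.scheme in CLEARTEXT_SCHEMES
            # A bare URL is informational (as in this finding); an embedded credential
            # or an unencrypted transport raises the severity.
            if sensitive:
                severity = "high"
            elif cleartext:
                severity = "medium"
            else:
                severity = "info"
            findings.append({
                "line": lineno,
                "url": url,
                "scheme": parts.scheme,
                "host": parts.hostname,
                "cleartext": cleartext,
                "sensitive_params": sensitive,
                "severity": severity,
            })
    return findings
```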

Business Impact

Hardcoded URLs were found in the application's code or resources. URLs often contain sensitive information such as access tokens, or give an attacker insight into backend resources that can be leveraged to exploit the app.

Remediation Resources

Recommended Fix

Do not embed sensitive URLs in your application code or resources. If an app must be configured with sensitive URLs, retrieve them from a backend at runtime where possible.

Code Samples

Good Code Example (.swift)

import Foundation
import Obfuscator

// Add SERVER_URL to build settings with key ServerURL (exposed through Info.plist)

// Read SERVER_URL
let SERVER_URL = Bundle.main.object(forInfoDictionaryKey: "ServerURL") as! String

// The salt classes must be the same when generating and when revealing
let o = Obfuscator(withSalt: [AppDelegate.self, NSObject.self, NSString.self])

// Generate byte array (a one-time development step: the shipped build embeds
// only `bytes` and drops the plain-text ServerURL entry from Info.plist)
let bytes = o.bytesByObfuscatingString(string: SERVER_URL)

// Reveal the string at runtime
let url = o.reveal(key: bytes)

Good Code Example (.objc)

#import "Globals.h"
#import "AppDelegate.h"
#import <UIKit/UIKit.h>
#import <Obfuscator/Obfuscator.h>
#import <Parse/Parse.h>

// Add SERVER_URL to build settings with key ServerURL (exposed through Info.plist)

extern const unsigned char *key;
// Obfuscated SERVER_URL bytes, generated once at development time (see
// -logObfuscatedServerURL below) and pasted here so the plain-text URL never ships.
// Placeholder bytes, not a real key: replace with the array printed by hexByObfuscatingString:
const unsigned char _key[] = { 0x00 };
const unsigned char *key = &_key[0];

@implementation AppDelegate

// Development-time helper: read SERVER_URL from Info.plist and generate the byte array.
// hexByObfuscatingString: returns the bytes as a hex C-array literal to paste into _key above.
- (void)logObfuscatedServerURL {
    NSString *SERVER_URL = [[NSBundle mainBundle] objectForInfoDictionaryKey:@"ServerURL"];
    Obfuscator *o = [Obfuscator newWithSalt:[AppDelegate class], [NSString class], nil];
    // Generate byte array
    NSLog(@"%@", [o hexByObfuscatingString:SERVER_URL]);
}

- (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions {
    // Same salt classes as used when generating the bytes, otherwise reveal: returns garbage
    Obfuscator *o = [Obfuscator newWithSalt:[AppDelegate class], [NSString class], nil];

    // Reveal the string at runtime and hand it to the SDK
    [Parse setApplicationId:@"TestApp" clientKey:[o reveal:key]];

    return YES;
}

@end

Additional Guidance

Risk and Regulatory Information

Severity: info

Application

See more detail in the NowSecure Report