lcimeni / tiktok-ios


NowSecure dynamic analysis: Misconfigured Library Potentially Allows Network Traffic Interception and Modification #77

Open lcimeni opened 2 years ago

lcimeni commented 2 years ago

Finding Description

A vulnerability was detected within an AFNetworking implementation; however, it was not observed being executed at runtime. This can be tied to the main executable, or statically embedded within a third-party library. The context table below will provide the vulnerable configurations that were detected, along with the module they were found in (if applicable).

Steps to Reproduce

This test observes the AFNetworking library at runtime and reports the configuration being used. This can be validated in the code used to configure AFNetworking.

Business Impact

The app is using a third-party library to communicate that is not secure. A malicious actor could remotely see and modify information coming to and from the app. This could then be used to access confidential information on your device or work network.

Remediation Resources

Ensure the application is using an updated version of AFNetworking, and that it is configured properly. In the case of unused implementations of AFNetworking, it is recommended that they be removed.

Risk and Regulatory Information

Severity: medium
CVSS: 5.3

Application

See more detail in the NowSecure Report