lcimeni / tiktok-ios

0 stars 0 forks source link

NowSecure static analysis: Allowing Debuggable Webviews Allows Unintended Access to Device Data #93

Open lcimeni opened 3 years ago

lcimeni commented 3 years ago

Finding Description

The app is allowing debuggable webviews. If an attacker gained access to an unlocked device, they can use those webviews to access data on the device. That data can even be inside the app's private data folder which is normally protected from outside interference. Any secrets contained within the directory are completely compromised.

Steps to Reproduce

This test looks in the application code for instances where setWebContentsDebuggingEnabled has been set to true.

Business Impact

The app is allowing certain webpages to have access to device data that they really should not be able to access. If someone gets accessed to the unlocked device they would be able to see and modify significant amounts of potentially sensitive data on the device, bypassing normal protections.

Remediation Resources

In a production build of an application, setWebContentsDebuggingEnabled should not be set to true. The evidence evidence table lists the places where this has occurred inside the app's decompiled binary.

Risk and Regulatory Information

Severity: high CVSS: 7.1

Application

See more detail in the NowSecure Report

lcimeni commented 2 years ago

Update: The fix for this finding has been verified by NowSecure.

Powered by NowSecure Platform