Test Vulnerabilities

App Transport Security (ATS) exceptions

Manual See the Info.plist

unzip <appName>.ipa
cd Payload/<BundleName>.app/
plutil -convert xml1 Info.plist
open Info.plist

The .ipa is now unzipped and the Info.plist file is converted into a readable format and opened. Now, locate the “App Transport Security Settings,” and there you will find the current ATS configuration which will look something like this:

If you see this, this application uses ATS bypass

See more in https://www.nowsecure.com/blog/2017/08/31/security-analysts-guide-nsapptransportsecurity-nsallowsarbitraryloads-app-transport-security-ats-exceptions/ and https://vulncat.fortify.com/en/detail?id=desc.config.swift.insecure_transport_disabled_app_transport_security

Determining whether your app’s endpoints can support ATS

Check whether your endpoints are already compatible with ATS. Do that using your MacOS device and the /usr/bin/nscurl --ats-diagnostics --verbose <https://yourdomain.com> Xcode command to verify if your endpoint is currently compatible.

This shows an endpoint which is able to use ATS

Use of obsolete/insecure libraries

Within the C language, libraries or functions such as _sprintf, _strlen, _vsnprintf, _printf, _strncpy, _memcpy, _sscanf, _strcpy, _strcat, _vsprintf, _stat , _fopen are deprecated as they can lead to memory corruption so should no longer be used.

Usage of these represent a vulnerability that can be exploited by causing a buffer overflow, which is very difficult to exploit in the iOS ecosystem. However, it is considered a "good practice" not to use them.

You can evidence/discover when the binary may contain the following insecure API(s): _sprintf, _strlen, _vsnprintf, _printf, _strncpy, _memcpy, _sscanf, _strcpy, _strcat, _vsprintf, _stat , _fopen.

This is really useful to evidence the Binary makes use of insecure API(s) results from MobSF

References:

• CVSS V2: 6 (medium)

• CWE: CWE-676 - Use of Potentially Dangerous Function

• OWASP Top 10: M7: Client Code Quality

• OWASP MASVS: MSTG-CODE-8

1. Decompress the .ipa file

2. Open a terminal in the decompressed folder

3. Run the following command

otool -Iv <APP_NAME>.app/<APP_NAME> | grep -w <API>

4. Also you can ask for all the insecure APIs"

otool -Iv <APP_NAME>.app/<APP_NAME> | grep -w "_sprintf|_fopen|_strncat|_strncpy|_strtok|_vsnprintf|_stat|_strlen|_strcat|_strcpy|_sscanf|_chmod|_printf|_memcpy"

Use of the insecure Random function(s)

Under certain conditions, this weakness can expose the mobile app's data encryption or other randomization-based protection. For example, if encryption tokens are generated within the app.

References:

• CVSS V2: 3 (low)

• CWE: CWE-330 Use of Insufficiently Random Values

• OWASP Top 10: M5 : Insufficient Cryptography

• OWASP MASVS: MSTG-CRYPTO-6

While this vulnerability could be reported, it is important for code developers, who are the ones with access to the code, to validate whether these random but insecure functions are actually used for encryption since, for example, using an insecure random function to generate a random color on the screen for display is not a security issue since a cryptographically secure random number generator is not needed for this task, even if it can be predicted it would not be a problem.

1. Decompress the .ipa file

2. Open a terminal in the decompressed folder

3. Run the following command

otool -Iv <APP_NAME>.app/<APP_NAME> | grep -w <FUNCTION>

4. Also you can ask for all the insecure APIs"

otool -Iv <APP_NAME>.app/<APP_NAME> | grep -w "_random\|_srand"