# Test Vulnerabilities

## App Transport Security (ATS) exceptions

#### Manual: see the Info.plist

```bash
unzip <appName>.ipa
cd Payload/<BundleName>.app/
plutil -convert xml1 Info.plist
open Info.plist
```

The `.ipa` is now unzipped, `Info.plist` has been converted from binary to XML, and the file is open. Locate the `NSAppTransportSecurity` dictionary (Xcode displays it as "App Transport Security Settings"); it holds the current ATS configuration. Look in particular for `NSAllowsArbitraryLoads` set to true, which disables ATS globally, and for entries under `NSExceptionDomains` that allow insecure HTTP loads or lower the minimum TLS version. It will look something like this:

![If you see this, this application uses ATS bypass](https://532189072-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Lt8335BPUBXjq3iC572%2F-LtevW0mq-BY-g2zQZOq%2F-LtfUBQcuwMMuPAUlPZZ%2Fimage.png?alt=media\&token=86a1473c-8264-4156-89b8-d116284ca876)

{% hint style="info" %}
See more in <https://www.nowsecure.com/blog/2017/08/31/security-analysts-guide-nsapptransportsecurity-nsallowsarbitraryloads-app-transport-security-ats-exceptions/> and <https://vulncat.fortify.com/en/detail?id=desc.config.swift.insecure_transport_disabled_app_transport_security>
{% endhint %}
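Reading the dictionary by eye works for one app, but the global keys and the per-domain exception keys interact (for instance, Apple documents that on iOS 10 and later the presence of `NSAllowsArbitraryLoadsInWebContent`, `NSAllowsArbitraryLoadsForMedia` or `NSAllowsLocalNetworking` makes ATS ignore `NSAllowsArbitraryLoads`), so it is easy to misreport. The script below is an added example, not code from the original page: it parses the plist with Python's standard `plistlib` (which reads binary plists too, so the `plutil` conversion is optional) and lists every ATS weakening it finds. The `Info.plist` content is constructed for the example; the key names are Apple's.

```python
"""Report the App Transport Security (ATS) exceptions declared in an Info.plist.
Added example, not from the original page: plistlib reads binary and XML plists,
so the plutil conversion step is not needed. The sample plist is constructed."""
import plistlib
import sys

# Constructed sample NSAppTransportSecurity dictionary (not from a real app).
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
    <key>NSAllowsArbitraryLoadsInWebContent</key>
    <true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict>
        <key>NSIncludesSubdomains</key>
        <true/>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <true/>
        <key>NSExceptionMinimumTLSVersion</key>
        <string>TLSv1.0</string>
        <key>NSExceptionRequiresForwardSecrecy</key>
        <false/>
      </dict>
      <key>cdn.example.com</key>
      <dict>
        <key>NSExceptionRequiresForwardSecrecy</key>
        <false/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""
# A plist with no ATS dictionary at all: the secure defaults apply.
CLEAN_INFO_PLIST = plistlib.dumps({"CFBundleIdentifier": "com.example.clean"})

# Global keys that switch ATS off for a whole class of connections.
GLOBAL_BYPASS = {
    "NSAllowsArbitraryLoads": "ATS disabled for all connections",
    "NSAllowsArbitraryLoadsInWebContent": "ATS disabled for web view content",
    "NSAllowsArbitraryLoadsForMedia": "ATS disabled for AVFoundation media",
    "NSAllowsLocalNetworking": "ATS disabled for local-network hosts",
}
# Apple documents that on iOS 10+/macOS 10.12+ the presence of any of these
# keys makes ATS ignore NSAllowsArbitraryLoads entirely.
NARROWER_KEYS = GLOBAL_BYPASS.keys() - {"NSAllowsArbitraryLoads"}
WEAK_TLS = {"TLSv1.0", "TLSv1.1"}  # ATS requires TLS 1.2 or newer by default


def ats_findings(plist_bytes):
    """Return a list of human-readable ATS weaknesses found in the plist."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity")
    findings = []
    if not isinstance(ats, dict):
        return findings  # no dictionary: HTTPS, TLS 1.2+ and forward secrecy enforced
    narrower_present = any(k in ats for k in NARROWER_KEYS)
    for key, meaning in GLOBAL_BYPASS.items():
        if ats.get(key) is True:
            if key == "NSAllowsArbitraryLoads" and narrower_present:
                meaning += " (ignored on iOS 10+ because a narrower NSAllows* key is present)"
            findings.append(f"{key}: {meaning}")
    for domain, cfg in (ats.get("NSExceptionDomains") or {}).items():
        if not isinstance(cfg, dict):
            continue
        scope = f"{domain} (and subdomains)" if cfg.get("NSIncludesSubdomains") else domain
        # The NSThirdPartyException* variants are deprecated; report them too.
        for prefix in ("NSException", "NSThirdPartyException"):
            if cfg.get(prefix + "AllowsInsecureHTTPLoads") is True:
                findings.append(f"{scope}: plain HTTP allowed")
            if cfg.get(prefix + "RequiresForwardSecrecy") is False:
                findings.append(f"{scope}: forward secrecy not required")
            tls = cfg.get(prefix + "MinimumTLSVersion")
            if tls in WEAK_TLS:
                findings.append(f"{scope}: minimum TLS version lowered to {tls}")
    return findings


if __name__ == "__main__":
    # Usage: python ats_check.py Payload/<BundleName>.app/Info.plist
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_INFO_PLIST
    for line in ats_findings(data) or ["no ATS exceptions found"]:
        print(line)
```

Run it against the extracted `Info.plist`; each printed line is one item to put in the report. A domain listed under `NSExceptionDomains` with none of the weakening keys is not a finding: ATS is still enforced for it.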

### Determining whether your app’s endpoints can support ATS

Check whether your endpoints are already compatible with ATS. On a macOS machine run `/usr/bin/nscurl --ats-diagnostics --verbose https://yourdomain.com` (`nscurl` ships with macOS; Xcode is not required). It tries the connection under the default ATS policy and under each exception in turn and reports which succeed, so an endpoint that only passes with an exception is one the app would need an ATS exception for.

![This shows an endpoint which is able to use ATS](https://532189072-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Lt8335BPUBXjq3iC572%2F-LtfWEci4kPp-Yb4Lk6t%2F-Ltf_GIPp0zwEdhiHd3d%2Fimage.png?alt=media\&token=f4e53ea3-ec34-434a-9fb1-1a1c66d2f674)

## Use of obsolete/insecure libraries

Static analyzers such as MobSF flag C functions like `_sprintf`, `_strlen`, `_vsnprintf`, `_printf`, `_strncpy`, `_memcpy`, `_sscanf`, `_strcpy`, `_strcat`, `_vsprintf`, `_stat` and `_fopen` as potentially dangerous (CWE-676). The string and copy functions take no, or easily misused, length bounds and are a classic source of memory corruption; the `printf` family becomes a format-string bug when the format is attacker-controlled; `stat` and `fopen` invite check-then-use (TOCTOU) races. The leading underscore is how C symbols appear in the Mach-O symbol table, so that is the spelling to search for.

Importing these functions is not a vulnerability in itself; it becomes one only where a call site is reachable with attacker-controlled data, and even then exploitation on iOS is hard because of code signing, ASLR, non-executable memory and, on arm64e, pointer authentication. It is still good practice to use the bounded replacements (`snprintf`, `strlcpy`, `strlcat`, `strnlen`) and to report the finding so the developers can review each call site.

You can evidence the finding by listing which of these symbols the binary actually imports.

{% hint style="info" %}
This is really useful to evidence the `Binary makes use of insecure API(s)` results from MobSF
{% endhint %}

{% hint style="info" %}
References:

* **CVSS V2:** 6 (medium)
* **CWE:** CWE-676 Use of Potentially Dangerous Function
* **OWASP Mobile Top 10:** M7: Client Code Quality
* **OWASP MASVS:** MSTG-CODE-8
{% endhint %}

1\. Decompress the `.ipa` file

![](https://532189072-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Lt8335BPUBXjq3iC572%2F-MlHtpHfFCHYZFDX-9nR%2F-MlHvtLmflVYf1I1erfK%2Fimage.png?alt=media\&token=3e217c50-e3d3-4537-8a77-4d7d0476ac74)

2\. Open a terminal in the decompressed folder

3\. Run the following command

```bash
otool -Iv <APP_NAME>.app/<APP_NAME> | grep -w <API>
```

![](https://532189072-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Lt8335BPUBXjq3iC572%2F-MlHtpHfFCHYZFDX-9nR%2F-MlHwtDYEiyKeC4SlaoU%2Fimage.png?alt=media\&token=600bf41a-d4a6-41f3-b88c-fe48bdfc4048)

4\. You can also search for all the insecure APIs at once (`-E` is needed so that `|` is treated as alternation rather than a literal character):

```bash
otool -Iv <APP_NAME>.app/<APP_NAME> | grep -wE "_sprintf|_fopen|_strncat|_strncpy|_strtok|_vsnprintf|_stat|_strlen|_strcat|_strcpy|_sscanf|_chmod|_printf|_memcpy"
```

Use&#x20;of the insecure&#x20;Random&#x20;function(s)
-----------

`rand()`, `random()` and their seeders `srand()`/`srandom()` are deterministic pseudo-random generators: anyone who knows or can guess the seed (often the current time) can reproduce the whole output sequence. Under certain conditions this weakness undermines the app's encryption or other randomness-based protections, for example when keys, IVs, nonces or session tokens are generated inside the app from these functions. Cryptographic material on iOS should come from `SecRandomCopyBytes` or `arc4random_buf` instead.

{% hint style="info" %}
References:

* **CVSS V2:** 3 (low)
* **CWE:** CWE-330 Use of Insufficiently Random Values
* **OWASP Mobile Top 10:** M5: Insufficient Cryptography
* **OWASP MASVS:** MSTG-CRYPTO-6
{% endhint %}

{% hint style="warning" %}
This finding can be reported, but the developers, who have access to the source, must check what the insecure random function is actually used for. Using it to pick a random colour for the display is not a security issue: a cryptographically secure generator is not needed there, and predictable output does no harm. Using it for keys, tokens, IVs or nonces is.
{% endhint %}

1\. Decompress the `.ipa` file

![](https://532189072-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Lt8335BPUBXjq3iC572%2F-MlHtpHfFCHYZFDX-9nR%2F-MlHvtLmflVYf1I1erfK%2Fimage.png?alt=media\&token=3e217c50-e3d3-4537-8a77-4d7d0476ac74)

2\. Open a terminal in the decompressed folder

3\. Run the following command

```bash
otool -Iv <APP_NAME>.app/<APP_NAME> | grep -w <FUNCTION>
```

![](https://532189072-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Lt8335BPUBXjq3iC572%2F-MlHwv4_Vs8lQ1XzitUQ%2F-MlI-qhWKInviE3CtvbI%2Fimage.png?alt=media\&token=14a390d3-4357-4481-b830-8c052ebe9895)

4\. You can also search for all the insecure random functions at once (`rand`/`srandom` belong with `random`/`srand`):

```bash
otool -Iv <APP_NAME>.app/<APP_NAME> | grep -wE "_rand|_srand|_random|_srandom"
```
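The two `grep` procedures above (for the potentially dangerous C functions and for the insecure random functions) produce a bare list of symbol names. When writing the report it helps to attach to each symbol why it is flagged and what the developers should use instead. The script below is an added example, not code from the original page, and serves both sections: it parses the `address index name` rows that `otool -Iv` prints for the indirect symbol table and groups the imports into insecure APIs, insecure PRNG calls and the secure random sources that should replace them. `otool` only exists on macOS, so the input here is a constructed excerpt in that layout; on a Mac, pipe the real `otool -Iv` output into it.

```python
"""Triage otool -Iv output for potentially dangerous C functions and insecure PRNGs.
Added example, not from the original page. The sample below is a constructed
excerpt in the `address index name` layout otool -Iv prints; it is not real."""
import sys

# Constructed sample of `otool -Iv Payload/App.app/App` output (not a real app).
SAMPLE_OTOOL_OUTPUT = """\
Payload/App.app/App:
Indirect symbols for (__TEXT,__stubs) 8 entries
address            index name
0x0000000100008a40    42 _objc_msgSend
0x0000000100008a4c    43 _strcpy
0x0000000100008a58    44 _sprintf
0x0000000100008a64    45 _strlcpy
0x0000000100008a70    46 _srand
0x0000000100008a7c    47 _rand
0x0000000100008a88    48 _fopen
0x0000000100008a94    49 _SecRandomCopyBytes
Indirect symbols for (__DATA_CONST,__got) 2 entries
address            index name
0x000000010000c000    43 _strcpy
0x000000010000c008    50 _memcpy
"""

# Symbol -> (why it is flagged, what to use instead). Same list the greps use,
# with the leading underscore of the Mach-O symbol name.
INSECURE_API = {
    "_strcpy": ("unbounded copy", "strlcpy with the destination size"),
    "_strcat": ("unbounded append", "strlcat"),
    "_strncpy": ("may leave dst without a NUL terminator", "strlcpy"),
    "_strncat": ("size argument is easy to misuse", "strlcat"),
    "_sprintf": ("unbounded formatted write", "snprintf"),
    "_vsprintf": ("unbounded formatted write", "vsnprintf"),
    "_vsnprintf": ("bounded, but unsafe with an attacker-controlled format", "constant format strings"),
    "_printf": ("format-string bug if the format is attacker-controlled", 'printf("%s", s)'),
    "_sscanf": ("%s without a width overflows the target", "width specifiers or strtol"),
    "_strlen": ("reads past unterminated input", "strnlen"),
    "_memcpy": ("no check that dst is large enough", "a bounds check before copying"),
    "_strtok": ("not reentrant", "strtok_r"),
    "_stat": ("check-then-use race (TOCTOU)", "fstat on an open descriptor"),
    "_fopen": ("check-then-use race, follows symlinks", "open with O_NOFOLLOW / O_EXCL"),
    "_chmod": ("check-then-use race", "fchmod"),
}
INSECURE_RANDOM = {
    "_rand": "deterministic PRNG", "_srand": "seeds rand(), often with time()",
    "_random": "deterministic PRNG", "_srandom": "seeds random()",
}
SECURE_RANDOM = {"_SecRandomCopyBytes", "_arc4random", "_arc4random_buf", "_arc4random_uniform"}


def parse_indirect_symbols(text):
    """Return the symbol names from otool -Iv output, de-duplicated, in order."""
    names = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows look like `0x<address> <index> <name>`; headers and
        # LOCAL/ABSOLUTE rows without a name are skipped.
        if len(parts) >= 3 and parts[0].startswith("0x") and parts[-1] not in names:
            names.append(parts[-1])
    return names


def triage(symbols):
    """Group imported symbols into the finding categories used in the report."""
    report = {"insecure_api": [], "insecure_random": [], "secure_random": []}
    for sym in symbols:
        if sym in INSECURE_API:
            why, fix = INSECURE_API[sym]
            report["insecure_api"].append(f"{sym}: {why}; prefer {fix}")
        elif sym in INSECURE_RANDOM:
            report["insecure_random"].append(
                f"{sym}: {INSECURE_RANDOM[sym]}; prefer SecRandomCopyBytes/arc4random_buf")
        elif sym in SECURE_RANDOM:
            report["secure_random"].append(sym)
    return report


if __name__ == "__main__":
    # Usage on macOS: otool -Iv <APP_NAME>.app/<APP_NAME> | python otool_triage.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OTOOL_OUTPUT
    for category, items in triage(parse_indirect_symbols(text)).items():
        print(f"{category} ({len(items)})")
        for item in items:
            print("  " + item)
```

The `secure_random` group is there for context: an app that imports both `_rand` and `_SecRandomCopyBytes` may already use the right source for its keys and `rand()` only for non-security purposes, which is exactly the question the warning above asks the developers to answer.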
