Dynamic Analysis

iOS Dynamic Analysis

iOS dynamic analysis is the testing and evaluation of an iOS application by executing it and observing its behaviour in real time. The objective is to find errors in the application while it is running, rather than by repeatedly examining the code offline.

Dynamic analysis results are displayed as JSON objects with the following keys:

  • kind: Type of analysis test (static or dynamic)
  • key: Contains the value of the static analysis test title, used for testing purposes
  • title: Title of the specific static analysis test
  • category: Category of the specific static analysis test
  • summary: Summary of the specific static analysis test
  • cvss: Common Vulnerability Scoring System (CVSS) score. CVSS is the universal, open and standardized method for rating IT vulnerabilities and determining the urgency of response
  • regulatory: Security and compliance regulations

If a specific dynamic analysis test finds the application vulnerable, the regulatory object contains JSON arrays with the following names:

  • cwe: The "CWE" or "Common Weakness Enumeration" category is displayed as a JSON array with the id and url of each specific software weakness found during static analysis.

  • owasp: The "OWASP" or "Open Web Application Security Project" category is displayed as a JSON array with the id and url of each specific mobile security risk found during static analysis.

Example:

{
  "kind": "dynamic",
  "key": "afnetworking",
  "title": "AFNetworking Implementation",
  "category": "code",
  "summary": "Checks the security of the AFNetworking library's implementation setting, which allows developers to add networking functionality to their applications.",
  "cvss": "7.1",
  "regulatory": {}
}

If an application was not found to be vulnerable or affected by this specific dynamic analysis test, the results are displayed as JSON objects with the following keys and values:

  • affected: Boolean value (true or false) that states whether the application is affected by the specific static analysis test
  • severity: If the application is not vulnerable to a specific static analysis test, the severity value will display "pass"
  • description: Description of the static analysis test result

Example:

{
  "affected": false,
  "severity": "pass",
  "description": "Your application is using an updated version of the AFNetworking library.",
  "context": {
    "title": "Tests",
    "fields": {
      "name": {
        "title": "Name"
      },
      "tests": {
        "title": "Tests"
      }
    },
    "rows": [
      {
        "name": "AFSecurityPolicy",
        "tests": [
          "testDefaultPolicyIsSetToAFSSLPinningModeNone: true",
          "testDefaultPolicyFailsToEvaluateServerTrustFromSelfSignedCertificate: true"
        ]
      },
      {
        "name": "MVAFSecurityPolicy",
        "tests": [
          "testDefaultPolicyIsSetToAFSSLPinningModeNone: true",
          "testDefaultPolicyFailsToEvaluateServerTrustFromSelfSignedCertificate: true"
        ]
      }
    ]
  }
}

If an application was found to be vulnerable and affected by this specific dynamic analysis test, the results are displayed as JSON objects with the following keys and values:

  • affected: Boolean value (true or false) that states whether the application is affected by the specific static analysis test
  • category: Category of the specific static analysis test
  • severity: If the application is vulnerable to a specific static analysis test, the severity value is one of "high", "medium" or "low"
  • cvss: Common Vulnerability Scoring System (CVSS) score. CVSS is the universal, open and standardized method for rating IT vulnerabilities and determining the urgency of response
  • title: Title of the specific static analysis test
  • cwe: The "CWE" or "Common Weakness Enumeration" category is displayed as a JSON array with the id and url of each specific software weakness found during static analysis.
  • description: Description of the static analysis test result
  • recommendation: Recommendation on how to fix the issue or vulnerability

Example:

{
  "affected": true,
  "issue": {
    "severity": "high",
    "cvss": "7.1",
    "title": "AFNetworking vulnerability detected",
    "description": "Your application was found to be using an outdated version of the AFNetworking library. This vulnerability was patched as of version 2.5.2, however, if an older version is used, it allows all the SSL traffic to be intercepted and decrypted in a standard man-in-the-middle environment.",
    "recommendation": "You should update the AFNetworking library bundled with the application to version 2.5.2 or later.",
    "pass": "Your application is using an updated version of the AFNetworking library."
  },
  "severity": "high",
  "description": "Your application was found to be using an outdated version of the AFNetworking library. This vulnerability was patched as of version 2.5.2, however, if an older version is used, it allows all the SSL traffic to be intercepted and decrypted in a standard man-in-the-middle environment.",
  "recommendation": "You should update the AFNetworking library bundled with the application to version 2.5.2 or later.",
  "context": {
    "title": "Tests",
    "fields": {
      "name": {
        "title": "Name"
      },
      "tests": {
        "title": "Tests"
      }
    },
    "rows": [
      {
        "name": "AFSecurityPolicy",
        "tests": [
          "testDefaultPolicyIsSetToAFSSLPinningModeNone: true",
          "testDefaultPolicyFailsToEvaluateServerTrustFromSelfSignedCertificate: false"
        ]
      }
    ]
  }
}
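The following is an added example, not part of the original documentation or the analysis tool itself, showing how a triage script can consume a result object in the shape described above: it reads the affected/severity/cvss fields, pulls the CWE and OWASP ids out of the regulatory object, and flattens context.rows into the list of individual checks that did not pass. The sample result is constructed here, and its regulatory entries (a CWE id and an OWASP id with a placeholder URL) are assumed values, since the page shows that object empty.

```python
import json

# Constructed sample in the result shape documented above. The "regulatory"
# contents are assumed sample values, not taken from the page.
SAMPLE_RESULT = json.loads(r'''{
  "kind": "dynamic", "key": "afnetworking", "category": "code",
  "title": "AFNetworking Implementation", "cvss": "7.1",
  "regulatory": {
    "cwe": [{"id": "CWE-295", "url": "https://cwe.mitre.org/data/definitions/295.html"}],
    "owasp": [{"id": "M3", "url": "https://example.invalid/owasp/M3"}]
  },
  "affected": true, "severity": "high",
  "description": "Outdated AFNetworking library.",
  "recommendation": "Update AFNetworking to 2.5.2 or later.",
  "context": {"title": "Tests",
    "fields": {"name": {"title": "Name"}, "tests": {"title": "Tests"}},
    "rows": [{"name": "AFSecurityPolicy", "tests": [
      "testDefaultPolicyIsSetToAFSSLPinningModeNone: true",
      "testDefaultPolicyFailsToEvaluateServerTrustFromSelfSignedCertificate: false"]}]}
}''')

SEVERITY_RANK = {"pass": 0, "low": 1, "medium": 2, "high": 3}


def failed_tests(result):
    """Flatten context.rows into 'Class.test' names whose outcome is not 'true'."""
    failed = []
    for row in result.get("context", {}).get("rows", []):
        for entry in row.get("tests", []):
            name, sep, outcome = entry.rpartition(": ")  # "testName: true"
            if not sep:  # malformed entry: treat as not passed, keep raw text
                name, outcome = entry, ""
            if outcome.strip().lower() != "true":
                failed.append(f"{row.get('name', '?')}.{name}")
    return failed


def summarize(result):
    """Reduce one result object to the fields a triage queue needs."""
    affected = bool(result.get("affected", False))
    severity = result.get("severity", "pass" if not affected else "unknown")
    regulatory = result.get("regulatory") or {}
    return {
        "key": result.get("key"),
        "affected": affected,
        "severity": severity,
        "cvss": float(result.get("cvss") or 0),
        "cwe": [e["id"] for e in regulatory.get("cwe", [])],
        "owasp": [e["id"] for e in regulatory.get("owasp", [])],
        "failed_tests": failed_tests(result),
    }


def needs_attention(result, min_severity="medium"):
    """Triage gate: affected and at least min_severity; 'pass' never qualifies."""
    s = summarize(result)
    return s["affected"] and SEVERITY_RANK.get(s["severity"], 0) >= SEVERITY_RANK[min_severity]
```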