iOS dynamic analysis is the testing and evaluation of an iOS application by executing it with data in real time. The objective is to find errors in the application while it is running, rather than by repeatedly examining the code offline.
Dynamic analysis results are displayed in JSON objects with the following names:
If a specific dynamic analysis test is found vulnerable, a JSON array with the following names is displayed under the regulatory category:
“cwe”: The “CWE” or “Common Weakness Enumeration” category is displayed in a JSON array with the id and url of each specific software weakness found during static analysis.
“owasp”: The “OWASP” or “Open Web Application Security Project” category is displayed in a JSON array with the id and url of each specific mobile security risk found during static analysis.
Example:
{
  "kind": "dynamic",
  "key": "afnetworking",
  "title": "AFNetworking Implementation",
  "category": "code",
  "summary": "Checks the security of the AFNetworking library's implementation setting, which allows developers to add networking functionality to their applications.",
  "cvss": "7.1",
  "regulatory": {}
}
If an application was not found to be vulnerable or affected by this specific dynamic analysis test, the results are displayed in JSON objects with the following names and values:
Example:
{
  "affected": false,
  "severity": "pass",
  "description": "Your application is using an updated version of the AFNetworking library.",
  "context": {
    "title": "Tests",
    "fields": {
      "name": {
        "title": "Name"
      },
      "tests": {
        "title": "Tests"
      }
    },
    "rows": [
      {
        "name": "AFSecurityPolicy",
        "tests": [
          "testDefaultPolicyIsSetToAFSSLPinningModeNone: true",
          "testDefaultPolicyFailsToEvaluateServerTrustFromSelfSignedCertificate: true"
        ]
      },
      {
        "name": "MVAFSecurityPolicy",
        "tests": [
          "testDefaultPolicyIsSetToAFSSLPinningModeNone: true",
          "testDefaultPolicyFailsToEvaluateServerTrustFromSelfSignedCertificate: true"
        ]
      }
    ]
  }
}
If an application was found to be vulnerable and affected by this specific dynamic analysis test, the results are displayed in JSON objects with the following names and values:
Example:
{
  "affected": true,
  "issue": {
    "severity": "high",
    "cvss": "7.1",
    "title": "AFNetworking vulnerability detected",
    "description": "Your application was found to be using an outdated version of the AFNetworking library. This vulnerability was patched as of version 2.5.2, however, if an older version is used, it allows all the SSL traffic to be intercepted and decrypted in a standard man-in-the-middle environment.",
    "recommendation": "You should update the AFNetworking library bundled with the application to version 2.5.2 or later.",
    "pass": "Your application is using an updated version of the AFNetworking library."
  },
  "severity": "high",
  "description": "Your application was found to be using an outdated version of the AFNetworking library. This vulnerability was patched as of version 2.5.2, however, if an older version is used, it allows all the SSL traffic to be intercepted and decrypted in a standard man-in-the-middle environment.",
  "recommendation": "You should update the AFNetworking library bundled with the application to version 2.5.2 or later.",
  "context": {
    "title": "Tests",
    "fields": {
      "name": {
        "title": "Name"
      },
      "tests": {
        "title": "Tests"
      }
    },
    "rows": [
      {
        "name": "AFSecurityPolicy",
        "tests": [
          "testDefaultPolicyIsSetToAFSSLPinningModeNone: true",
          "testDefaultPolicyFailsToEvaluateServerTrustFromSelfSignedCertificate: false"
        ]
      }
    ]
  }
}
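The following Python is an added example, not part of the original documentation or the vendor's tooling: it reads result objects shaped like the two examples above and decides whether a finding should block a build. The function names, the 7.0 CVSS threshold, and the reading of a "<test>: false" entry as the failed check are assumptions based only on the examples shown here.

```python
import json

# Constructed sample, trimmed from the "affected" example above.
SAMPLE_AFFECTED = json.loads("""
{
  "affected": true,
  "issue": {"severity": "high", "cvss": "7.1"},
  "severity": "high",
  "context": {"rows": [{"name": "AFSecurityPolicy", "tests": [
      "testDefaultPolicyIsSetToAFSSLPinningModeNone: true",
      "testDefaultPolicyFailsToEvaluateServerTrustFromSelfSignedCertificate: false"]}]}
}
""")
# Constructed sample, trimmed from the "not affected" example above.
SAMPLE_PASS = json.loads("""
{
  "affected": false,
  "severity": "pass",
  "context": {"rows": [{"name": "AFSecurityPolicy", "tests": [
      "testDefaultPolicyIsSetToAFSSLPinningModeNone: true",
      "testDefaultPolicyFailsToEvaluateServerTrustFromSelfSignedCertificate: true"]}]}
}
""")


def failed_tests(result):
    """Return (class name, test name) for every "<test>: false" entry."""
    failed = []
    for row in result.get("context", {}).get("rows", []):
        for entry in row.get("tests", []):
            test, _, outcome = entry.rpartition(":")
            if outcome.strip().lower() == "false":
                failed.append((row.get("name", "?"), test.strip()))
    return failed


def triage(result, cvss_threshold=7.0):
    """Summarise one result object; the threshold is a hypothetical policy value."""
    issue = result.get("issue", {})
    # "cvss" is a string inside "issue" and is absent when the test passed.
    cvss = float(issue["cvss"]) if "cvss" in issue else None
    affected = result.get("affected") is True
    return {
        "affected": affected,
        "severity": result.get("severity"),
        "cvss": cvss,
        "failed": failed_tests(result),
        # Fail closed: an affected finding without a score still blocks.
        "block": affected and (cvss is None or cvss >= cvss_threshold),
    }
```

The `failed` list names the policy class and the individual check that did not hold, which is what a reviewer needs to locate the TLS validation code in question.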