Static Analysis

iOS Static Analysis

iOS static analysis, also called static code analysis, is a method of debugging that examines the code without executing the iOS application. The process provides an understanding of the code structure and can help to ensure that the code adheres to industry standards.

Static analysis results are displayed as JSON objects with the following keys:

  • "kind": Type of analysis test (static or dynamic)
  • "key": Machine-readable identifier of the static analysis test (derived from its title), used for testing purposes
  • "title": Title of the specific static analysis test
  • "category": Category of the specific static analysis test
  • "summary": Summary of the specific static analysis test
  • "cvss": Common Vulnerability Scoring System (CVSS) score. CVSS is the universal, open and standardized method for rating IT vulnerabilities and determining the urgency of response
  • "regulatory": Security and compliance regulations

The "regulatory" object contains JSON arrays with the following names:

  • "cwe": The "CWE" or "Common Weakness Enumeration" category is displayed as a JSON array with the id and url of each specific software weakness found during static analysis.

  • "owasp": The "OWASP" or "Open Web Application Security Project" category is displayed as a JSON array with the id and url of each specific mobile security risk found during static analysis.

Example:

{
    "kind": "static",
    "key": "app_transport_security",
    "title": "App Transport Security",
    "category": "network",
    "summary": "\n    App Transport Security (ATS) is new in iOS 9, and it helps ensure secure connections between an app and the back end server(s). It is on by default when an app is linked against iOS 9.0 SDK or later. With ATS enabled, HTTP connections are forced to use HTTPS (TLS v1.2), and any attempts to connect using insecure HTTP will fail. There are a couple of options when implementing ATS:\n    * ATS can be enabled globally (by linking to iOS 9.0 or later SDK), and the developer can choose to decrease ATS restrictions on a specific server using an exception key.\n    * ATS can be disabled globally (by settings the NSAllowsArbitraryLoads key to YES). An exception could then allow the developer to increase ATS restrictions on a specific server.\n  ",
    "cvss": 5.1,
    "regulatory": {
      "cwe": [
        {
          "id": 319,
          "url": "https://cwe.mitre.org/data/definitions/319.html"
        }
      ],
      "owasp": [
        {
          "id": "Mobile Top 10: M3-Insufficient Transport Layer Protection",
          "url": "https://www.owasp.org/index.php/Mobile_Top_10_2014-M3"
        }
      ]
    }
}

If an application was not found to be vulnerable or affected by a specific static analysis test, the result is displayed as a JSON object with the following names and values:

  • "affected": Boolean value (true or false) that states whether the application is affected by the specific static analysis test
  • "severity": If the application is not vulnerable to the static analysis test, the severity value is "pass"
  • "description": Description of the static analysis test result

Example:

{
    "affected": false,
    "severity": "pass",
    "description": "\n    Your application has enabled ATS globally, ensuring all connections are using \n    secure SSL/TLS. This does not include any domains where an exception has been set. \n    If any exceptions have been implemented for a specific domain, these are provided \n    in the table below.\n  ",
    "context": {
      "title": "Domain Exceptions",
      "fields": {
        "domain": {
          "title": "Domain"
        },
        "exception": {
          "title": "Exception"
        }
      },
      "rows": [
        {
          "domain": "baidu.com",
          "exception": "{\n    \"NSIncludesSubdomains\": true,\n    \"NSTemporaryExceptionAllowsInsecureHTTPLoads\": true\n}"
        },
        {
          "domain": "ubereats.com",
          "exception": "{\n    \"NSIncludesSubdomains\": true,\n    \"NSExceptionAllowsInsecureHTTPLoads\": true\n}"
        },
        {
          "domain": "cloudfront.net",
          "exception": "{\n    \"NSIncludesSubdomains\": true,\n    \"NSTemporaryExceptionAllowsInsecureHTTPLoads\": true\n}"
        },
        {
          "domain": "s3.amazonaws.com",
          "exception": "{\n    \"NSIncludesSubdomains\": true,\n    \"NSTemporaryExceptionAllowsInsecureHTTPLoads\": true\n}"
        },
        {
          "domain": "www.ubereats.com",
          "exception": "{\n    \"NSIncludesSubdomains\": true,\n    \"NSExceptionAllowsInsecureHTTPLoads\": true\n}"
        }
      ]
    }
}

If an application was found to be vulnerable and affected by a specific static analysis test, the result is displayed as a JSON object with the following names and values (the per-issue fields are nested under an "issue" object, as the example shows):

  • "affected": Boolean value (true or false) that states whether the application is affected by the specific static analysis test
  • "category": Category of the specific static analysis test
  • "severity": If the application is vulnerable to the static analysis test, the severity value is one of "high", "medium" or "low"
  • "cvss": Common Vulnerability Scoring System (CVSS) score. CVSS is the universal, open and standardized method for rating IT vulnerabilities and determining the urgency of response
  • "title": Title of the specific static analysis test
  • "cwe": The "CWE" or "Common Weakness Enumeration" category is displayed as a JSON array with the id and url of each specific software weakness found during static analysis.
  • "description": Description of the static analysis test result
  • "recommendation": Recommendation on how to fix the issue or vulnerability

Example:

{
    "affected": true,
    "issue": {
      "category": "network",
      "severity": "medium",
      "cvss": 5.1,
      "title": "App Transport Security not in use",
      "cwe": [
        {
          "id": 319,
          "url": "https://cwe.mitre.org/data/definitions/319.html"
        }
      ],
      "owasp": [
        {
          "id": "Mobile Top 10: M3-Insufficient Transport Layer Protection",
          "url": "https://www.owasp.org/index.php/Mobile_Top_10_2014-M3"
        }
      ],
      "description": "\n    Your application has globally disabled ATS, which will allow a \n    connection regardless of HTTP or HTTPS configuration, allow \n    connection to servers with lower TLS versions, and allow connection \n    using cipher suites that do not support forward secrecy (FS).\n  ",
      "pass": "\n    Your application has enabled ATS globally, ensuring all connections are using \n    secure SSL/TLS. This does not include any domains where an exception has been set. \n    If any exceptions have been implemented for a specific domain, these are provided \n    in the table below.\n  ",
      "recommendation": "For apps running on iOS 9.0 or higher, ATS must be \n  enabled globally by linking to the iOS 9.0 or later SDK, and avoid \n  setting the \"NSAllowsArbitraryLoads\" key to \"Yes\" or \"True.\" For any \n  existing apps which communicate to servers over HTTP, an exception must \n  be set using either the “NSExceptionAllowsInsecureHTTPLoads” or \n  “NSThirdPartyExceptionAllowsInsecureHTTPLoads” key.\n  \n  Important Note: While Apple currently allows exceptions for HTTP sites, \n  they will no longer accept exceptions by the end of 2016. All communications \n  must use TLS v.1.2 or higher by December 2016.\n  "
    },
    "severity": "medium",
    "description": "\n    Your application has globally disabled ATS, which will allow a \n    connection regardless of HTTP or HTTPS configuration, allow \n    connection to servers with lower TLS versions, and allow connection \n    using cipher suites that do not support forward secrecy (FS).\n  ",
    "recommendation": "For apps running on iOS 9.0 or higher, ATS must be \n  enabled globally by linking to the iOS 9.0 or later SDK, and avoid \n  setting the \"NSAllowsArbitraryLoads\" key to \"Yes\" or \"True.\" For any \n  existing apps which communicate to servers over HTTP, an exception must \n  be set using either the “NSExceptionAllowsInsecureHTTPLoads” or \n  “NSThirdPartyExceptionAllowsInsecureHTTPLoads” key.\n  \n  Important Note: While Apple currently allows exceptions for HTTP sites, \n  they will no longer accept exceptions by the end of 2016. All communications \n  must use TLS v.1.2 or higher by December 2016.\n  "
  }
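As an added example (not the analysis tool's own code), the following Python script consumes result objects in the shape documented above, for both the "affected": false form with its "context" table of domain exceptions and the "affected": true form with its nested "issue" object. It ranks affected findings by severity and CVSS, collects their CWE ids, and decodes each domain's embedded exception JSON to flag the ATS keys that weaken transport security (NSAllowsArbitraryLoads and the three *AllowsInsecureHTTPLoads keys, all of which appear in the examples above). The sample results, domains and the "placeholder_high_test" entry are constructed for the example and are not real scan output.

```python
import json

# Added example: triage iOS static analysis results in the documented JSON shape.
# Every input below is a constructed sample, not output from a real scan.

SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1, "pass": 0}

# ATS keys that, when set to true, relax transport security for the app or a domain.
INSECURE_ATS_KEYS = (
    "NSAllowsArbitraryLoads",
    "NSExceptionAllowsInsecureHTTPLoads",
    "NSThirdPartyExceptionAllowsInsecureHTTPLoads",
    "NSTemporaryExceptionAllowsInsecureHTTPLoads",
)

SAMPLE_RESULTS = [
    {   # not affected: ATS is on globally, but the context table lists per-domain exceptions
        "kind": "static", "key": "app_transport_security",
        "title": "App Transport Security", "category": "network", "cvss": 5.1,
        "affected": False, "severity": "pass",
        "description": "ATS enabled globally; exceptions in the table below.",
        "context": {
            "title": "Domain Exceptions",
            "fields": {"domain": {"title": "Domain"}, "exception": {"title": "Exception"}},
            "rows": [
                {"domain": "example.com",   # constructed domain
                 "exception": "{\n  \"NSIncludesSubdomains\": true,\n  \"NSExceptionAllowsInsecureHTTPLoads\": true\n}"},
                {"domain": "secure.example.com",   # constructed domain; exception does not weaken ATS
                 "exception": "{\n  \"NSIncludesSubdomains\": true\n}"},
            ],
        },
    },
    {   # affected: ATS disabled globally (mirrors the page's "affected": true example)
        "kind": "static", "key": "app_transport_security",
        "title": "App Transport Security", "category": "network", "cvss": 5.1,
        "affected": True,
        "issue": {
            "category": "network", "severity": "medium", "cvss": 5.1,
            "title": "App Transport Security not in use",
            "cwe": [{"id": 319, "url": "https://cwe.mitre.org/data/definitions/319.html"}],
        },
        "severity": "medium",
        "description": "ATS globally disabled.",
        "recommendation": "Enable ATS globally; do not set NSAllowsArbitraryLoads to YES.",
    },
    {   # constructed placeholder finding so that severity ordering is visible
        "kind": "static", "key": "placeholder_high_test", "title": "Placeholder high-severity test",
        "category": "storage", "cvss": 7.5, "affected": True,
        "issue": {"category": "storage", "severity": "high", "cvss": 7.5,
                  "title": "Placeholder high-severity test", "cwe": []},
        "severity": "high", "description": "constructed", "recommendation": "constructed",
    },
]


def insecure_ats_keys(exception_json):
    """Decode one embedded exception string and return the ATS-weakening keys set to true."""
    exc = json.loads(exception_json)
    return [k for k in INSECURE_ATS_KEYS if exc.get(k) is True]


def domain_exceptions(result):
    """Return (domain, weakening_keys) for every row of a result's context table."""
    ctx = result.get("context") or {}
    return [(row["domain"], insecure_ats_keys(row["exception"])) for row in ctx.get("rows", [])]


def cwe_ids(result):
    """CWE ids sit under issue.cwe on an affected result and under regulatory.cwe on a test definition."""
    cwes = (result.get("issue") or {}).get("cwe") or (result.get("regulatory") or {}).get("cwe") or []
    return [c["id"] for c in cwes]


def triage(results):
    """Affected findings sorted by severity then CVSS, plus domains whose exceptions weaken ATS."""
    findings = []
    for r in results:
        if not r.get("affected"):
            continue
        issue = r.get("issue") or {}
        findings.append({
            "key": r["key"],
            "title": issue.get("title", r.get("title")),
            "severity": r.get("severity", issue.get("severity", "pass")),
            "cvss": issue.get("cvss", r.get("cvss", 0)),
            "cwe": cwe_ids(r),
        })
    findings.sort(key=lambda f: (-SEVERITY_RANK.get(f["severity"], 0), -f["cvss"]))
    # a "pass" result can still carry per-domain exceptions that deserve review
    exceptions = [(r["key"], domain, keys)
                  for r in results for domain, keys in domain_exceptions(r) if keys]
    return {"findings": findings, "insecure_exceptions": exceptions}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_RESULTS), indent=2))
```

The point of decoding the "exception" strings is that a "pass" severity only says ATS is enabled globally; each listed domain may still permit plaintext HTTP, so a reviewer wants those rows surfaced alongside the affected findings rather than buried in the context table.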