Static Analysis

iOS Static Analysis

iOS static analysis, also called static code analysis, is a method of debugging that examines the code without executing the iOS application. The process provides an understanding of the code structure and can help to ensure that the code adheres to industry standards.

Static analysis results are returned as JSON objects with the following names:

  • "kind": Type of analysis test (static or dynamic)
  • "key": Contains the value of the static analysis test title used for testing purposes
  • "title": Title of the specific static analysis test
  • "category": Category of the specific static analysis test
  • "summary": Summary of the specific static analysis test
  • "cvss": Common Vulnerability Scoring System (CVSS) score. CVSS is the universal, open and standardized method for rating IT vulnerabilities and determining the urgency of response
  • "regulatory": Security and compliance regulations

The "regulatory" object contains JSON arrays with the following names:

  • "cwe": The "CWE" or "Common Weakness Enumeration" category is displayed in a JSON array with the id and url of each specific software weakness found during static analysis.

  • "owasp": The "OWASP" or "Open Web Application Security Project" category is displayed in a JSON array with the id and url of each specific mobile security risk found during static analysis.

Example:

{
    "kind": "static",
    "key": "app_transport_security",
    "title": "App Transport Security",
    "category": "network",
    "summary": "\n    App Transport Security (ATS) is new in iOS 9, and it helps ensure secure connections between an app and the back end server(s). It is on by default when an app is linked against iOS 9.0 SDK or later. With ATS enabled, HTTP connections are forced to use HTTPS (TLS v1.2), and any attempts to connect using insecure HTTP will fail. There are a couple of options when implementing ATS:\n    * ATS can be enabled globally (by linking to iOS 9.0 or later SDK), and the developer can choose to decrease ATS restrictions on a specific server using an exception key.\n    * ATS can be disabled globally (by settings the NSAllowsArbitraryLoads key to YES). An exception could then allow the developer to increase ATS restrictions on a specific server.\n  ",
    "cvss": 5.1,
    "regulatory": {
      "cwe": [
        {
          "id": 319,
          "url": "https://cwe.mitre.org/data/definitions/319.html"
        }
      ],
      "owasp": [
        {
          "id": "Mobile Top 10: M3-Insufficient Transport Layer Protection",
          "url": "https://www.owasp.org/index.php/Mobile_Top_10_2014-M3"
        }
      ]
    }

If an application was not found to be vulnerable or affected by this specific static analysis test, the results also contain the following names and values:

  • "affected": Boolean value (true or false) that states whether the application is affected by the specific static analysis test
  • "severity": If the application is not vulnerable to a specific static analysis test, the severity value will display "pass"
  • "description": Description of the static analysis test result

Example:

"affected": false,
    "severity": "pass",
    "description": "\n    Your application has enabled ATS globally, ensuring all connections are using \n    secure SSL/TLS. This does not include any domains where an exception has been set. \n    If any exceptions have been implemented for a specific domain, these are provided \n    in the table below.\n  ",
#    "context": {
#      "title": "Domain Exceptions",
#      "fields": {
#        "domain": {
#          "title": "Domain"
#        },
#        "exception": {
#          "title": "Exception"
#        }
#      },
#      "rows": [
#        {
#          "domain": "baidu.com",
#          "exception": "{\n    \"NSIncludesSubdomains\": true,\n    \"NSTemporaryExceptionAllowsInsecureHTTPLoads\": true\n}"
#        },
#        {
#          "domain": "ubereats.com",
#          "exception": "{\n    \"NSIncludesSubdomains\": true,\n    \"NSExceptionAllowsInsecureHTTPLoads\": true\n}"
#        },
#        {
#          "domain": "cloudfront.net",
#          "exception": "{\n    \"NSIncludesSubdomains\": true,\n    \"NSTemporaryExceptionAllowsInsecureHTTPLoads\": true\n}"
#        },
#        {
#          "domain": "s3.amazonaws.com",
#          "exception": "{\n    \"NSIncludesSubdomains\": true,\n    \"NSTemporaryExceptionAllowsInsecureHTTPLoads\": true\n}"
#        },
#        {
#          "domain": "www.ubereats.com",
#          "exception": "{\n    \"NSIncludesSubdomains\": true,\n    \"NSExceptionAllowsInsecureHTTPLoads\": true\n}"
#        }
#      ]
#    }
#  }

If an application was found to be vulnerable and affected by this specific static analysis test, the results also contain the following names and values:

  • "affected": Boolean value (true or false) that states whether the application is affected by the specific static analysis test
  • "category": Category of the specific static analysis test
  • "severity": If the application is vulnerable to a specific static analysis test, the severity value is "high", "medium", or "low"
  • "cvss": Common Vulnerability Scoring System (CVSS) score. CVSS is the universal, open and standardized method for rating IT vulnerabilities and determining the urgency of response
  • "title": Title of the specific static analysis test
  • "cwe": The "CWE" or "Common Weakness Enumeration" category is displayed in a JSON array with the id and url of each specific software weakness found during static analysis.
  • "description": Description of the static analysis test result
  • "recommendation": Recommendation on how to fix the issue or vulnerability

Example:

"affected": true,
    "issue": {
      "category": "network",
      "severity": "medium",
      "cvss": 5.1,
      "title": "App Transport Security not in use",
      "cwe": [
        {
          "id": 319,
          "url": "https://cwe.mitre.org/data/definitions/319.html"
        }
      ],
      "owasp": [
        {
          "id": "Mobile Top 10: M3-Insufficient Transport Layer Protection",
          "url": "https://www.owasp.org/index.php/Mobile_Top_10_2014-M3"
        }
      ],
      "description": "\n    Your application has globally disabled ATS, which will allow a \n    connection regardless of HTTP or HTTPS configuration, allow \n    connection to servers with lower TLS versions, and allow connection \n    using cipher suites that do not support forward secrecy (FS).\n  ",
      "pass": "\n    Your application has enabled ATS globally, ensuring all connections are using \n    secure SSL/TLS. This does not include any domains where an exception has been set. \n    If any exceptions have ben implemented for a specific domain, these are provided \n    in the table below.\n  ",
      "recommendation": "For apps running on iOS 9.0 or higher, ATS must be \n  enabled globally by linking to the iOS 9.0 or later SDK, and avoid \n  setting the \"NSAllowsArbitraryLoads\" key to \"Yes\" or \"True.\" For any \n  existing apps which communicate to servers over HTTP, an exception must \n  be set using either the “NSExceptionAllowsInsecureHTTPLoads” or \n  “NSThirdPartyExceptionAllowsInsecureHTTPLoads” key.\n  \n  Important Note: While Apple currently allows exceptions for HTTP sites, \n  they will no longer accept exceptions by the end of 2016. All communications \n  must use TLS v.1.2 or higher by December 2016.\n  "
    },
    "severity": "medium",
    "description": "\n    Your application has globally disabled ATS, which will allow a \n    connection regardless of HTTP or HTTPS configuration, allow \n    connection to servers with lower TLS versions, and allow connection \n    using cipher suites that do not support forward secrecy (FS).\n  ",
    "recommendation": "For apps running on iOS 9.0 or higher, ATS must be \n  enabled globally by linking to the iOS 9.0 or later SDK, and avoid \n  setting the \"NSAllowsArbitraryLoads\" key to \"Yes\" or \"True.\" For any \n  existing apps which communicate to servers over HTTP, an exception must \n  be set using either the “NSExceptionAllowsInsecureHTTPLoads” or \n  “NSThirdPartyExceptionAllowsInsecureHTTPLoads” key.\n  \n  Important Note: While Apple currently allows exceptions for HTTP sites, \n  they will no longer accept exceptions by the end of 2016. All communications \n  must use TLS v.1.2 or higher by December 2016.\n  "
  }

Heartbleed Check

  • This test checks to see if your application is vulnerable to the Heartbleed vulnerability. This serious issue is caused by a vulnerable version of a library called OpenSSL (1.0.1 with heartbeats support enabled). In this version, the tls1_process_heartbeat function does not validate its input properly, which can lead to information disclosure through a buffer over-read, potentially allowing a malicious attacker to retrieve very sensitive information like credentials or encryption keys.

Example:

{
    "kind": "static",
    "key": "heartbleed_check",
    "title": "Heartbleed Check",
    "category": "code",
    "summary": "\n    This test checks to see if your application is vulnerable to the Heartbleed\n    vulnerability. This serious issue is caused by a vulnerable version of\n    library called OpenSSL (1.0.1 with heartbeats support enabled). In this\n    version, the `tls1_process_heartbeat` function does not validate its input\n    properly and can lead to information disclosure due to buffer overreading,\n    potentially allowing a malicious attacker to retrieve very sensitive\n    information like credentials or encryption keys.\n  ",
    "cvss": 7.5,
    "regulatory": {
      "cwe": [
        {
          "id": 20,
          "url": "https://cwe.mitre.org/data/definitions/20.html"
        },
        {
          "id": 126,
          "url": "https://cwe.mitre.org/data/definitions/126.html"
        }
      ],
      "owasp": [
        {
          "id": "Mobile Top 10: M6-Broken Cryptography",
          "url": "https://www.owasp.org/index.php/Mobile_Top_10_2014-M6"
        }
      ]
    },
    "affected": false,
    "severity": "pass",
    "description": "\n    Your application was not found to be vulnerable to the Heartbleed vulnerability.\n  "
  }

Address Space Layout Random Check

  • ASLR (Address space layout randomization) is a security feature that randomizes the address space used in the application, making it difficult to execute malicious code without first causing the application to crash. It also complicates the process of dumping allocated memory of the application. This test checks to see if the application binary was compiled with the -PIE flag.

Example:

{
    "kind": "static",
    "key": "address_space_layout_rand_check",
    "title": "Address Space Layout Random Check",
    "category": "code",
    "summary": "\n    ASLR (Address space layout randomization) is a security feature\n    introduced in iOS 4.3 that randomizes how an app is loaded and maintained\n    in memory. ASLR randomizes the address space used in the application,\n    making it difficult to execute malicious code without first causing the\n    application to crash. It also complicates the process of dumping allocated\n    memory of the application. This test checks to see if the application\n    binary was compiled with the -PIE flag.\n  ",
    "cvss": 1.6,
    "regulatory": {},
    "affected": false,
    "severity": "pass",
    "description": "\n    Your application uses address space layout randomization (ASLR) to protect\n    itself against buffer overflow attacks.\n  "
  }

Change Cipher Spec Check

  • Certain versions of OpenSSL do not properly restrict the processing of ChangeCipherSpec messages during the SSL/TLS handshake, which could lead to a man-in-the-middle exploit. This is also referred to as the “CCS Injection” vulnerability.

Example:

  {
    "kind": "static",
    "key": "change_cipher_spec_check",
    "title": "Change Cipher Spec Check",
    "category": "code",
    "summary": "\n    Certain versions of OpenSSL do not properly restrict the processing of ChangeCipherSpec messages during the SSL/TLS handshake, which could lead to a man-in-the-middle exploit. This is also referred to as the \"CCS Injection\" vulnerability. For additional details, refer to CVE-2014-0224.\n  ",
    "cvss": 7.4,
    "regulatory": {},
    "affected": false,
    "severity": "pass",
    "description": "\n    The application was not found to be vulnerable to the Change Cipher Spec\n    vulnerability.\n  "
  }

Stack Smashing Protection Check

  • When an application is compiled with stack smashing protection, a known value or “canary” is placed on the stack directly before the local variables to protect the saved base pointer, saved instruction pointer, and function arguments. The value of the canary is verified upon the function return to see if it has been overwritten. The compiler uses a heuristic to intelligently apply stack protection to a function, typically functions using character arrays. This test checks if the application was compiled with flags preventing some stack overflow vulnerabilities.

Example:

{
    "kind": "static",
    "key": "stack_smashing_protection_check",
    "title": "Stack Smashing Check",
    "category": "code",
    "summary": "\n    When an application is compiled with stack smashing protection, a known value or “canary” is placed on the stack directly before the local variables to protect the saved base pointer, saved instruction pointer, and function arguments. The value of the canary is verified upon the function return to see if it has been overwritten. The compiler uses a heuristic to intelligently apply stack protection to a function, typically functions using character arrays.\n    This test checks if the application was compiled with flags preventing some stack\n    overflow vulnerabilities.\n  ",
    "cvss": 1.6,
    "regulatory": {},
    "affected": false,
    "severity": "pass",
    "description": "\n    Stack smashing protection has been implemented in your application.\n  "
  }

Automatic Reference Counting Check

  • Automatic Reference Counting is a memory management system that takes care at compile time of the reference count of objects automatically, instead of leaving this task to the developer.

Example:

{
    "kind": "static",
    "key": "address_reference_counting_check",
    "title": "Automatic Reference Counting Check",
    "category": "code",
    "summary": "\n    Automatic Reference Counting is a memory management system that takes care at compile time of the reference count of objects automatically, instead of leaving this task to the developer. This feature was introduced with iOS 5, but it can be backported to previous versions because the operations are performed at compile time. The compiler will insert the release and retain calls automatically, making the developer’s life easier, and eliminating risks of introducing vulnerabilities related to the object’s memory lifecycle. The process is completely done at compile time, so it does not introduce any runtime overhead, like a garbage collector for example, so there are no drawbacks for developers switching to Automatic Reference Counting.\n    This test checks if the application was compiled with flags improving its\n    performance and preventing some stack overflow vulnerabilities.\n  ",
    "cvss": 1.6,
    "regulatory": {},
    "affected": false,
    "severity": "pass",
    "description": "\n    Automatic Reference Counting (ARC) has been implemented with your application.\n  "
  }

Local Authentication Check

  • This check only applies to iOS apps that utilize Touch ID for authentication. It checks to determine if your application is using an insecure implementation of the Local Authentication framework, which makes it possible to bypass the authentication process through runtime analysis or patching the binary.

Example:

{
    "kind": "static",
    "key": "local_auth_check",
    "title": "Local Auth Check",
    "category": "code",
    "summary": "\n    This check only applies to iOS apps that utilize Touch ID for\n    authentication. It checks to determine if your application is using an\n    insecure implementation of the Local Authentication framework, which makes\n    it possible to bypass the authentication process through runtime analysis\n    or patching the binary.\n  ",
    "cvss": 3.8,
    "regulatory": {
      "cwe": [
        {
          "id": 288,
          "url": "https://cwe.mitre.org/data/definitions/288.html"
        }
      ],
      "owasp": [
        {
          "id": "Mobile Top 10: M5-Poor Authentication and Authorization",
          "url": "https://www.owasp.org/index.php/Mobile_Top_10_2014-M5"
        }
      ]
    },
    "affected": false,
    "severity": "pass",
    "description": "\n    Use of LocalAuthentication framework for Touch ID authentication was not\n    detected.\n  "
  }

Application Behaviors

  • The following table highlights a list of the potential behaviors that may be observed while interacting with the application, a brief description of each behavior and what it might be used for, and the applicable architecture (MACH-O slice) in which that behavior was detectable.

Example:

{
    "kind": "static",
    "key": "application_behaviors",
    "title": "Application Behaviors",
    "category": "artifact",
    "summary": "\n    The following table highlights a list of the potential behaviors that may be observed while interacting with the application, a brief description of each behavior and what it might be used for, and the applicable architecture (MACH-O slice) in which that behavior was detectable.",
    "regulatory": {},
    "affected": true,
    "context": {
      "rows": [
        {
          "behaviors": "webkit",
          "description": "Potentially uses WebKit JavaScriptCore.framework, WebKit.framework.",
          "architecture": "arm64"
        },
        {
          "behaviors": "tracking",
          "description": "Potentially tracks user/device/install via AdSupport.framework.",
          "architecture": "arm64"
        },
        {
          "behaviors": "network",
          "description": "Potentially performs network requests via CFNetwork.framework.",
          "architecture": "arm64"
        },
        {
          "behaviors": "social-network",
          "description": "Potentially uses and/or posts to social networks via Social.framework or Twitter.framework.",
          "architecture": "arm64"
        },
        {
          "behaviors": "telephony",
          "description": "Potentially accesses telephony services via CoreTelephony.framework.",
          "architecture": "arm64"
        },
        {
          "behaviors": "media",
          "description": "Potentially accesses media library e.g., songs, movies via MediaPlayer.framework.",
          "architecture": "arm64"
        },
        {
          "behaviors": "bluetooth",
          "description": "Potentially uses bluetooth via CoreBluetooth.framework.",
          "architecture": "arm64"
        },
        {
          "behaviors": "photos",
          "description": "Potentially accesses photo/video library e.g., via AssetsLibrary.framework, Photos.framework.",
          "architecture": "arm64"
        },
        {
          "behaviors": "camera",
          "description": "Potentially accesses device camera e.g., via AVFoundation.framework.",
          "architecture": "arm64"
        },
        {
          "behaviors": "accounts",
          "description": "Potentially uses the Accounts API to access accounts stored or configured on the device via Accounts.framework.",
          "architecture": "arm64"
        },
        {
          "behaviors": "location",
          "description": "Potentially obtains device location via CoreLocation.framework.",
          "architecture": "arm64"
        },
        {
          "behaviors": "accessory",
          "description": "Potentially accesses external accessories via ExternalAccessory.framework.",
          "architecture": "arm64"
        },
        {
          "behaviors": "in-app-purchases",
          "description": "Potentially supports in-app purchases via StoreKit.framework.",
          "architecture": "arm64"
        },
        {
          "behaviors": "sensors",
          "description": "Potentially uses device sensors, such as accelerometer, gyroscope, barometer, to obtain information about physical environment via CoreMotion.framework.",
          "architecture": "arm64"
        },
        {
          "behaviors": "audio",
          "description": "Potentially records audio e.g., via AudioToolbox.framework, AudioUnit.framework, AVFoundation.framework.",
          "architecture": "arm64"
        },
        {
          "behaviors": "ad",
          "description": "Potentially displays advertising via the iAd.framework.",
          "architecture": "arm64"
        },
        {
          "behaviors": "webkit",
          "description": "Potentially uses WebKit JavaScriptCore.framework, WebKit.framework.",
          "architecture": "armv7"
        },
        {
          "behaviors": "tracking",
          "description": "Potentially tracks user/device/install via AdSupport.framework.",
          "architecture": "armv7"
        },
        {
          "behaviors": "network",
          "description": "Potentially performs network requests via CFNetwork.framework.",
          "architecture": "armv7"
        },
        {
          "behaviors": "social-network",
          "description": "Potentially uses and/or posts to social networks via Social.framework or Twitter.framework.",
          "architecture": "armv7"
        },
        {
          "behaviors": "telephony",
          "description": "Potentially accesses telephony services via CoreTelephony.framework.",
          "architecture": "armv7"
        },
        {
          "behaviors": "media",
          "description": "Potentially accesses media library e.g., songs, movies via MediaPlayer.framework.",
          "architecture": "armv7"
        },
        {
          "behaviors": "bluetooth",
          "description": "Potentially uses bluetooth via CoreBluetooth.framework.",
          "architecture": "armv7"
        },
        {
          "behaviors": "photos",
          "description": "Potentially accesses photo/video library e.g., via AssetsLibrary.framework, Photos.framework.",
          "architecture": "armv7"
        },
        {
          "behaviors": "camera",
          "description": "Potentially accesses device camera e.g., via AVFoundation.framework.",
          "architecture": "armv7"
        },
        {
          "behaviors": "accounts",
          "description": "Potentially uses the Accounts API to access accounts stored or configured on the device via Accounts.framework.",
          "architecture": "armv7"
        },
        {
          "behaviors": "location",
          "description": "Potentially obtains device location via CoreLocation.framework.",
          "architecture": "armv7"
        },
        {
          "behaviors": "accessory",
          "description": "Potentially accesses external accessories via ExternalAccessory.framework.",
          "architecture": "armv7"
        },
        {
          "behaviors": "in-app-purchases",
          "description": "Potentially supports in-app purchases via StoreKit.framework.",
          "architecture": "armv7"
        },
        {
          "behaviors": "sensors",
          "description": "Potentially uses device sensors, such as accelerometer, gyroscope, barometer, to obtain information about physical environment via CoreMotion.framework.",
          "architecture": "armv7"
        },
        {
          "behaviors": "audio",
          "description": "Potentially records audio e.g., via AudioToolbox.framework, AudioUnit.framework, AVFoundation.framework.",
          "architecture": "armv7"
        },
        {
          "behaviors": "ad",
          "description": "Potentially displays advertising via the iAd.framework.",
          "architecture": "armv7"
        }
      ],
      "fields": {
        "behaviors": {
          "title": "Behaviors"
        },
        "description": {
          "title": "Description"
        },
        "architecture": {
          "title": "Architecture"
        }
      }
    }
  }

Background Modes

  • On iOS, applications are always in background, but most apps don’t have/require background processes to be run. However, if your app plays music, needs location, etc., background modes must be set. The following table highlights a list of the background modes that were detected in your application. It is recommended to review all enabled background modes and be sure to disable any that the app does not require.

Example:

{
    "kind": "static",
    "key": "background_modes",
    "title": "Background Modes",
    "category": "artifact",
    "summary": "On iOS, applications are always in background, but most apps don’t have/require background processes to be run. However, if your app plays music, needs location, etc., background modes must be set. The following table highlights a list of the background modes that were detected in your application. It is recommended to review all enabled background modes and be sure to disable any that the app does not require.",
    "regulatory": {},
    "affected": true,
    "context": {
      "rows": [
        {
          "background": "audio",
          "description": "The app plays audible content to the user or records audio while in the background. (This content includes streaming audio or video content using AirPlay.)\n        The user must grant permission for apps to use the microphone prior to the first use."
        },
        {
          "background": "external-accessory",
          "description": "The app works with a hardware accessory that needs to deliver updates on a regular schedule through the External Accessory framework."
        },
        {
          "background": "remote-notification",
          "description": "The app wants to start downloading content when a push notification arrives. Use this notification to minimize the delay in showing content related to the push notification."
        }
      ],
      "fields": {
        "background": {
          "title": "Background Mode"
        },
        "description": {
          "title": "Description"
        }
      }
    }
  }

App Transport Security

  • App Transport Security (ATS) is new in iOS 9, and it helps ensure secure connections between an app and the back end server(s). It is on by default when an app is linked against iOS 9.0 SDK or later. With ATS enabled, HTTP connections are forced to use HTTPS (TLS v1.2), and any attempts to connect using insecure HTTP will fail.

Example:

{
    "kind": "static",
    "key": "app_transport_security",
    "title": "App Transport Security",
    "category": "network",
    "summary": "\n    App Transport Security (ATS) is new in iOS 9, and it helps ensure secure connections between an app and the back end server(s). It is on by default when an app is linked against iOS 9.0 SDK or later. With ATS enabled, HTTP connections are forced to use HTTPS (TLS v1.2), and any attempts to connect using insecure HTTP will fail. There are a couple of options when implementing ATS:\n    * ATS can be enabled globally (by linking to iOS 9.0 or later SDK), and the developer can choose to decrease ATS restrictions on a specific server using an exception key.\n    * ATS can be disabled globally (by settings the NSAllowsArbitraryLoads key to YES). An exception could then allow the developer to increase ATS restrictions on a specific server.\n  ",
    "cvss": 5.1,
    "regulatory": {
      "cwe": [
        {
          "id": 319,
          "url": "https://cwe.mitre.org/data/definitions/319.html"
        }
      ],
      "owasp": [
        {
          "id": "Mobile Top 10: M3-Insufficient Transport Layer Protection",
          "url": "https://www.owasp.org/index.php/Mobile_Top_10_2014-M3"
        }
      ]
    },
    "affected": false,
    "severity": "pass",
    "description": "\n    Your application has enabled ATS globally, ensuring all connections are using \n    secure SSL/TLS. This does not include any domains where an exception has been set. \n    If any exceptions have ben implemented for a specific domain, these are provided \n    in the table below.\n  ",
    "context": {
      "title": "Domain Exceptions",
      "fields": {
        "domain": {
          "title": "Domain"
        },
        "exception": {
          "title": "Exception"
        }
      },
      "rows": [
        {
          "domain": "ford.com",
          "exception": "{\n    \"NSIncludesSubdomains\": true,\n    \"NSThirdPartyExceptionAllowsInsecureHTTPLoads\": \"YES\"\n}"
        },
        {
          "domain": "fbcdn.net",
          "exception": "{\n    \"NSIncludesSubdomains\": true,\n    \"NSThirdPartyExceptionRequiresForwardSecrecy\": false\n}"
        },
        {
          "domain": "localhost",
          "exception": "{\n    \"NSIncludesSubdomains\": true,\n    \"NSExceptionAllowsInsecureHTTPLoads\": true\n}"
        },
        {
          "domain": "api.gws.ph",
          "exception": "{\n    \"NSIncludesSubdomains\": true,\n    \"NSThirdPartyExceptionAllowsInsecureHTTPLoads\": true\n}"
        },
        {
          "domain": "cf.scdn.co",
          "exception": "{\n    \"NSExceptionAllowsInsecureHTTPLoads\": true\n}"
        },
        {
          "domain": "akamaihd.net",
          "exception": "{\n    \"NSIncludesSubdomains\": true,\n    \"NSThirdPartyExceptionRequiresForwardSecrecy\": false\n}"
        },
        {
          "domain": "facebook.com",
          "exception": "{\n    \"NSIncludesSubdomains\": true,\n    \"NSThirdPartyExceptionRequiresForwardSecrecy\": false\n}"
        },
        {
          "domain": "cdn.spotify.com",
          "exception": "{\n    \"NSIncludesSubdomains\": true,\n    \"NSExceptionAllowsInsecureHTTPLoads\": true\n}"
        },
        {
          "domain": "scorecardresearch.com",
          "exception": "{\n    \"NSIncludesSubdomains\": true,\n    \"NSThirdPartyExceptionAllowsInsecureHTTPLoads\": true\n}"
        },
        {
          "domain": "clbn.cloud.spotify.net",
          "exception": "{\n    \"NSIncludesSubdomains\": true,\n    \"NSThirdPartyExceptionAllowsInsecureHTTPLoads\": true\n}"
        },
        {
          "domain": "aws1-inviter-a1.shared.cloud.spotify.net",
          "exception": "{\n    \"NSIncludesSubdomains\": true,\n    \"NSThirdPartyExceptionAllowsInsecureHTTPLoads\": true\n}"
        },
        {
          "domain": "com.spotify.car-web-dev.s3.amazonaws.com",
          "exception": "{\n    \"NSIncludesSubdomains\": true,\n    \"NSExceptionAllowsInsecureHTTPLoads\": true\n}"
        },
        {
          "domain": "com.spotify.car-web-prod.s3.amazonaws.com",
          "exception": "{\n    \"NSIncludesSubdomains\": true,\n    \"NSExceptionAllowsInsecureHTTPLoads\": true\n}"
        },
        {
          "domain": "awseu3-webgate-a1.shared.cloud.spotify.net",
          "exception": "{\n    \"NSIncludesSubdomains\": true,\n    \"NSThirdPartyExceptionAllowsInsecureHTTPLoads\": true\n}"
        },
        {
          "domain": "com.spotify.car-web-staging.s3.amazonaws.com",
          "exception": "{\n    \"NSIncludesSubdomains\": true,\n    \"NSExceptionAllowsInsecureHTTPLoads\": true\n}"
        }
      ]
    }
  }
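
The App Transport Security result can report "affected": false with severity "pass" while its "context" table still lists per-domain exceptions, and each "exception" value is itself a JSON document stored as a string. The following is an added example, not code from the product this page documents, showing one way a consumer could decode those rows and flag exceptions that weaken transport security. The function names and the example.test domains are constructed for illustration, and NSExceptionRequiresForwardSecrecy is included as the non-third-party form of the forward secrecy key shown above.

```python
import json

# Exception keys that permit cleartext HTTP when set (all three appear on this page).
INSECURE_HTTP_KEYS = {
    "NSExceptionAllowsInsecureHTTPLoads",
    "NSThirdPartyExceptionAllowsInsecureHTTPLoads",
    "NSTemporaryExceptionAllowsInsecureHTTPLoads",
}
# Exception keys that drop the forward secrecy requirement when set to false.
FORWARD_SECRECY_KEYS = {
    "NSExceptionRequiresForwardSecrecy",
    "NSThirdPartyExceptionRequiresForwardSecrecy",
}

# Constructed sample in the shape of the ATS result above; domains are placeholders.
SAMPLE_RESULT = r'''
{
  "kind": "static",
  "key": "app_transport_security",
  "cvss": 5.1,
  "regulatory": {"cwe": [{"id": 319,
      "url": "https://cwe.mitre.org/data/definitions/319.html"}]},
  "affected": false,
  "severity": "pass",
  "context": {
    "title": "Domain Exceptions",
    "rows": [
      {"domain": "api.example.test",
       "exception": "{\n    \"NSIncludesSubdomains\": true,\n    \"NSThirdPartyExceptionAllowsInsecureHTTPLoads\": \"YES\"\n}"},
      {"domain": "cdn.example.test",
       "exception": "{\n    \"NSIncludesSubdomains\": true,\n    \"NSThirdPartyExceptionRequiresForwardSecrecy\": false\n}"},
      {"domain": "static.example.test",
       "exception": "{\n    \"NSExceptionAllowsInsecureHTTPLoads\": false\n}"},
      {"domain": "broken.example.test", "exception": "{not json"}
    ]
  }
}
'''


def _flag(value):
    """Normalize plist-style booleans; the page shows both true and "YES"."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        return value.strip().lower() in {"yes", "true", "1"}
    return None  # key absent or of an unexpected type


def exception_findings(result):
    """Return {domain: [reasons]} for ATS exceptions that weaken transport security."""
    findings = {}
    for row in result.get("context", {}).get("rows", []):
        domain = row.get("domain", "<unknown>")
        try:
            # "exception" is JSON encoded inside a JSON string, so decode it again.
            exc = json.loads(row.get("exception", ""))
            if not isinstance(exc, dict):
                raise ValueError("exception is not an object")
        except (TypeError, ValueError):
            findings[domain] = ["unparseable exception, review manually"]
            continue
        reasons = []
        for key in sorted(exc):
            if key in INSECURE_HTTP_KEYS and _flag(exc[key]) is True:
                reasons.append(f"cleartext HTTP allowed ({key})")
            if key in FORWARD_SECRECY_KEYS and _flag(exc[key]) is False:
                reasons.append(f"forward secrecy not required ({key})")
        if reasons:
            if _flag(exc.get("NSIncludesSubdomains")):
                reasons.append("applies to subdomains")
            findings[domain] = reasons
    return findings


def triage(raw_json):
    """Summarize one result object: verdict, CWE ids and weakened domains."""
    result = json.loads(raw_json)
    regulatory = result.get("regulatory") or {}
    return {
        "key": result.get("key"),
        "affected": result.get("affected"),
        "severity": result.get("severity"),
        "cwe": [entry["id"] for entry in regulatory.get("cwe", [])],
        "exceptions": exception_findings(result),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_RESULT), indent=2))
```

Gating a build only on "affected" would let the first two sample domains through, which is why the exception rows are reported separately from the verdict.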