logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

Technical information leak - Console functions - Swift

Need

Secure logging and information handling

Context

  1. Usage of Swift for iOS and macOS app development
  2. Usage of UIKit for building modern and responsive user interfaces

Description

Insecure Code Example

import UIKit

class ViewController: UIViewController {

    override func viewDidLoad() {
        super.viewDidLoad()
        
        // Vulnerable code
        print("User credentials: username - user123, password - pass123")
        print("API Key: 1234567890")
        NSLog("Database connection established")
    }

    override func didReceiveMemoryWarning() {
        super.didReceiveMemoryWarning()
    }
}

In the above Swift code snippet for an iOS application, we have a `ViewController` class with `viewDidLoad` and `didReceiveMemoryWarning` methods. The vulnerability lies in the `viewDidLoad` method where console functions such as `print` and `NSLog` are used. These functions are printing sensitive information like user credentials and API keys to the console. In a production environment, this could lead to a serious information leakage vulnerability. Attackers with access to the console logs can obtain this sensitive information, potentially leading to unauthorized access or other malicious activities. It's important to note that this is a serious security issue and such information should never be logged or printed to the console in a production environment.

Steps

  1. Remove or comment out the console functions (print, NSLog) that are printing sensitive information.
  2. Ensure that the application does not log any sensitive information in production environments.
  3. Implement a proper logging mechanism that only logs necessary information and does not leak sensitive data.
  4. Consider using a logging framework or library that provides more control over logging and allows for secure handling of sensitive information.

Secure Code Example

import UIKit

class ViewController: UIViewController {

    override func viewDidLoad() {
        super.viewDidLoad()
        
        // Fixed code
        // print("User credentials: username - user123, password - pass123")
        // print("API Key: 1234567890")
        // NSLog("Database connection established")
    }

    override func didReceiveMemoryWarning() {
        super.didReceiveMemoryWarning()
    }
}

The above code is a fixed version of the previously vulnerable code. The `print` and `NSLog` functions that were previously logging sensitive information such as user credentials and API keys have been commented out. In a production environment, it's crucial to avoid logging sensitive information to the console as it can lead to information leakages and reveal vulnerable methods, technologies, or logic. To further enhance the security of your application, consider implementing a proper logging mechanism that only logs necessary information and does not leak sensitive data. This could be achieved by using a logging framework or library that provides more control over what gets logged and allows for secure handling of sensitive information. Remember, the goal is to keep sensitive information secure and out of the hands of malicious actors. Therefore, always be mindful of what you log and where you log it.

References

  • 066 - Technical information leak - Console functions

    • Last updated

    2023/09/18