Swift Hardcoded Jwt Token Used
Description
Detects hardcoded JWT tokens and credentials exposed directly in Swift source code. Exposing sensitive authentication tokens in code is a security risk as it could allow attackers to obtain authentication credentials and gain unauthorized access.
Detection Strategy
• Scans Swift source code files for string literals and variable declarations
• Checks if string values match common credential patterns like JWT tokens, API keys, or authentication tokens
• Reports a vulnerability when credentials or tokens are found hardcoded in the code rather than stored securely
• Specifically looks for JWT token format patterns in string constants
• Excludes non-sensitive string constants and mock/test data patterns to reduce false positives
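The detection strategy above, as an added worked example written for this page in Python; it is not Fluid Attacks' own rule implementation, whose internals the page does not show. It scans constructed Swift source lines for three-segment base64url literals, confirms that the first segment decodes to a JSON header carrying an `alg` field (so a string that merely starts with `eyJ` is not reported), attaches the variable name from the enclosing `let`/`var` declaration, and suppresses fixtures whose name, trailing comment or file path marks them as test data. The regular expressions, the test-data keyword list, the path heuristic and the sample file are assumptions of this example; the token on line 4 of the sample is the one from the page's vulnerable example, and decoding its payload shows what a committed token actually leaks.

```python
import base64
import json
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# A JWT is three base64url segments separated by dots. The header segment always
# starts with "eyJ" because that is the base64url encoding of '{"'. The signature
# segment may be empty for unsigned tokens ("alg": "none").
JWT_RE = re.compile(r'"(eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*)"')
# Swift declaration preceding the literal, e.g. `let token: String =` (assumption).
DECL_RE = re.compile(r'\b(?:let|var)\s+(\w+)\s*(?::\s*[\w.<>?\[\]]+)?\s*=')
# Keywords treated as mock/test data; the list is an assumption of this example.
TEST_NAME_RE = re.compile(r'mock|test|fixture|sample|dummy|fake', re.IGNORECASE)


def b64url_json(segment: str) -> Optional[dict]:
    """Decode one base64url segment into a JSON object; None if it is not one."""
    try:
        padded = segment + "=" * (-len(segment) % 4)
        obj = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # binascii.Error and JSONDecodeError are both ValueErrors
        return None
    return obj if isinstance(obj, dict) else None


def split_comment(line: str) -> Tuple[str, str]:
    """Split a Swift line into (code, comment); '//' inside a string literal is not a comment."""
    in_str = False
    i = 0
    while i < len(line):
        ch = line[i]
        if in_str and ch == "\\":
            i += 2          # skip the escaped character
            continue
        if ch == '"':
            in_str = not in_str
        elif not in_str and line.startswith("//", i):
            return line[:i], line[i + 2:]
        i += 1
    return line, ""


@dataclass
class Finding:
    path: str
    line: int
    name: Optional[str]
    alg: str
    claims: Dict[str, object] = field(default_factory=dict)


def is_test_context(path: str, name: Optional[str], comment: str) -> bool:
    """False-positive filter from the strategy: skip fixtures and test targets."""
    if "/Tests/" in path or path.endswith("Tests.swift"):
        return True
    if name and TEST_NAME_RE.search(name):
        return True
    return bool(TEST_NAME_RE.search(comment))


def scan_swift(path: str, source: str) -> List[Finding]:
    """Report every hardcoded JWT literal in `source` that is not test data."""
    findings: List[Finding] = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        code, comment = split_comment(text)
        for m in JWT_RE.finditer(code):
            header_seg, payload_seg, _signature = m.group(1).split(".")
            header = b64url_json(header_seg)
            if header is None or "alg" not in header:
                continue        # shaped like a JWT, but the header is not a JOSE header
            decl = DECL_RE.search(code[: m.start()])
            name = decl.group(1) if decl else None
            if is_test_context(path, name, comment):
                continue
            findings.append(Finding(path, lineno, name, str(header["alg"]),
                                    b64url_json(payload_seg) or {}))
    return findings


def _seg(raw: bytes) -> str:
    """base64url without padding, the way JWT segments are encoded."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample file. Line 4 reuses the token from the page's vulnerable
# example; the other literals are built here to exercise the filters.
MOCK_JWT = _seg(b'{"alg":"none"}') + "." + _seg(b'{"sub":"test"}') + "."
NOT_A_JWT = _seg(b'{"truncated') + ".abc.def"
SAMPLE_SWIFT = "\n".join([
    "import JWTDecode",
    "",
    "// credential committed by mistake",
    'let token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImpvaG4uZG9lIiwicm9sZSI6ImFkbWluIn0.z5NFl4GmBG8Xvs6PJKa39G0Z-jEr0oOp4ebH6zTwAkM"',
    'let apiBase = "https://api.example.com/v1"   // the // inside the literal is not a comment',
    f'let mockToken = "{MOCK_JWT}"   // fixture for unit tests',
    f'let opaque = "{NOT_A_JWT}"   // eyJ prefix, but the header is not JSON',
    "let jwt = try decode(jwt: token)",
])

if __name__ == "__main__":
    for f in scan_swift("Sources/App/Auth.swift", SAMPLE_SWIFT):
        print(f"{f.path}:{f.line}: hardcoded JWT in `{f.name}` (alg={f.alg}) claims={f.claims}")
```

Run against the sample, the scanner reports only line 4: the mock fixture is suppressed by its name, the `eyJ`-prefixed literal whose header is not JSON is dropped by the decode check, and the URL literal shows why comment stripping has to respect string boundaries. The same file scanned under a `Tests` path produces no findings at all, which is the path-based exclusion the strategy describes.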
Vulnerable code example
import JWTDecode
// Security risk: Hardcoded JWT token containing sensitive credentials
let token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImpvaG4uZG9lIiwicm9sZSI6ImFkbWluIn0.z5NFl4GmBG8Xvs6PJKa39G0Z-jEr0oOp4ebH6zTwAkM"
let jwt = try decode(jwt: token)
print(jwt.claims)
Secure code example
import Foundation
import CryptoKit
import JWTDecode
do {
    // Get token from environment instead of hardcoding
    guard let token = ProcessInfo.processInfo.environment["JWT_TOKEN"] else {
        throw NSError(domain: "jwt", code: 1, userInfo: ["message": "Missing JWT token"])
    }
    let jwt = try decode(jwt: token)
    print(jwt.claims)
} catch {
    // Missing or malformed token: report it rather than falling back to a literal
    print("JWT error: \(error)")
}