Swift Cloud Information Compromised
Description
Detects insecure storage of sensitive information in Apple's iCloud Key-Value Storage (NSUbiquitousKeyValueStore) in Swift applications using the Vapor framework. This vulnerability could lead to exposure of sensitive data if unencrypted or unsanitized data is synchronized to iCloud.
Detection Strategy
• Check if the Vapor framework is imported in the code
• Look for calls to NSUbiquitousKeyValueStore.default.set method
• Verify if sensitive or unsanitized data is being stored by examining the arguments passed to the set method
• Report a vulnerability if unsafe data is being synchronized to iCloud storage
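The four checks above, sketched as a small line-based scanner in Python. This is an added example, not the rule's actual implementation: the sensitive-name keyword list, the alias tracking, and the Swift sample are assumptions constructed for illustration.

```python
import re

# Assumption: name fragments treated as sensitive (a heuristic, not the rule's own list).
SENSITIVE = re.compile(r"passw(or)?d|passcode|secret|token|api_?key|credential", re.I)
IMPORT_VAPOR = re.compile(r"^\s*import\s+Vapor\b", re.M)
# Direct form: NSUbiquitousKeyValueStore.default.set(<value>, forKey: <key>)
DIRECT_SET = re.compile(r"NSUbiquitousKeyValueStore\s*\.\s*default\s*\.\s*set\s*\((.*)\)")
# Alias form: let store = NSUbiquitousKeyValueStore.default, later store.set(...)
ALIAS = re.compile(r"\b(?:let|var)\s+(\w+)\s*(?::[^=]+)?=\s*NSUbiquitousKeyValueStore\s*\.\s*default\b")

# Constructed Swift input for the demonstration.
SAMPLE = '''\
import Vapor
import Foundation

func sync(req: Request, password: String, theme: String) {
    let store = NSUbiquitousKeyValueStore.default
    store.set(password, forKey: "userPassword")
    store.set(theme, forKey: "theme")
    NSUbiquitousKeyValueStore.default.set(req.apiToken, forKey: "session")
    // store.set(secret, forKey: "old")
}
'''


def find_insecure_icloud_writes(source):
    """Return (line_number, argument_text) for each suspicious set call."""
    if not IMPORT_VAPOR.search(source):           # check 1: Vapor is imported
        return []
    aliases = set(ALIAS.findall(source))
    findings = []
    for number, raw in enumerate(source.splitlines(), start=1):
        line = raw.split("//", 1)[0]              # naive: ignores // inside strings
        match = DIRECT_SET.search(line)           # check 2: direct set call
        if not match:
            for name in aliases:                  # check 2: set call through an alias
                match = re.search(rf"\b{re.escape(name)}\s*\.\s*set\s*\((.*)\)", line)
                if match:
                    break
        if match and SENSITIVE.search(match.group(1)):         # check 3: arguments
            findings.append((number, match.group(1).strip()))  # check 4: report
    return findings


if __name__ == "__main__":
    for number, args in find_insecure_icloud_writes(SAMPLE):
        print(f"line {number}: sensitive value synchronized to iCloud: set({args})")
```

A name-based heuristic like this misses values whose identifiers look harmless, so a production rule would need data-flow analysis rather than pattern matching.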
Vulnerable code example
import Foundation
func storeCredentials(username: String, password: String) {
    let defaults = UserDefaults.standard
    // Vulnerable: Storing sensitive password in plaintext
    defaults.set(password, forKey: "userPassword")
    defaults.set(username, forKey: "userName")
}
Secure code example
import Foundation
import CryptoKit
func storeCredentials(username: String, password: String) {
    let defaults = UserDefaults.standard
    // Generate encryption key if not exists
    let key: SymmetricKey = {...