Swift Hardcoded Password in URLCredential
Description
Detects hardcoded passwords passed to Swift URLCredential initializers. A password embedded in source code is exposed to anyone who can read the repository or its history, and it survives into the compiled app, where it can be recovered from the binary with tools such as strings. A leaked credential gives unauthorized access to every resource it protects, and rotating it requires shipping a new build.
Detection Strategy
• Check that the Swift file imports Foundation, the framework that provides URLCredential
• Look for calls to the URLCredential initializer, written as URLCredential(...) or Foundation.URLCredential(...)
• Examine the second argument of the initializer, the password: parameter
• Report a vulnerability when that argument is a string literal rather than a value loaded at runtime
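The strategy above as a small Swift script, added here as an example (it is not Fluid Attacks' own scanner): it applies the four checks to a few constructed source files, including a multi-line initializer call shaped like the vulnerable example, and reports the file and line of each literal password. The file names and contents are constructed for this example.

```swift
import Foundation

// Constructed sample inputs: file name -> source text. Only the ones that both
// import Foundation and pass a string literal as `password:` should be reported.
let sampleFiles: [String: String] = [
    "Vulnerable.swift": """
    import Foundation
    let c = URLCredential(user: "admin", password: "MySecret123", persistence: .forSession)
    """,
    "Multiline.swift": """
    import Foundation
    func createCredentials() {
        let credential = URLCredential(
            user: "admin",
            password: "MySecret123",
            persistence: .forSession
        )
    }
    """,
    "Qualified.swift": """
    import Foundation
    let c = Foundation.URLCredential(user: "svc", password: "hunter2", persistence: .none)
    """,
    "Safe.swift": """
    import Foundation
    let c = URLCredential(user: user, password: password, persistence: .forSession)
    """,
    "NoFoundation.swift": """
    let c = URLCredential(user: "admin", password: "MySecret123", persistence: .forSession)
    """,
]

struct Finding {
    let file: String
    let line: Int
    let snippet: String
}

// Step 1: the file must import Foundation (anchors match at every line start).
let importPattern = try! NSRegularExpression(
    pattern: #"^\s*import\s+Foundation\b"#, options: [.anchorsMatchLines])

// Steps 2 and 3: `URLCredential(` or `Foundation.URLCredential(`, then the first
// argument `user:`, then the second argument `password:`. `\s` and `[^,]` both
// match newlines, so calls split across lines are covered.
// Step 4: the password argument is a double-quoted string literal.
let callPattern = try! NSRegularExpression(
    pattern: #"(?:Foundation\.)?URLCredential\s*\(\s*user\s*:[^,]*,\s*password\s*:\s*"[^"]*""#)

func findHardcodedCredentialPasswords(in source: String, file: String) -> [Finding] {
    let whole = NSRange(source.startIndex..., in: source)
    guard importPattern.firstMatch(in: source, range: whole) != nil else { return [] }
    return callPattern.matches(in: source, range: whole).compactMap { match in
        guard let r = Range(match.range, in: source) else { return nil }
        // Line number = newlines before the match start, plus one.
        let lineNumber = source[..<r.lowerBound].filter { $0 == "\n" }.count + 1
        // Collapse a multi-line call into one line for the report.
        let snippet = source[r].split(separator: "\n")
            .map { $0.trimmingCharacters(in: .whitespaces) }
            .joined(separator: " ")
        return Finding(file: file, line: lineNumber, snippet: snippet)
    }
}

for (file, source) in sampleFiles.sorted(by: { $0.key < $1.key }) {
    for finding in findHardcodedCredentialPasswords(in: source, file: file) {
        print("\(finding.file):\(finding.line): hardcoded password in \(finding.snippet)")
    }
}
```

Run it with swift on a machine with Foundation available; it reports Multiline.swift, Qualified.swift and Vulnerable.swift and stays silent on Safe.swift and NoFoundation.swift. Two caveats for a real scanner: files that import UIKit or SwiftUI get Foundation transitively without naming it, so the import check should accept those too, and a literal hidden behind a constant (let pw = "..."; URLCredential(user:, password: pw, ...)) needs dataflow tracking, which a regex does not provide.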
Vulnerable code example
import Foundation

func createCredentials() {
    // Vulnerable: Hardcoded password directly in URLCredential constructor
    let credential = URLCredential(
        user: "admin",
        password: "MySecret123", // Security risk: Hardcoded credential in source code
        persistence: .forSession
    )
    _ = credential
}
✅ Secure code example
import Foundation
import Security

func createCredentials() {
    // Safe: Load credentials from Keychain instead of hardcoding them.
    // getCredentialFromKeychain(account:) is a helper that wraps SecItemCopyMatching
    // and returns nil when no item is stored for the account.
    if let username = getCredentialFromKeychain(account: "api_username"),
       let password = getCredentialFromKeychain(account: "api_password") {
        let credential = URLCredential(user: username, password: password, persistence: .forSession)
        _ = credential
    }
}
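A Keychain-backed implementation of the getCredentialFromKeychain(account:) helper that the secure example relies on, with the matching store routine, added here as an example rather than code from the page. The service name, the account keys and the environment variables used to provision the secret are assumptions of this example.

```swift
import Foundation
import Security

// Assumed service identifier that groups this app's generic-password items.
let keychainService = "com.example.api"

enum KeychainError: Error {
    case unexpectedStatus(OSStatus)
}

// Store or replace the secret for an account as a generic-password item.
// The value comes from outside the source (login UI, MDM profile, environment),
// never from a string literal in the code.
func storeCredentialInKeychain(account: String, value: String) throws {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: keychainService,
        kSecAttrAccount as String: account,
    ]
    // Remove any existing item so SecItemAdd does not fail with errSecDuplicateItem.
    _ = SecItemDelete(query as CFDictionary)
    var attributes = query
    attributes[kSecValueData as String] = Data(value.utf8)
    let status = SecItemAdd(attributes as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.unexpectedStatus(status) }
}

// Read the secret back; nil when no item exists or the data is not UTF-8.
func getCredentialFromKeychain(account: String) -> String? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: keychainService,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let data = item as? Data else { return nil }
    return String(data: data, encoding: .utf8)
}

// Build the URLCredential at runtime from Keychain-held values; nil if either is missing.
func makeCredential() -> URLCredential? {
    guard let user = getCredentialFromKeychain(account: "api_username"),
          let password = getCredentialFromKeychain(account: "api_password") else {
        return nil
    }
    return URLCredential(user: user, password: password, persistence: .forSession)
}

// Provisioning step for the demo: secrets arrive via environment variables
// (assumed names), standing in for a login screen or device-management profile.
if let user = ProcessInfo.processInfo.environment["API_USERNAME"],
   let password = ProcessInfo.processInfo.environment["API_PASSWORD"] {
    do {
        try storeCredentialInKeychain(account: "api_username", value: user)
        try storeCredentialInKeychain(account: "api_password", value: password)
    } catch {
        print("keychain error: \(error)")
    }
}
print(makeCredential() != nil ? "credential built from Keychain" : "no credential stored in Keychain")
```

The split between store and read is the point: the secret enters the Keychain once through a trusted channel and is read back on each run, so the compiled binary never contains it and rotation does not require a new release. On iOS, restrict the item further with kSecAttrAccessible (for example kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly) so it is not backed up or migrated to another device.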