Swift Insecure Http Request
Description
Detects insecure HTTP network requests in Swift applications that don't use HTTPS encryption. This exposes sensitive data to potential man-in-the-middle attacks since HTTP traffic can be intercepted and read. The vulnerability occurs when using Alamofire or Foundation frameworks to make unencrypted network calls.
Detection Strategy
• Check if Alamofire or Foundation frameworks are imported in the Swift source code
• Identify network request declarations using vulnerable configurations (e.g., using 'http://' URLs or allowing insecure connections)
• Look for variable declarations and expressions that configure network requests without proper TLS/SSL security
• Flag any detected network requests that don't enforce HTTPS-only communications
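The four detection steps above can be sketched as a small line-based scanner. This is an added example, not Fluid Attacks' rule implementation: `scan_swift`, `strip_line_comment` and the sample source are hypothetical, and treating Alamofire's `DisabledTrustEvaluator` as "allowing insecure connections" is an assumption. Block comments and multi-line string literals are not handled.

```python
import re

# Step 1: the check only applies when one of the frameworks the page names is imported.
FRAMEWORK_IMPORT = re.compile(r"^\s*import\s+(Alamofire|Foundation)\b", re.M)
# Step 2: a Swift string literal whose content starts with the cleartext scheme.
HTTP_LITERAL = re.compile(r'"(http://[^"\s]*)"', re.I)
# Step 3 (assumption, not from the page): Alamofire 5's DisabledTrustEvaluator.
TRUST_DISABLED = re.compile(r"\bDisabledTrustEvaluator\b")

def strip_line_comment(line):
    """Drop a trailing // comment unless the // sits inside a string literal."""
    in_string = False
    i = 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and in_string:
            i += 2  # skip the escaped character, e.g. \" inside a literal
            continue
        if ch == '"':
            in_string = not in_string
        elif not in_string and line.startswith("//", i):
            return line[:i]
        i += 1
    return line

def scan_swift(source):
    """Return (line_number, reason, evidence) findings for one Swift file."""
    if not FRAMEWORK_IMPORT.search(source):
        return []  # neither framework imported, nothing to check
    findings = []
    for number, raw in enumerate(source.splitlines(), start=1):
        code = strip_line_comment(raw)
        for match in HTTP_LITERAL.finditer(code):
            findings.append((number, "cleartext-http-url", match.group(1)))
        if TRUST_DISABLED.search(code):
            findings.append((number, "tls-trust-disabled", code.strip()))
    return findings  # step 4: everything here gets flagged

# Constructed sample input, modelled on the page's two examples.
SAMPLE = '''import Foundation
import Alamofire
// docs: http://example.com/readme
let a = URL(string: "http://api.example.com/data")!
let b = URL(string: "https://api.example.com/data")!
let t = ServerTrustManager(evaluators: ["api.example.com": DisabledTrustEvaluator()])
'''

if __name__ == "__main__":
    print(scan_swift(SAMPLE))
```

The comment on line 3 of the sample and the `https://` literal on line 5 are not reported; only the `http://` literal and the disabled trust evaluator are.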
Vulnerable code example
import Foundation
import Alamofire

class NetworkManager {
    func makeInsecureRequests() {
        // VULNERABLE: Using HTTP instead of HTTPS exposes data to network attacks
        let insecureURL = URL(string: "http://api.example.com/data")!
        // ...
    }
}
✅ Secure code example
import Foundation
import Alamofire

class NetworkManager {
    func makeSecureRequests() {
        // SAFE: Using HTTPS ensures data is encrypted in transit
        let secureURL = URL(string: "https://api.example.com/data")!
        // ...
    }
}