Swift Hardcoded Jwt Secret
Description
Detects hardcoded secrets used to sign JWT tokens in Swift applications with HMAC algorithms (HS256/HS384/HS512). Embedding the JWT signing secret in source code is a security risk: anyone who obtains the secret (from the repository, a binary, or a leaked build artifact) can forge tokens that the application will accept as valid.
Detection Strategy
• Identifies calls to JWT signing methods: JWTSigner.hs256, JWTSigner.hs384, or JWTSigner.hs512
• Examines the first argument passed to these signing methods
• Reports a vulnerability if the signing secret is a hardcoded value rather than being loaded from a secure configuration
• Example of vulnerable code: let signer = JWTSigner.hs256(key: "hardcoded-secret")
Vulnerable code example

```swift
import SwiftJWT

func generateToken() -> String {
    // Vulnerable: hardcoded JWT secret key embedded in source code
    let signer = JWTSigner.hs256(key: Data("secret123".utf8))
    // SwiftJWT requires a Claims type; the standard registered claims are used here
    var jwt = JWT(claims: ClaimsStandardJWT(sub: "user"))
    // sign(using:) already returns the compact, base64url-encoded JWT string
    return try! jwt.sign(using: signer)
}
```

✅ Secure code example
```swift
import SwiftJWT

func generateToken(secretKey: String) throws -> String {
    guard !secretKey.isEmpty else {
        throw JWTError.invalidKey // Validate that the secret key is not empty
    }
    // Secret key passed as a parameter (loaded by the caller from secure configuration)
    // instead of being hardcoded
    let signer = JWTSigner.hs256(key: Data(secretKey.utf8))
    var jwt = JWT(claims: ClaimsStandardJWT(sub: "user"))
    return try jwt.sign(using: signer)
}
```
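The following is an added example, not code from the original page or from the SwiftJWT project: it shows the caller side of the secure pattern above, loading the HMAC secret from an environment variable (the name `JWT_SECRET`, the `SecretError` type and the `loadJWTSecret`/`issueToken`/`verifyToken` functions are assumptions for this example), rejecting empty or short secrets, and then signing and verifying a token with the same key.

```swift
import Foundation
import SwiftJWT

/// Errors raised while loading the signing secret (hypothetical type for this example).
enum SecretError: Error {
    case missing          // JWT_SECRET is not set or empty
    case tooShort(Int)    // secret is shorter than the required minimum
    case invalidClaims    // signature valid but registered claims (e.g. exp) failed
}

/// Loads the HMAC secret from the JWT_SECRET environment variable (assumed name)
/// instead of a string literal, and enforces a minimum length so that a
/// trivially guessable key such as "secret123" is rejected at startup.
func loadJWTSecret(minBytes: Int = 32) throws -> Data {
    guard let raw = ProcessInfo.processInfo.environment["JWT_SECRET"], !raw.isEmpty else {
        throw SecretError.missing
    }
    let key = Data(raw.utf8)
    guard key.count >= minBytes else { throw SecretError.tooShort(key.count) }
    return key
}

/// Issues an HS256 token for `subject` that expires in one hour.
func issueToken(for subject: String, key: Data) throws -> String {
    let claims = ClaimsStandardJWT(iss: "example-service",
                                   sub: subject,
                                   exp: Date(timeIntervalSinceNow: 3600))
    var jwt = JWT(claims: claims)
    return try jwt.sign(using: JWTSigner.hs256(key: key))
}

/// Verifies the HMAC signature with the same key and validates the registered claims.
func verifyToken(_ token: String, key: Data) throws -> ClaimsStandardJWT {
    let jwt = try JWT<ClaimsStandardJWT>(jwtString: token,
                                         verifier: JWTVerifier.hs256(key: key))
    guard jwt.validateClaims() == .success else { throw SecretError.invalidClaims }
    return jwt.claims
}

// Example flow: the secret never appears in source, only in the process environment.
let key = try loadJWTSecret()
let token = try issueToken(for: "user-42", key: key)
let claims = try verifyToken(token, key: key)
print("verified subject:", claims.sub ?? "<none>")
```

Run it with `JWT_SECRET` set to a value of at least 32 bytes; an unset, empty or short value fails fast before any token is issued, which is the check the rule above expects to find instead of a literal.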