Addressing Security Scan Findings In Mobile Foundation Apps

Most organizations require mobile apps to undergo code scanning and penetration testing before they can be published to public app stores. This post is intended as a primer for app developers on resolving some of the commonly reported findings from such scans.

Below is a non-comprehensive list of such findings reported against the Mobile Foundation SDKs, with the recommended remediation for each.

| CWE ID | Vulnerability Description | File Name | Remediation Action |
|---|---|---|---|
| 117 | Improper Output Neutralization for Logs | JSONStoreCollection.java | Install iFix 8.0.0.0-MFPF-IF201808131120 or later. Fixed through APAR PI99443. |
| 259 | Use of Hard-coded Password | JSONStoreInitOptions.java | Initialise the JSONStore collection with a password. |
| 259 | Use of Hard-coded Password | JSONStoreLogger.java | This is a false positive. The hard-coded string is not a password. |
| 259 | Use of Hard-coded Password | AESStringEncryption.java | Install iFix 8.0.0.0-MFPF-IF201807180449-CDUpdate-02 or later. Fixed through APAR PI99445. |
| 259 | Use of Hard-coded Password | SecurityPlugin.java | This is a false positive. The hard-coded string is not a password. |
| 259 | Use of Hard-coded Password | ProvisionActionDispatcher.java | Initialise the JSONStore collection with a password. |
| 297 | Improper Validation of Certificate with Host Mismatch | TLSEnabledSSLSocketFactory.java | Make use of the Mobile Foundation certificate pinning feature. |
| 326 | Inadequate Encryption Strength | WLCertManager.java | This is a false positive. The key in question is used to sign a JWT token and uses a key size of 512 bytes, in line with industry standards. |
| 331 | Insufficient Entropy | crypt.h | Install iFix 8.0.0.0-MFPF-IF201901311547 or later. |
| 331 | Insufficient Entropy | WLRequest.java | This is a false positive. The random number used in the code is not used for any cryptographic operation. |
| 321 | Use of Hard-coded Cryptographic Key | SecurityUtils.java | This is a false positive. The key used in the code is for internal purposes and is not used in any security-related code. |
| 327 | Use of a Broken or Risky Cryptographic Algorithm | SecurityUtils.java | Install iFix 8.0.0.0-MFPF-IF201811050432-CDUpdate-03 or later. Fixed through APAR PH03280. |
| 327 | Use of a Broken or Risky Cryptographic Algorithm | AESStringEncryption.java | Install iFix 8.0.0.0-MFPF-IF201811050432-CDUpdate-03 or later. Fixed through APAR PH03280. |
| 327 | Use of a Broken or Risky Cryptographic Algorithm | HttpClientManager.java | This is a false positive. The message digest generated using the SHA1 algorithm is not transmitted over the wire. |
Last modified on July 09, 2019