Addressing Security Scan Findings In Mobile Foundation Apps
Manjunath Kallannavar, Srihari Kulkarni July 09, 2019
MobileFirst_Platform MobileFirst_Foundation Android iOS Security Scan Vulnerability
Most organizations mandate mobile apps to undergo code scanning and pen tests before they can be uploaded to public app stores. This post is aimed to be a primer for app developers in resolving some of the commonly reported findings of such scan results.
Given below is a non-comprehensive list of some such findings reported against Mobile Foundation SDKs.
| CWE ID | Vulnerability Description | File Name | Remediation Action | |
| 117 |
Improper Output Neutralization for Logs |
JSONStoreCollection.java | Install iFix 8.0.0.0-MFPF-IF201808131120 or later. Fixed through APAR PI99443. | |
| 259 | Use of Hard-coded Password | JSONStoreInitOptions.java | Initialise JSONStore collection with password. | |
| JSONStoreLogger.java | This is a false positive. The hard coded string is not a password. | |||
| AESStringEncryption.java | Install iFix 8.0.0.0-MFPF-IF201807180449-CDUpdate-02 or later. Fixed through APAR PI99445. | |||
| SecurityPlugin.java | This is false positive. The hard coded string is not a password. | |||
| ProvisionActionDispatcher.java | Initialise JSONStore collection with password. | |||
| 297 | Improper Validation of Certificate with Host Mismatch | TLSEnabledSSLSocketFactory.java | Make use of Mobile Foundation certificate pinning feature. | |
| 326 | Inadequate Encryption Strength | WLCertManager.java | This is a false positive. The key in question is used to sign a JWT token and uses a key size of 512 bytes per industry standards. | |
| 331 | Insufficient Entropy | crypt.h | Install iFix 8.0.0.0-MFPF-IF201901311547 or later. | |
| WLRequest.java | This is a false positive. The random number used in the code is not for any cryptographic operations. | |||
| 321 | Use of Hard-coded Cryptographic Key | SecurityUtils.java | This is a false positive. The key used in the code is for internal purpose and not used in any of security codes. | |
| 327 | Use of a Broken or Risky Cryptographic Algorithm | SecurityUtils.java | Install iFix 8.0.0.0-MFPF-IF201811050432-CDUpdate-03 or later. Fixed through APAR PH03280. | |
| AESStringEncryption.java | Install iFix 8.0.0.0-MFPF-IF201811050432-CDUpdate-03 or later. Fixed through APAR PH03280. | |||
| HttpClientManager.java | This is a false positive. The message digest generated using SHA1 algorithm is not transmitted over the wire. | |||
Inclusive terminology note: The Mobile First Platform team is making changes to support the IBM® initiative to replace racially biased and other discriminatory language in our code and content with more inclusive language. While IBM values the use of inclusive language, terms that are outside of IBM's direct influence are sometimes required for the sake of maintaining user understanding. As other industry leaders join IBM in embracing the use of inclusive language, IBM will continue to update the documentation to reflect those changes.
Last modified on July 09, 2019