Objective-C : Hardcoded password
Classification
Overview
Password is hardcoded. This may lead to an application data compromise.
Eliminating security risks related to hardcoded passwords is extremely difficult. These passwords are at least accessible to every developer of the application. Moreover, after the application is installed, removing password from its code is possible only via an update. Constant strings are easily extracted from the compiled application by decompilers. Therefore, an attacker does not necessarily need to have an access to the source code to know the parameters of the special account. If these parameters become known to an attacker, system administrators will be forced either to neglect the safety, or to restrict the access to the application.
In case of a mobile application, security threat is even higher, considering the risk of the device loss.
References
- Use of hard-coded password
- CWE-259: Use of Hard-coded Password
- OWASP Top 10 2013-A5-Security Misconfiguration
- OWASP Top 10 2013-A6-Sensitive Data Exposure
- How to securely hash passwords? - security.stackexchange.com
- OWASP Mobile Top 10 2016-M4-Insecure Authentication
- CWE-798: Use of Hard-coded Credentials