
MASTG-DEMO-0084: Hardcoded HTTP URLs in iOS Binary


Sample

The code snippet below shows sample code that uses hardcoded HTTP URLs:

../MASTG-DEMO-0083/MastgTest.swift
import Foundation

struct MastgTest {
    // SUMMARY: This sample demonstrates the use of hardcoded HTTP URLs in iOS apps.

    static let httpEndpoint = "http://httpbin.org/get"  // FAIL: [MASTG-TEST-0321] Hardcoded HTTP URL
    static let httpApiUrl = "http://example.com/api"    // FAIL: [MASTG-TEST-0321] Hardcoded HTTP URL
    static let httpsEndpoint = "https://httpbin.org/get" // PASS: [MASTG-TEST-0321] HTTPS URL

    static func mastgTest(completion: @escaping (String) -> Void) {
        var result = "Testing HTTP URL connections:\n\n"

        // Attempt to connect to HTTP endpoint
        if let url = URL(string: httpEndpoint) {
            let task = URLSession.shared.dataTask(with: url) { data, response, error in
                if let error = error {
                    result += "HTTP request to \(httpEndpoint) failed: \(error.localizedDescription)\n"
                } else if let httpResponse = response as? HTTPURLResponse {
                    result += "HTTP request to \(httpEndpoint) returned status: \(httpResponse.statusCode)\n"
                }
                completion(result)
            }
            task.resume()
        } else {
            result += "Invalid URL: \(httpEndpoint)\n"
            completion(result)
        }
    }
}

Steps

  1. Unzip the app package and locate the main binary file (see Exploring the App Package), which in this case is ./Payload/MASTestApp.app/MASTestApp.
  2. Run radare2 (iOS) with the following script to search for HTTP URLs in the binary, list the cross-references to the one that was found, and disassemble the code that uses it.
http_urls.r2
e asm.bytes=false
e scr.color=false
e asm.var=false

?e Uses of http:// URLs:

iz~http://

?e

?e xrefs to http://httpbin.org/get:
axt @ 0x100006c60

?e

?e Use of http://httpbin.org/get:

pd 15 @ 0x100005130

?e ...

pd-- 5 @ 0x100005238
run.sh
#! /bin/bash
r2 -q -i http_urls.r2 -A MASTestApp > output.txt
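The first part of the radare2 script above (`iz~http://`) is a string extraction followed by a substring filter. The following Python script, added here as an illustration and not part of the MASTG demo or of radare2, reproduces that step offline so the logic can be checked without a disassembler: it extracts printable ASCII runs from a binary the same way `strings`/`iz` do, locates every URL inside them, and separates cleartext `http://` URLs from `https://` ones. The byte blob it scans is constructed for the example and is not a real Mach-O file; the `scan_urls`/`cleartext_urls` names are the script's own. Unlike the r2 script, it also reports the URL's own offset inside a longer string (e.g. inside a log message), which is useful when deciding which occurrences are the endpoint itself and which are only messages mentioning it.

```python
import re
import sys
from typing import Dict, List

# Printable ASCII runs of at least 4 bytes: the same heuristic that
# `strings` and radare2's `iz` use to find C strings in a binary.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")

# A URL scheme followed by host/path. Assumption: the URL ends at whitespace,
# a quote, an angle bracket or a backslash (covers escaped "\n" in log text).
URL_IN_STRING = re.compile(rb"(https?)://[^\s\"'<>\\]+")

# Constructed sample: a few NUL-terminated strings like those in a __cstring
# section, surrounded by non-printable bytes. Not a real binary.
SAMPLE_BINARY = (
    b"\x00\x00\xcf\xfa\xed\xfe"
    b"HTTP request to http://httpbin.org/get returned status: \x00"
    b"http://httpbin.org/get\x00"
    b"https://httpbin.org/get\x00"
    b"http://example.com/api\x00"
    b"Invalid URL: http://httpbin.org/get\n\x00"
    b"\x01\x02\x03"
)


def scan_urls(blob: bytes) -> List[Dict]:
    """Return one finding per URL occurrence, in file order.

    Each finding records the file offset of the URL itself (not just of the
    enclosing string), its scheme, and whether it is cleartext HTTP.
    """
    findings = []
    for run in PRINTABLE_RUN.finditer(blob):
        text = run.group()
        for m in URL_IN_STRING.finditer(text):
            scheme = m.group(1).decode("ascii")
            findings.append(
                {
                    "offset": run.start() + m.start(),
                    "scheme": scheme,
                    "url": m.group().decode("ascii"),
                    "containing_string": text.decode("ascii"),
                    "cleartext": scheme == "http",
                }
            )
    return findings


def cleartext_urls(blob: bytes) -> List[str]:
    """Sorted, de-duplicated list of http:// URLs found in the blob."""
    return sorted({f["url"] for f in scan_urls(blob) if f["cleartext"]})


def report(blob: bytes) -> str:
    """Render findings in a table similar in spirit to `iz~http://`."""
    lines = ["offset      scheme  url"]
    for f in scan_urls(blob):
        flag = "CLEARTEXT" if f["cleartext"] else "ok"
        lines.append(f"0x{f['offset']:08x}  {f['scheme']:<6}  {f['url']}  [{flag}]")
    lines.append("")
    lines.append(f"cleartext http:// URLs: {len(cleartext_urls(blob))}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python3 find_http_urls.py <binary>; without an argument the
    # constructed sample is scanned.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BINARY
    print(report(data))
```

On the constructed sample the scanner reports five URL occurrences, four of them cleartext, and two distinct `http://` endpoints; the first occurrence sits at offset 22, inside the "HTTP request to ... returned status:" message rather than as a standalone string, which is exactly the distinction the `axt` step of the r2 script is used to make for the real binary.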

Observation

The output lists the HTTP URLs found in the binary, the cross-references to the one at 0x100006c60, and the disassembly of the code that uses it:

output.txt
Uses of http:// URLs:
0   0x00006bd0 0x100006bd0 56  57   2.__TEXT.__cstring       ascii HTTP request to http://httpbin.org/get returned status:
1   0x00006c10 0x100006c10 47  48   2.__TEXT.__cstring       ascii HTTP request to http://httpbin.org/get failed:
3   0x00006c60 0x100006c60 22  23   2.__TEXT.__cstring       ascii http://httpbin.org/get
4   0x00006c80 0x100006c80 36  37   2.__TEXT.__cstring       ascii Invalid URL: http://httpbin.org/get\n

xrefs to http://httpbin.org/get:
sym.func.100005024 0x100005130 [STRN:r--] add x8, x8, str.http:__httpbin.org_get

Use of http://httpbin.org/get:
           0x100005130      add x8, x8, 0xc60                         ; 0x100006c60 ; "http://httpbin.org/get"
           0x100005134      sub x27, x8, 0x20
           0x100005138      mov x0, x24
           0x10000513c      bl sym.imp.swift_retain
           0x100005140      mov x0, x23                               ; void *arg0
           0x100005144      bl sym.imp.swift_bridgeObjectRetain       ; void *swift_bridgeObjectRetain(void *arg0)
           0x100005148      orr x1, x27, 0x8000000000000000
           0x10000514c      mov x8, x26
           0x100005150      mov x0, 0x16
           0x100005154      movk x0, 0xd000, lsl 48
           0x100005158      bl sym.imp.Foundation.URL.string_...cfC_  ; Foundation.URL.string(...cfC)
           0x10000515c      ldr x8, [x28, 0x30]
           0x100005160      mov x0, x26
           0x100005164      mov w1, 1
           0x100005168      mov x2, x22
...
           0x100005224      mov x0, x27
           0x100005228      mov x1, x26
           0x10000522c      mov x2, x22
           0x100005230      blr x8
           0x100005234      adrp x8, segment.__DATA                   ; 0x10000c000
           0x100005238      ldr x0, [x8, 0xc8]                        ; [0x10000c0c8:4]=158
                                                                      ; reloc.NSURLSession ; void *arg0
           0x10000523c      bl sym.imp.objc_opt_self                  ; void *objc_opt_self(void *arg0)
           0x100005240      adrp x8, segment.__DATA                   ; 0x10000c000
           0x100005244      ldr x1, [x8, 0xa0]                        ; [0x10000c0a0:4]=0x6e87 ; reloc.fixup.sharedSession ; char *selector
           0x100005248      bl sym.imp.objc_msgSend                   ; void *objc_msgSend(void *instance, char *selector)

Evaluation

The test fails because the hardcoded HTTP URL http://httpbin.org/get was found in the binary, and the app has an ATS configuration that allows cleartext HTTP traffic to that domain (see Insecure ATS Configuration Allowing Cleartext Traffic).

We know that the URL is actually used by the app because the string is loaded at 0x100005130 and passed to a URL initializer at 0x100005158, and the resulting URL is then used with a URLSession at 0x100005238.