Need

Updating software and dependencies to versions without known vulnerabilities

Context

• Usage of Swift for iOS and macOS app development
• Usage of Alamofire for making network requests in iOS development

Description

Non compliant code

        import UIKit
import Alamofire // version 4.0.1

class ViewController: UIViewController {

    override func viewDidLoad() {
        super.viewDidLoad()
        // Do any additional setup after loading the view.
        Alamofire.request("https://httpbin.org/get").responseJSON { response in
            print(response)
        }
    }
}
        
        

In the above Swift code, the mobile application is using Alamofire version 4.0.1, which is a third-party library for handling HTTP requests. This version of Alamofire has known vulnerabilities that could potentially allow attackers to manipulate the application or even gain unauthorized access to sensitive data.

The vulnerability lies in the use of an outdated version of Alamofire. The developers of Alamofire have since released updates that patch the known vulnerabilities of version 4.0.1. Therefore, using this version of the library exposes the application to unnecessary risk.

It is crucial to keep all software components, including third-party libraries, up-to-date in order to minimize the risk of exploitation by attackers. This includes regularly checking for updates and patches, and applying them as soon as they become available. In the case of Alamofire, the developers should upgrade to the latest version to ensure they are not using a library with known vulnerabilities.

Steps

• Identify the software or dependency with known vulnerabilities
• Update the software or dependency to the latest version that does not have the known vulnerabilities
• Verify that the updated version is compatible with the application
• Update the code to use the updated version of the software or dependency

Compliant code

        import UIKit
import Alamofire // version 5.4.3

class ViewController: UIViewController {

    override func viewDidLoad() {
        super.viewDidLoad()
        // Do any additional setup after loading the view.
        AF.request("https://httpbin.org/get").responseJSON { response in
            print(response)
        }
    }
}
        
        

The original code was using Alamofire version 4.0.1, which is known to have vulnerabilities. The updated code now uses Alamofire version 5.4.3, which is the latest version at the time of writing and does not have the known vulnerabilities.

In addition to updating the version, the code for making a request has also been updated. In Alamofire 4.0.1, you would use Alamofire.request(), but in Alamofire 5.4.3, you should use AF.request().

Before updating the Alamofire version, it's important to verify that the new version is compatible with the rest of your application. This includes checking that the new version works with your current Swift and iOS versions, and that it doesn't break any existing functionality in your app.

After verifying compatibility, you can update the Alamofire version in your Podfile and run pod install to install the new version. Then, update your code to use the new Alamofire APIs.

Remember to always keep your dependencies up-to-date to avoid using software with known vulnerabilities. This not only keeps your app secure, but also lets you take advantage of new features and improvements in the dependencies you use.

References

• 011. Use of software with known vulnerabilities