Disabling debugging mode in production environment
import UIKit

@UIApplicationMain
class AppDelegate: UIResponder, UIApplicationDelegate {
    var window: UIWindow?

    func application(_ application: UIApplication, didFinishLaunchingWithOptions launchOptions: [UIApplication.LaunchOptionsKey: Any]?) -> Bool {
        // Override point for customization after application launch.
        // Debugging enabled in production
        #if DEBUG
        print("Debugging mode is active")
        #endif
        return true
    }
}
The above Swift code is from an iOS application in which debugging mode is enabled in the production environment. This is a security vulnerability because debug output can leak sensitive information when an error is generated.

In the AppDelegate class, inside the application(_:didFinishLaunchingWithOptions:) method, a conditional compilation block checks whether the DEBUG flag is defined. If it is, the app prints "Debugging mode is active". This means that the debugging mode is active in the production environment.
The DEBUG flag is usually set in the build settings of the Xcode project (the active compilation conditions) for the Debug configuration, and it should not be set for the Release (production) configuration. However, in the above code the DEBUG flag is checked, and if it is active, for example because the flag was also defined for the Release configuration, the debugging mode is enabled even in the production environment.

This can leak sensitive information, such as stack traces or other internal details of the application, when an error is generated. An attacker can use that information to understand the application and look for ways to exploit it. Therefore, debugging should be disabled in the production environment to prevent such information leaks.
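Because `#if DEBUG` is only compiled in when DEBUG is listed in the configuration's compilation conditions, the control that actually matters is the build setting described above. The following Python script is an added example, not part of the original page: it scans project.pbxproj text and reports every configuration other than Debug that defines DEBUG, so it can run as a CI gate; the SAMPLE_PBXPROJ fragment and the function names are constructed for illustration.

```python
"""Added CI check: report Xcode build configurations other than Debug that define DEBUG.
Scans project.pbxproj text for XCBuildConfiguration objects (project- and target-level alike)
and inspects SWIFT_ACTIVE_COMPILATION_CONDITIONS and GCC_PREPROCESSOR_DEFINITIONS."""
import re

# One XCBuildConfiguration object: isa = ...; buildSettings = {...}; name = X;
_CONFIG_RE = re.compile(
    r"isa = XCBuildConfiguration;\s*buildSettings = \{(?P<settings>.*?)\};\s*"
    r'name = "?(?P<name>[^";]+)"?;',
    re.S,
)
_SETTING_KEYS = ("SWIFT_ACTIVE_COMPILATION_CONDITIONS", "GCC_PREPROCESSOR_DEFINITIONS")


def debug_defined(settings: str) -> bool:
    """True if a relevant setting carries the DEBUG condition (DEBUG or DEBUG=1)."""
    for key in _SETTING_KEYS:
        m = re.search(rf"{key} = (?P<val>[^;]+);", settings)
        if m is None:
            continue
        # Values may be bare (DEBUG), quoted ("DEBUG $(inherited)") or a list ("DEBUG=1", ...).
        for token in re.findall(r"[A-Za-z_][A-Za-z0-9_]*(?:=\S*)?", m.group("val")):
            if token.split("=", 1)[0] == "DEBUG":
                return True
    return False


def find_debug_in_non_debug_configs(pbxproj_text: str) -> list:
    """Sorted names of configurations that are not Debug yet define DEBUG."""
    flagged = set()
    for m in _CONFIG_RE.finditer(pbxproj_text):
        name = m.group("name").strip()
        if name != "Debug" and debug_defined(m.group("settings")):
            flagged.add(name)
    return sorted(flagged)


# Constructed sample (not from a real project): Release wrongly lists DEBUG and a custom
# Staging configuration defines it through preprocessor definitions.
SAMPLE_PBXPROJ = """
    AA01 /* Debug */ = { isa = XCBuildConfiguration; buildSettings = {
        SWIFT_ACTIVE_COMPILATION_CONDITIONS = DEBUG; }; name = Debug; };
    AA02 /* Release */ = { isa = XCBuildConfiguration; buildSettings = {
        SWIFT_ACTIVE_COMPILATION_CONDITIONS = "DEBUG $(inherited)"; }; name = Release; };
    AA03 /* Staging */ = { isa = XCBuildConfiguration; buildSettings = {
        GCC_PREPROCESSOR_DEFINITIONS = ( "DEBUG=1", "$(inherited)", ); }; name = Staging; };
"""

if __name__ == "__main__":
    print(find_debug_in_non_debug_configs(SAMPLE_PBXPROJ))  # -> ['Release', 'Staging']
```

Pointing the script at a real project.pbxproj and failing the build on a non-empty result prevents a debug block like the one above from being compiled into a release build in the first place.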
import UIKit

@UIApplicationMain
class AppDelegate: UIResponder, UIApplicationDelegate {
    var window: UIWindow?

    func application(_ application: UIApplication, didFinishLaunchingWithOptions launchOptions: [UIApplication.LaunchOptionsKey: Any]?) -> Bool {
        // Override point for customization after application launch.
        // Debug output removed so it cannot ship in a production build
        // #if DEBUG
        // print("Debugging mode is active")
        // #endif
        return true
    }
}
The above code is a fixed version of the previous code where the debugging mode was enabled in the production environment. This was a security vulnerability as it could lead to information leakage when an error is generated.
In the fixed code, the debugging mode is disabled in the production environment. This is done by commenting out the code that enables the debugging mode. The lines of code that were commented out are:

    // #if DEBUG
    // print("Debugging mode is active")
    // #endif