Detailed findings & evidence
IMG-01 — App Transport Security allows arbitrary loads (High)
Evidence
MobSF flagged: App Transport Security AllowsArbitraryLoads is allowed
Why this is risky
Setting NSAllowsArbitraryLoads disables the iOS ATS protections for the whole app, so any connection may fall back to cleartext HTTP or to weaker TLS settings than ATS normally enforces.
Remediation
Remove the global ATS exception from Info.plist. If an exception is absolutely required, add an entry for that host under NSExceptionDomains with only the narrowest exception keys it actually needs.
Suggested fix (Info.plist)
<key>NSAppTransportSecurity</key>
<dict>
    <!-- Remove or avoid using NSAllowsArbitraryLoads at application level -->
    <!-- Example: only allow an exception for a specific host if required -->
    <key>NSExceptionDomains</key>
    <dict>
        <key>example.com</key>
        <dict>
            <key>NSIncludesSubdomains</key><true/>
            <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        </dict>
    </dict>
</dict>
Verification
Re-run MobSF and confirm the ATS high-severity warning is no longer reported.
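As an added check (this script is not part of the report or of the app), a Python lint that parses an Info.plist with the standard plistlib and reports every way ATS has been relaxed, so the fix can be confirmed directly and any per-domain exception that remains is visible rather than hidden behind a clean scan. Both plist samples are constructed.

```python
import plistlib

# Constructed Info.plist samples (not from the scanned app): the app-wide
# exception MobSF flags, and the narrowed per-domain form from the remediation.
WEAK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict><key>NSAllowsArbitraryLoads</key><true/></dict>
</dict></plist>"""

FIXED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict><key>NSExceptionDomains</key><dict>
    <key>example.com</key>
    <dict>
      <key>NSIncludesSubdomains</key><true/>
      <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
    </dict>
  </dict></dict>
</dict></plist>"""


def ats_findings(plist_bytes):
    """Return (severity, message) tuples for every way the plist relaxes ATS."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    # The application-level opt-out is the High finding from the scan.
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append(("High", "NSAllowsArbitraryLoads disables ATS for every connection"))
    # Content-class opt-outs are narrower but still apply app-wide.
    for key in ("NSAllowsArbitraryLoadsInWebContent", "NSAllowsArbitraryLoadsForMedia"):
        if ats.get(key):
            findings.append(("Medium", f"{key} disables ATS for a whole content class"))
    # Per-domain exceptions are the accepted form; report exactly what each one relaxes.
    for host, exc in ats.get("NSExceptionDomains", {}).items():
        scope = host + (" and subdomains" if exc.get("NSIncludesSubdomains") else "")
        if exc.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(("Low", f"cleartext HTTP allowed for {scope}"))
        if exc.get("NSExceptionMinimumTLSVersion") in ("TLSv1.0", "TLSv1.1"):
            findings.append(("Low", f"TLS below 1.2 allowed for {scope}"))
        if exc.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(("Low", f"forward secrecy not required for {scope}"))
    return findings


if __name__ == "__main__":
    for name, data in (("weak", WEAK_PLIST), ("fixed", FIXED_PLIST)):
        print(name, ats_findings(data))
```

Point it at the built app's Info.plist (inside the .app bundle) rather than the source tree, since build settings can add ATS keys that are not in the checked-in file.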
IMG-02 — Possible hardcoded sensitive information (High)
Evidence
// MobSF highlighted a value that looks like an API key in:
ImageGalleryApp/Extension+Helper/Constants.swift
(from scan): f9cc014fa76b098f9e82f1c288379ea2
Why this is risky
API keys embedded in source or configuration included in the app binary can be extracted and misused. Even if the key is limited, secrets in the client increase risk and are hard to rotate.
Remediation
Remove the key from source and inject it at build-time from environment variables or use a server-side proxy to keep secrets out of the client. Rotate the key if it has been published.
Suggested code change (move key out of code)
// Bad (do not store keys in source)
let flickrKey = "f9cc014fa76b098f9e82f1c288379ea2"
// Better: read from Info.plist or environment-injected value
let flickrKey = Bundle.main.object(forInfoDictionaryKey: "FLICKR_API_KEY") as? String ?? ""
// Even better: do not call 3rd-party directly from client for privileged actions; use server-side proxy.
Verification
After removing the key from the repo, re-run MobSF. The hardcoded secret finding should be gone. Confirm the app still functions with the key provided securely at build time or via a backend service.
IMG-03 — Application logs information (Info)
Evidence
// MobSF flagged logging in these files:
ImageGalleryApp/Controller/FlickrCollectionViewController.swift
ImageGalleryApp/Controller/FullScreenViewController.swift
ImageGalleryApp/Networking/FlickrImageSource.swift
Why this is risky
Uncontrolled logging in release builds may leak URLs, request parameters, or internal state that could aid an attacker or expose user data.
Remediation
Remove debug prints from production or wrap them with build-time checks so they only appear in debug builds. Avoid logging tokens, keys, or personally identifiable information.
Suggested code pattern
// Example pattern: only log in debug builds
#if DEBUG
print("Loaded \(images.count) images from Flickr: \(someDebugInfo)")
#endif
// Or use a controlled logger with levels that are disabled in releases.
Verification
Re-run MobSF and verify the logging info message is reduced or absent. Validate that no sensitive values are logged in release builds by inspecting the console output of a release build or by testing on a device.