Check: SRG-APP-999999-MAPP-00064
Mobile Application SRG:
SRG-APP-999999-MAPP-00064
(in version v1 r1)
Title
The mobile application code must not contain hardcoded references to resources external to the application. (Cat II impact)
Discussion
Hardcoded resources include URLs and path references to files outside of the application environment. If an adversary is aware of such references, they can attack the application by breaching the external resource it calls. In most cases, such references can be placed in configuration files that can be updated when the resource reference is no longer valid. This also makes such references more transparent than they would be if they remained embedded in application code.
Check Content
Perform a static program analysis and search the source code for common URL prefixes and suffixes (e.g., "http://", "ftp://", ".mil", ".com"). Also, look for common file path references (e.g., /bin). If any such reference refers to something other than a local application resource, such as a configuration file, this is a finding.
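The search described in the check content, as an added example that is not part of the SRG text: a small static scanner that runs the URL-prefix, host-suffix and system-path patterns over source text, reports each hit with its line number, and skips comment-only lines because a URL in a comment is not a resource the code resolves. The regular expressions, the list of system path roots (/bin, /sbin, /etc, /usr, /system, /sdcard, /tmp), the extra TLDs beyond ".mil" and ".com", the file suffixes scanned, and the sample Java snippet are all assumptions chosen for illustration; a reviewer would extend them per project.

```python
import os
import re
from dataclasses import dataclass
from typing import Dict, List

# Assumed search patterns for the check: URL schemes, host-like strings ending
# in common TLDs, and absolute paths under well-known system roots. Tighten or
# extend these per project; they are illustrative, not a complete list.
URL_RE = re.compile(r'(?i)\b(?:https?|ftp)://[^\s"\'<>)]+')
HOST_RE = re.compile(r'(?i)\b[\w-]+(?:\.[\w-]+)*\.(?:mil|gov|com|net|org)\b')
PATH_RE = re.compile(r'(?<![\w/.])/(?:bin|sbin|etc|usr|system|sdcard|tmp)(?:/[\w.-]+)*')

# Comment markers for Java/Kotlin/Swift/Objective-C source (assumed set).
COMMENT_PREFIXES = ("//", "/*", "*", "#")

# File types a mobile source tree typically carries (assumed set).
SOURCE_SUFFIXES = (".java", ".kt", ".swift", ".m", ".xml", ".plist", ".json")


@dataclass(frozen=True)
class Finding:
    line: int   # 1-based line number within the scanned file
    kind: str   # "url", "host" or "path"
    text: str   # the matched literal


def find_external_refs(source: str) -> List[Finding]:
    """Return every hardcoded external reference in one file's source text."""
    findings: List[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if line.strip().startswith(COMMENT_PREFIXES):
            continue
        remaining = line
        # Run the most specific pattern first and blank out each hit so the
        # host pattern does not report the same URL a second time.
        for kind, pattern in (("url", URL_RE), ("host", HOST_RE), ("path", PATH_RE)):
            for m in pattern.finditer(remaining):
                findings.append(Finding(lineno, kind, m.group(0)))
            remaining = pattern.sub(lambda m: " " * len(m.group(0)), remaining)
    return findings


def scan_tree(root: str) -> Dict[str, List[Finding]]:
    """Walk a source tree and collect findings per file (only files with hits)."""
    results: Dict[str, List[Finding]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(SOURCE_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_external_refs(fh.read())
            if hits:
                results[path] = hits
    return results


# Constructed sample source (not from any real application) exercising each
# pattern: two external URLs, one local config reference that must not be
# reported, one system path, and one URL in a comment that is skipped.
SAMPLE_SOURCE = """\
public final class Endpoints {
    static final String API = "https://api.example.com/v1/";
    static final String UPDATES = "ftp://updates.example.mil/pkg";
    static final String CONFIG = "assets/endpoints.properties";
    static final String SU_BINARY = "/system/bin/su";
    // Documentation: https://docs.example.com/endpoints
}
"""

if __name__ == "__main__":
    for f in find_external_refs(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.kind}: {f.text}")
```

Each hit is a candidate, not automatically a finding: the check excludes references to local application resources, so the reviewer still has to confirm that the matched literal points outside the application environment (the relative "assets/endpoints.properties" path in the sample is deliberately not reported, while the /system/bin/su path is, even though a root check is a common and often legitimate reason for it).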
Fix Text
Remove hardcoded resource references from the application code.
Additional Identifiers
Rule ID: SV-47033r1_rule
Vulnerability ID: V-35746
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 | The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 | Configuration Settings |