IBM Support

PI99445: SECURITY SCAN OF MOBILEFIRST DETECTED A USE OF HARD-CODED PASSWORD

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • Product components impacted: MobileFirst Android and Cordova
JSONStore SDKs
Mobile Devices Operating Systems impacted: Android
User roles impacted: Developer
Distribution: Fix Central
Versions affected: 8.0
There is a vulnerability in MFP v8.0 in regards to use of
Hard-coded Password in MobileFirst code:
password = "a23456790112345b";

Local fix

  • 



Problem summary


    

  • ****************************************************************
* USERS AFFECTED:                                              *
* Developers of Mobile First apps for Android & Cordova using  *
* JSONStore                                                    *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
* Security scan of a MobileFirst app using the JSONStore SDK   *
* detected a use of hard coded  password.This is seen only in  *
* Android. For more details                                    *
* https://cwe.mitre.org/data/definitions/259.html              *
* Although this is a false positive since the password is not  *
* used to protect any data, this string has been removed from  *
* the code.                                                    *
****************************************************************
* RECOMMENDATION:                                              *
* -                                                            *
****************************************************************

    



Problem conclusion


    

  • Fixed the false positive report of a hard-coded password by
removing the string from the code

    



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    PI99445
    • 

  • Reported component name
    MOBILE1ST PF EN
    • 

  • Reported component ID
    5725I4300
    • 

  • Reported release
    800
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2018-06-21
    • 

  • Closed date
    2018-07-26
    • 

  • Last modified date
    2018-07-26
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    MOBILE1ST PF EN
    • 

  • Fixed component ID
    5725I4300
    • 



Applicable component levels


    








      
              
                            

              

              [{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSZH4A","label":"IBM Worklight"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"800","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]
              

                                                                    

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            26 July 2018
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback