mobsfscan

ios_hardcoded_secret produces too many false positives

Open biovolt opened this issue 4 months ago • 1 comments

This detects any string keys that are used just to store random values, like "APP_VERSION_KEY". It is a common pattern to put "key" in the name when storing string keys that are used for value lookups.

I believe this part of the regex "(key\s*=\s*[\'|\"].{1,100}[\'|\"]\s{0,5})" does more harm than good since it will cause most teams to disable the rule, or am I missing something?

e.g.

 private static let APP_VERSION_KEY = "AppVersionStringKey"
 private static let languageKey = "languageKey"
 private let leadsLoggedKey = "leadsLogged_Key"

biovolt, Oct 09 '25 10:10
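
The false-positive pattern reported above, reproduced as an added example (not mobsfscan's code and not part of the original issue): the quoted regex fragment is run over the three Swift lines from the issue, and a hypothetical triage helper separates name-like lookup keys from literals that deserve review. `re.IGNORECASE`, the helper names `tokens` and `classify`, and the constructed `apiKey` line are assumptions.

```python
import re

# Regex fragment quoted in the issue. re.IGNORECASE is an assumption: without
# it the fragment could not match the upper/camel-case names that were reported.
FRAGMENT = re.compile(r"""(key\s*=\s*[\'|\"].{1,100}[\'|\"]\s{0,5})""", re.IGNORECASE)

# Hypothetical triage helper: capture the declared name and its string literal.
ASSIGNMENT = re.compile(r"""(\w*key)\s*=\s*["'](.{1,100})["']""", re.IGNORECASE)

PAGE_SAMPLES = [  # the three lines posted in the issue
    'private static let APP_VERSION_KEY = "AppVersionStringKey"',
    'private static let languageKey = "languageKey"',
    'private let leadsLoggedKey = "leadsLogged_Key"',
]
# Constructed sample (not from the issue): a literal that looks like a credential.
CONSTRUCTED = 'let apiKey = "9f8a7c2e4b6d1a3f5e7c9b0d2a4f6e8c"'


def tokens(text):
    """Split camelCase / snake_case text into lowercase word tokens."""
    return {t.lower() for t in re.findall(r"[A-Z]+(?![a-z])|[A-Z]?[a-z]+|\d+", text)}


def classify(line):
    """Return 'no-match', 'likely-lookup-key' or 'review' for one source line."""
    if not FRAGMENT.search(line):
        return "no-match"
    m = ASSIGNMENT.search(line)
    if not m:
        return "review"
    name, value = m.groups()
    # Name-like literal: only letters and separators, no digits or symbols.
    name_like = re.fullmatch(r"[A-Za-z_.\-]+", value) is not None
    # The literal repeats words from the variable name (ignoring the word "key").
    echoes_name = bool(tokens(value) & (tokens(name) - {"key"}))
    return "likely-lookup-key" if name_like and echoes_name else "review"


if __name__ == "__main__":
    for line in PAGE_SAMPLES + [CONSTRUCTED]:
        print(f"{classify(line):18} {line}")
```

The helper trades recall for noise: a letters-only literal that echoes the variable name is downgraded even if it is a real secret, so it suits triage of findings rather than suppression of the rule.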