From 3458e235903c5a6c0dbd82ffa0cfc6dcc78c3a1c Mon Sep 17 00:00:00 2001
From: 0xh3rman <119309671+0xh3rman@users.noreply.github.com>
Date: Sat, 8 Nov 2025 08:04:35 +0900
Subject: [PATCH 1/3] Add MobSF static analysis integration and config

Introduces MobSF mobsfscan for static security analysis with a new GitHub Actions workflow, a .mobsf configuration file, and a justfile command for local usage. Updates the README with security scanning instructions and adds inline suppressions for specific MobSF rules. Also includes minor code cleanups and enum case renaming for consistency.
---
 .github/workflows/mobsfscan.yml | 48 +++++++++++++++++++
 .mobsf | 24 ++++++++++
 .../FiatTransactionTypeViewModel.swift | 2 +-
 .../Sources/Types/WalletImportType.swift | 6 +--
 .../Sources/LocalKeystorePassword.swift | 2 +-
 Packages/Style/Sources/Emoji.swift | 2 +-
 README.md | 9 ++++
 justfile | 8 +++-
 8 files changed, 94 insertions(+), 7 deletions(-)
 create mode 100644 .github/workflows/mobsfscan.yml
 create mode 100644 .mobsf

diff --git a/.github/workflows/mobsfscan.yml b/.github/workflows/mobsfscan.yml
new file mode 100644
index 000000000..de246eb0d
--- /dev/null
+++ b/.github/workflows/mobsfscan.yml
@@ -0,0 +1,48 @@
+name: MobSF Scan
+
+on:
+ push:
+ branches: ["main"]
+ pull_request:
+ branches: ["main"]
+
+permissions:
+ contents: read
+ security-events: write
+
+jobs:
+ mobsfscan:
+ name: mobsfscan static analysis
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Install uv
+ run: |
+ curl -LsSf https://astral.sh/uv/install.sh | sh
+ echo "$HOME/.local/bin" >> "$GITHUB_PATH"
+
+ - name: Install mobsfscan
+ run: uv tool install mobsfscan
+
+ - name: Run mobsfscan
+ run: |
+ set +e
+ uv tool run mobsfscan -- --type ios --config .mobsf --sarif --output results.sarif --exit-warning
+ EXIT_CODE=$?
+ echo "MOBSF_EXIT=${EXIT_CODE}" >> "$GITHUB_ENV"
+ exit 0
+
+ - name: Upload mobsfscan SARIF
+ if: always() && hashFiles('results.sarif') != ''
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: results.sarif
+
+ - name: Fail when mobsfscan finds issues
+ if: ${{ env.MOBSF_EXIT != '' && env.MOBSF_EXIT != '0' }}
+ run: |
+ echo "mobsfscan reported security findings. Review the SARIF upload for details."
+ exit 1
diff --git a/.mobsf b/.mobsf
new file mode 100644
index 000000000..abd9209f2
--- /dev/null
+++ b/.mobsf
@@ -0,0 +1,24 @@
+---
+- ignore-paths:
+ - build
+ - .build
+ - blockchains
+ - core
+ - Gem.xcodeproj
+ - Gem/Generated
+ - GemTests/Fixtures
+ - GemTests
+ - github.com
+ - Packages/Keystore/Tests
+ - Packages/Keychain/Tests
+ - Packages/Keychain/Sources/Types/Accessibility.swift
+ - Packages/Keystore/TestKit
+ - Packages/Gemstone
+ - Packages/GemstonePrimitives
+ - Packages/Primitives/Sources/Extensions/Color+Primitives.swift
+ - Packages/Primitives/Sources/TransactionLoadMetadata.swift
+ - scripts
+ - swiftgen.yml
+ severity-filter:
+ - WARNING
+ - ERROR
diff --git a/Features/FiatConnect/Sources/ViewModels/FiatTransactionTypeViewModel.swift b/Features/FiatConnect/Sources/ViewModels/FiatTransactionTypeViewModel.swift
index ac8ac2c26..7122d17c6 100644
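Review bot: The scanner that gates this workflow is installed unpinned at `curl -LsSf https://astral.sh/uv/install.sh | sh` and `uv tool install mobsfscan`, so both the code executed on every push and the rule set that decides pass/fail can change underneath the repository without any commit here, and an altered installer would run with the job's token. Pin the tool, e.g. `uv tool install mobsfscan==<PINNED_VERSION>`, and replace the piped installer with a checksum-verified download or the `astral-sh/setup-uv` action pinned to a commit SHA; the same SHA pinning applies to `actions/checkout@v4` and `github/codeql-action/upload-sarif@v3`. Separately, the `pull_request` trigger also fires for forks, where the token stays read-only regardless of the `security-events: write` grant, so the upload step will most likely fail on fork PRs; consider guarding it with `if: always() && hashFiles('results.sarif') != '' && github.event.pull_request.head.repo.fork != true` so the result-gating step still runs on its own.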
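Review bot: `Packages/Keychain/Sources/Types/Accessibility.swift` and the `Packages/Keystore`/`Packages/Keychain` entries are excluded by path, which silences every current and future mobsfscan rule for production key-handling code rather than the one finding that was presumably reviewed, and no entry in the list records why it is there. Prefer narrowing those to an `ignore-rules` entry or the inline rule suppressions the commit message says it adds, so a new finding in that file is still reported. For the remaining paths, add a YAML comment above each giving the reason, e.g. `# generated code, not hand-maintained` over `Gem/Generated` and `# test fixtures, nothing shipped` over `GemTests/Fixtures`, so a later reader can tell an intentional exclusion from an accidental one.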
--- a/Features/FiatConnect/Sources/ViewModels/FiatTransactionTypeViewModel.swift
+++ b/Features/FiatConnect/Sources/ViewModels/FiatTransactionTypeViewModel.swift
@@ -31,7 +31,7 @@ public extension FiatQuoteTypeViewModel {
 func randomAmount(maxAmount: Double) -> Double? {
 switch type {
- case .buy: Double(Int.random(in: Int(defaultAmount)../dev/null || { \
+ echo "uv is not installed. Install it via 'curl -LsSf https://astral.sh/uv/install.sh | sh'."; \
+ exit 1; }
+ uv tool run mobsfscan -- --type ios --config .mobsf --exit-warning
+ localize: @sh core/scripts/localize.sh ios Packages/Localization/Sources/Resources just generate-model
@@ -138,4 +144,4 @@ generate-stone:
 bump-version:
 @sh ./scripts/bump-version-and-commit.sh patch
-mod core
\ No newline at end of file
+mod core

From 8d2df19bb253eb2ddda5bdf6d732e58543c4d8a6 Mon Sep 17 00:00:00 2001
From: 0xh3rman <119309671+0xh3rman@users.noreply.github.com>
Date: Sat, 8 Nov 2025 08:16:55 +0900
Subject: [PATCH 2/3] Update .mobsf

---
 .mobsf | 2 --
 1 file changed, 2 deletions(-)

diff --git a/.mobsf b/.mobsf
index abd9209f2..7fb125352 100644
--- a/.mobsf
+++ b/.mobsf
@@ -2,13 +2,11 @@
 - ignore-paths:
 - build
 - .build
- - blockchains
 - core
 - Gem.xcodeproj
 - Gem/Generated
 - GemTests/Fixtures
 - GemTests
- - github.com
 - Packages/Keystore/Tests
 - Packages/Keychain/Tests
 - Packages/Keychain/Sources/Types/Accessibility.swift

From 63b8c7305d70e5a2ba8f339a98528c1bf8ec580b Mon Sep 17 00:00:00 2001
From: 0xh3rman <119309671+0xh3rman@users.noreply.github.com>
Date: Sat, 8 Nov 2025 08:26:58 +0900
Subject: [PATCH 3/3] Update .mobsf

---
 .mobsf | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.mobsf b/.mobsf
index 7fb125352..c259cc41e 100644
--- a/.mobsf
+++ b/.mobsf
@@ -15,7 +15,6 @@
 - Packages/GemstonePrimitives
 - Packages/Primitives/Sources/Extensions/Color+Primitives.swift
 - Packages/Primitives/Sources/TransactionLoadMetadata.swift
- - scripts
 - swiftgen.yml
 severity-filter:
 - WARNING