objective c - Why is my string potentially unsecure in my iOS application?

Question

I am initializing a mutable string and then logging it as follows.

NSMutableString* mStr = [[NSMutableString alloc] init];
mStr = (NSMutableString*) someTextFieldIbOutlet.text;
NSLog((NSString *) mStr);

The code works and runs, but I am getting a strange warning (in yellow):

Format string is not a string literal (potentially insecure).

Why?

Answer 1

Well, there are a few problems here.

The first one (and not the one that you asked about) is that you are allocating a new NSMutableString and then simply throwing it away in the second line when you set it to someTextFieldIbOutlet.text. Also, you are casting a non-mutable string to a mutable one which won't actually work. Instead, combine the first two lines like this:

NSMutableString* mStr = [NSMutableString stringWithString:someTextFieldIbOutlet.text];

The actual error that you are getting is caused because the first argument to NSLog is supposed to be the "format" string which tells NSLog how you want to format the data that follows in later arguments. This should be a literal string (created like @"this is a literal string") so that it can not be used to exploit your program by making changes to it.

Instead, use this:

NSLog(@"%@", mStr );

In this case, the format string is @"%@" which means "Create a NSString object set to %@". %@ means that the next argument is an object, and to replace %@ with the object's description (which in this case is the value of the string).