Important: Couchbase.framework using an insecure listening address


Jens Alfke

Aug 10, 2011, 2:10:41 PM
to mobile-c...@googlegroups.com
I just realized that the server configuration in current development builds of Couchbase Mobile for iOS is set to the wrong listening address — it’s currently using 0.0.0.0, which means “all interfaces”, when it should be 127.0.0.1 for “loopback only”.

This has security implications, since it means that, while the app is running and in the foreground, the server will accept HTTP requests from outside, meaning that someone on your WiFi network who knows your device’s IP address and can guess (or scan for) the CouchDB server port can access the server. (But at least this can only be done while the app is active.)

I’ve filed a bug report, and I’ll be fixing the problem today and releasing a new build. If you want to patch it immediately, all you have to do is edit Couchbase.framework/CouchbaseResources/default_ios.ini, and change “0.0.0.0” to “127.0.0.1”. (It’ll be on line 40 as the value for the “bind_address” key.)

Sorry about this, and pardon our dust. It does highlight the fact that nobody should be shipping any apps incorporating prerelease builds of Couchbase Mobile for iOS! We’re still planning on a high-quality 1.0 release around the end of September.

—Jens
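A check for the misconfiguration Jens describes, as an added example that is not part of the original post or of Couchbase Mobile: it parses a constructed CouchDB-style .ini fragment, reports whether bind_address is loopback-only, and rewrites it to 127.0.0.1. The [httpd] section name and the port key are assumptions; only the bind_address key and the two addresses come from the post.

```python
import configparser
import io
import ipaddress

# Constructed sample in the shape of a CouchDB-style .ini file. The [httpd]
# section name and the port key are assumptions; only bind_address and the
# values 0.0.0.0 / 127.0.0.1 come from the mailing-list post.
INSECURE_INI = """
[httpd]
port = 5984
bind_address = 0.0.0.0
"""


def bind_address(ini_text: str, section: str = "httpd") -> str:
    """Return the configured bind_address, or '' if the key is absent."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    return cfg.get(section, "bind_address", fallback="").strip()


def is_loopback_only(ini_text: str) -> bool:
    """True only when the HTTP listener is bound to a loopback address.

    A missing or unparseable address is treated as NOT loopback-only: the
    daemon would then fall back to its own built-in default, which this
    check cannot see, so it refuses to vouch for it.
    """
    addr = bind_address(ini_text)
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def harden(ini_text: str, section: str = "httpd") -> str:
    """Apply the fix from the post: set bind_address to 127.0.0.1."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    if not cfg.has_section(section):
        cfg.add_section(section)
    cfg.set(section, "bind_address", "127.0.0.1")
    out = io.StringIO()
    cfg.write(out)
    return out.getvalue()


if __name__ == "__main__":
    print("loopback only?", is_loopback_only(INSECURE_INI))  # False
    print(harden(INSECURE_INI))
```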