I received the MOBSF security check result PDF, where I found some "High" severity issues.
1. Binary makes use of insecure API(s) (high). CWE: CWE-676: Use of Potentially Dangerous Function. OWASP Top 10: M7: Client Code Quality. OWASP MASVS: MSTG-CODE-8. The binary may contain the following insecure API(s): _sscanf, _memcpy, _fopen.
2. Binary makes use of the malloc function (high). CWE: CWE-789: Uncontrolled Memory Allocation. OWASP Top 10: M7: Client Code Quality. OWASP MASVS: MSTG-CODE-8. The binary may use the _malloc function instead of calloc.
I have used a static analyzer, but I am unable to find APIs such as _sscanf and the others in my codebase.
This issue is not shown in the Xcode IDE either. I have attempted static analysis in Xcode via Product -> Analyze, but I am still unable to find the mentioned issues.
Can anyone please help me overcome this scenario and successfully pass the MOBSF test?
Thanks in Advance
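As an added example (not code from the MobSF report or from the poster's project), here are the C usage patterns that trigger these two findings, each next to a bounded form. MobSF raises the findings from the symbol names present in the Mach-O, so _sscanf and friends can be pulled in by a statically linked dependency such as a CocoaPods library even when they never appear in your own source; running nm -u on the app executable (and on each .a under Pods) lists the imported symbols and shows where they come from. _fopen is on the list for path handling rather than memory safety and is not shown. NAME_MAX_LEN, MAX_RECORDS, record_t and the sample input lines are assumptions made for the example.

```c
/*
 * Added example (not from the MobSF report or the poster's project): the C
 * patterns behind MobSF's CWE-676 and CWE-789 findings, each beside a bounded
 * replacement.  Build and run: cc -Wall -std=c11 -o insecure_apis insecure_apis.c
 */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX_LEN 16   /* assumed buffer size for a parsed name */
#define MAX_RECORDS  4096 /* assumed upper bound on an untrusted record count */

/* The %15s width below must stay in step with NAME_MAX_LEN - 1. */
_Static_assert(NAME_MAX_LEN == 16, "update the %15s field width with NAME_MAX_LEN");

typedef struct { char name[NAME_MAX_LEN]; uint32_t id; } record_t;

/* Scratch buffer so the functions can be exercised without local state. */
char g_scratch[NAME_MAX_LEN];

/* CWE-676 pattern: "%s" without a field width writes as many bytes as the
 * input supplies, so a value longer than 15 characters overruns name[].
 * Kept only for comparison; never call it with untrusted input. */
int parse_name_unsafe(const char *line, char name[NAME_MAX_LEN]) {
    return sscanf(line, "name=%s", name) == 1 ? 0 : -1;
}

/* Bounded form: the field width caps the write, and %n records how much input
 * was consumed so a silently truncated value is rejected rather than accepted
 * as a shortened name.  Returns 0 on success, -1 on parse failure/overlong. */
int parse_name_safe(const char *line, char name[NAME_MAX_LEN]) {
    int consumed = 0;
    if (sscanf(line, "name=%15s%n", name, &consumed) != 1) return -1;
    if (line[consumed] != '\0' && !isspace((unsigned char)line[consumed])) return -1;
    return 0;
}

/* memcpy is only as safe as the length check in front of it.  This wrapper
 * refuses a copy that would exceed the destination capacity (leaving room for
 * the terminator) and NUL-terminates the result. */
int copy_bounded(char *dst, size_t dst_cap, const char *src, size_t n) {
    if (dst == NULL || src == NULL || dst_cap == 0 || n >= dst_cap) return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* CWE-789 pattern: malloc(count * sizeof(record_t)) with an attacker-chosen
 * count can wrap to a small allocation, and even without wrapping an unbounded
 * count lets a caller exhaust memory.  Mainstream calloc implementations check
 * the multiplication for overflow; the explicit cap covers the second problem,
 * which calloc alone does not.  Returns NULL for a zero, oversized or failed request. */
record_t *alloc_records(size_t count) {
    if (count == 0 || count > MAX_RECORDS) return NULL;
    return calloc(count, sizeof(record_t));
}

int main(void) {
    /* Constructed sample inputs for the demonstration. */
    const char *lines[] = {
        "name=alice",
        "name=bob extra",
        "name=this_value_is_far_too_long_for_the_buffer",
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        int rc = parse_name_safe(lines[i], g_scratch);
        printf("%-48s -> %s%s\n", lines[i], rc == 0 ? "ok: " : "rejected", rc == 0 ? g_scratch : "");
    }
    record_t *r = alloc_records(8);
    printf("alloc_records(8): %s; alloc_records(SIZE_MAX): %s\n",
           r ? "allocated" : "failed", alloc_records(SIZE_MAX) ? "allocated" : "refused");
    free(r);
    return 0;
}
```

The point for the MobSF report is that the finding is about how these functions are called, not that they are present: a width-limited sscanf, a length-checked memcpy and a capped allocation are the evidence a reviewer would accept for marking the item as handled, while the symbol itself will still be listed as long as anything in the binary links it.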
I got the MOBSF security check result PDF, where I found some "High" severity issues.
Binary makes use of insecure API(s)
Severity: high. CWE: CWE-676: Use of Potentially Dangerous Function
OWASP Top 10: M7: Client Code Quality
OWASP MASVS: MSTG-CODE-8. The binary may contain the following insecure API(s): _sscanf, _memcpy, _fopen
Binary makes use of the malloc function
Severity: high. CWE: CWE-789: Uncontrolled Memory Allocation
OWASP Top 10: M7: Client Code Quality
OWASP MASVS: MSTG-CODE-8. The binary may use the _malloc function instead of calloc
Anyone who knows about this, please comment.
Your input would be appreciated.
Thanks in advance
I have a Safari WebKit view inside my mobile app which renders a web page. The web page has a file upload option.
When I click on it, 3 options are shown, as in the screenshot.
I am trying to make the Safari kit only allow camera capture and hide "Upload existing files".
Is there any Safari permission I can remove from the configuration that hides the option to upload from files?
I am using the AppAuth pod for authentication (https://github.com/openid/AppAuth-iOS) and was wondering how Safari WebKit manages the application context for the cookies saved during authentication. I made sure I had a successful authentication, then tried a few combinations to understand the failed-authentication behaviour and compared them with the developer tools in Safari on my Mac. What caught me off guard was that the Safari WebKit cookies were not visible to me programmatically. I am using the code below to get the cookies.
HTTPCookieStorage.shared.cookies(for: URL(string: "https://\(targetDomain)")!)
I also tried using the developer console for the mobile Safari kit, but as soon as the authentication flow completes the view is destroyed and the information is lost. So has anyone come across this situation and figured out how Safari WebKit isolates cookie visibility?
Hello, guys! I am stuck generating an IPA using the command-line interface (CLI).
I have a scenario where I'm learning to automate IPA generation by passing the necessary values through the CLI.
I have created a separate keychain for this purpose. However, even if I pass a specific keychain in the CLI, it still appears to look in the default keychain.
I already have the iOS Distribution certificate and the Apple Distribution certificate installed in the login keychain. I won't delete them because I need them to generate IPA files from Xcode, and I want to avoid adding them again and repeating the same steps.
iPhone Distribution: "Team_Name" (Team_ID)
Apple Distribution: "Team_Name" (Team_ID)
When I have the above two certificates installed in the login keychain and try to build using the 'iPhone Distribution' option, I receive an error stating that the provisioning profile 'Adhov' doesn't include the signing certificate 'Apple Distribution:'. I don't understand why it is pointing to the Apple Distribution certificate.
My main issue is that even though I have specified to pick the certificates from the custom keychain, when both certificates are installed in the login keychain.
I am able to import the certificate into the custom keychain. When I try to codesign using the commands below, it throws an error stating that my iOS distribution profile doesn't include the signing certificate for the Apple Distribution certificate.
Here are the code snippets I am working with.
# Unlock the custom keychain (straight quotes: the curly quotes in the original became part of the password)
security unlock-keychain -p "Password" ~/Library/Keychains/customKeychain.keychain

# Put the custom keychain on the user search list ahead of login.keychain.
# codesign only consults keychains on this list, which is why an unlocked but
# unlisted keychain is ignored and the login-keychain identities are found instead.
security list-keychains -d user -s ~/Library/Keychains/customKeychain.keychain ~/Library/Keychains/login.keychain-db

# Import the .p12 certificate into the custom keychain
security import "${16}.p12" -P "${17}" -A -k ~/Library/Keychains/customKeychain.keychain

# Allow Apple's tools to use the private key without a UI prompt
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "Password" ~/Library/Keychains/customKeychain.keychain

# Check for a valid identity
security find-identity -v -p codesigning ~/Library/Keychains/customKeychain.keychain

# Generate the archive; OTHER_CODE_SIGN_FLAGS passes --keychain through to codesign
xcodebuild -workspace "$1" -scheme "$2" -configuration Release -archivePath "$6/$9.xcarchive" \
  OTHER_CODE_SIGN_FLAGS="--keychain $HOME/Library/Keychains/customKeychain.keychain" archive

# Codesign the archive (note that exportArchive re-signs the app with the identity in the export options anyway)
codesign -s "${18}" "$6/$9.xcarchive"

# Export the IPA
xcodebuild -exportArchive -archivePath "${6}/${9}.xcarchive" -exportPath "${6}/${9}" -exportOptionsPlist "${8}"

# Delete the certificate after a successful build, from the same keychain it was imported into
security delete-certificate -c "${18}" ~/Library/Keychains/customKeychain.keychain
I am generating the IPA file using command-line tools for custom IPA generation. Each time, it asks for login credentials during code signing. However, this doesn't work for me because I always use a different developer's profile to generate the IPA. Consequently, I am unable to enter the login passcode for each developer's profile.
Please let me know if there are any other steps to avoid code signing while generating the IPA file.
The script is as follows:
xcodebuild -workspace -scheme -archivePath archive
xcodebuild -exportArchive -archivePath -exportPath -exportOptionsPlist
Guys, I am new to VPN-related things.
To use the Personal VPN feature in an iOS application, is it sufficient to enable the capability in Signing and Capabilities? Adding the Personal VPN capability created an entitlement with the allow-VPN parameter in the entitlements file.
Will enabling this make the app capable of handling this feature?
I am not able to understand the significance of adding the Personal VPN capability in Signing and Capabilities.
Please help me understand it.
Or do we have to write code to enable and handle this feature manually?
Links:
Apple Developer Documentation
i) Is it possible to inject the developer's profile and bundle ID into the project while generating an IPA file?
ii) Can I change the bundle ID and application name while generating an archive file and IPA file using command-line tools?
Any sort of help in this regard is appreciated; thanks in advance.
Exception Type: EXC_CRASH (SIGABRT) Exception Codes: 0x0000000000000000, 0x0000000000000000 Triggered by Thread: 6
Application Specific Information:
abort() called
Thread 6 name: Dispatch queue: com.apple.root.default-qos
Thread 6 Crashed:
0 libsystem_kernel.dylib 0x1fe908200 __pthread_kill + 8
1 libsystem_pthread.dylib 0x20ed6a1ac pthread_kill + 268
2 libsystem_c.dylib 0x1c933dc8c abort + 180
3 libc++abi.dylib 0x20ecaab8c abort_message + 132
4 libc++abi.dylib 0x20ec9aa80 demangling_terminate_handler() + 336
5 libobjc.A.dylib 0x1bb03dd3c _objc_terminate() + 144
6 libc++abi.dylib 0x20eca9f28 std::__terminate(void (*)()) + 20
7 libc++abi.dylib 0x20eca9ec4 std::terminate() + 56
8 libdispatch.dylib 0x1c92d9ff0 _dispatch_client_callout + 40
9 libdispatch.dylib 0x1c92dd0c8 _dispatch_queue_override_invoke + 788
10 libdispatch.dylib 0x1c92eba6c _dispatch_root_queue_drain + 396
11 libdispatch.dylib 0x1c92ec284 _dispatch_worker_thread2 + 164
12 libsystem_pthread.dylib 0x20ed63dbc _pthread_wqthread + 228
13 libsystem_pthread.dylib 0x20ed63b98 start_wqthread + 8
I have an external plist file and some images. If I copy them manually using Xcode, I can read the values inside my application; they are available in the bundle.
But I cannot do it manually every time, so I am looking for a way to add or copy the files to the bundle so that I can read the values inside the application.
If anybody knows about this, please share the steps to overcome this problem.
Frameworks don't support provisioning profiles while generating an IPA from the command-line tool.
The syntax followed is:
1. cd "Project Folder"
2. xcodebuild -scheme "" archive -archivePath "" DEVELOPMENT_TEAM="" PRODUCT_BUNDLE_IDENTIFIER="" PROVISIONING_PROFILE=""
3. xcodebuild -exportArchive -archivePath "" -exportPath "" -exportOptionsPlist ""
In exportOptionsPlist I provide the team ID, provisioning profile UUID and bundle identifier.
Please help me fix this issue.