How to fix: IPA BINARY CODE ANALYSIS in iOS swift

Question

Bhargav_Subbarao OP

Created Nov ’23

Replies 1

Boosts 0

Views 2.2k

Participants 2

I received the MOBSF security check result PDF, where I found some "High" severity issues.

1.Binary makes use of insecure API(s) with high CWE: CWE-676: Use of Potentially Dangerous Function OWASP Top 10: M7: Client Code Quality OWASP MASVS: MSTG-CODE-8. The binary may contain the following insecure API(s): _sscanf, _memcpy, _fopen.

2.Binary makes use of the malloc function with high CWE: CWE-789: Uncontrolled Memory Allocation OWASP Top 10: M7: Client Code Quality OWASP MASVS: MSTG-CODE-8. The binary may use the _malloc function instead of calloc.

I have utilized a static analyzer, but I am unable to identify the APIs such as _sscanf and others in my codebase.

This issue is not being shown in Xcode IDE either. I have attempted static analysis in Xcode using the approach: Product -> Analyze, but I am still unable to identify the mentioned issues.

Can anyone please help me overcome this scenario and successfully pass the MOBSF test?

Thanks in Advance

Boost

Answer 1

DTS Engineer OP

Apple

Nov ’23

I am unable to identify the APIs such as _sscanf and others in my codebase.

It’s hard to offer concrete advice without knowing more about how this security audit tool works. However, I suspect it’s just looking at the symbols being imported by your Mach-O images (executables, frameworks, and dynamic libraries). If so, the first step is to identify which Mach-O is importing the symbol you’re concerned about. You can do that with nm.

Once you’ve found the right Mach-O image, the next step depends on how that image is built:

If you’re building this Mach-O image yourself, use the techniques described in Using a Link Map to Track Down a Symbol’s Origin to work out where it’s coming from.
If you’re using a dynamic library or framework built by some other developer, discuss this with the library’s vendor.

With regards that second point, one potential issue here is the Swift runtime libraries, when the vendor is Apple. There’s very little point contacting Apple about our libraries calling, say, malloc. So, if you track this down to an Apple library, my advice is that you discuss that finding with your security audit tool’s vendor.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0