How to fix: IPA BINARY CODE ANALYSIS in iOS swift

I received the MOBSF security check result PDF, where I found some "High" severity issues.

1. Binary makes use of insecure API(s) with high CWE: CWE-676: Use of Potentially Dangerous Function OWASP Top 10: M7: Client Code Quality OWASP MASVS: MSTG-CODE-8. The binary may contain the following insecure API(s): _sscanf, _memcpy, _fopen.

2. Binary makes use of the malloc function with high CWE: CWE-789: Uncontrolled Memory Allocation OWASP Top 10: M7: Client Code Quality OWASP MASVS: MSTG-CODE-8. The binary may use the _malloc function instead of calloc.

I have utilized a static analyzer, but I am unable to identify the APIs such as _sscanf and others in my codebase.

This issue is not being shown in Xcode IDE either. I have attempted static analysis in Xcode using the approach: Product -> Analyze, but I am still unable to identify the mentioned issues.

Can anyone please help me overcome this scenario and successfully pass the MOBSF test?

Thanks in advance

Replies

I am unable to identify the APIs such as _sscanf and others in my codebase.

It’s hard to offer concrete advice without knowing more about how this security audit tool works. However, I suspect it’s just looking at the symbols being imported by your Mach-O images (executables, frameworks, and dynamic libraries). If so, the first step is to identify which Mach-O is importing the symbol you’re concerned about. You can do that with nm.

Once you’ve found the right Mach-O image, the next step depends on how that image is built:

  • If you’re building this Mach-O image yourself, use the techniques described in Using a Link Map to Track Down a Symbol’s Origin to work out where it’s coming from.

  • If you’re using a dynamic library or framework built by some other developer, discuss this with the library’s vendor.

With regard to that second point, one potential issue here is the Swift runtime libraries, when the vendor is Apple. There’s very little point contacting Apple about our libraries calling, say, malloc. So, if you track this down to an Apple library, my advice is that you discuss that finding with your security audit tool’s vendor.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
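The first step in the reply above, finding which Mach-O image inside the app bundle imports the flagged symbols, can be scripted. The script below is an added example and not part of the thread or of any Apple or MobSF tooling; it assumes a macOS host with the command-line developer tools (`nm`, `file`) installed and takes the path to an `.app` bundle as its argument. The list of flagged symbols is taken from the MobSF findings quoted in the question, and the sample `nm` output used to exercise the filter is constructed for the example.

```sh
#!/bin/sh
# Added example: locate the Mach-O image(s) in an .app bundle that import
# the symbols a binary-analysis report flagged. Requires macOS `nm` and `file`.

# Symbols named in the MobSF report quoted above (CWE-676 / CWE-789 findings).
FLAGGED="_sscanf _memcpy _fopen _malloc"

# filter_flagged: read `nm` output on stdin and print only flagged symbol
# names, in input order. Uses the last field so it accepts both the bare
# `nm -u` form ("_malloc") and the full `nm` form ("U _malloc").
filter_flagged() {
  awk -v list="$FLAGGED" '
    BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
    NF > 0 && ($NF in want) { print $NF }
  '
}

# scan_bundle: walk the bundle, run `nm -u` (undefined = imported symbols) on
# every Mach-O file, and report each image that imports a flagged symbol.
scan_bundle() {
  bundle="$1"
  find "$bundle" -type f | while IFS= read -r f; do
    # `file -b` identifies Mach-O images regardless of file extension
    # (the main executable, embedded frameworks, dylibs, app extensions).
    case "$(file -b "$f")" in
      Mach-O*) ;;
      *) continue ;;
    esac
    hits=$(nm -u "$f" 2>/dev/null | filter_flagged | tr '\n' ' ')
    if [ -n "$hits" ]; then
      printf '%s: %s\n' "$f" "$hits"
    fi
  done
}

# Constructed sample of `nm -u` output (not from a real binary), used to
# show what the filter keeps: only the two flagged names survive.
SAMPLE_NM_OUTPUT='_NSLog
_malloc
_objc_msgSend
_sscanf
dyld_stub_binder'

# sample_hits: run the filter over the constructed sample.
sample_hits() {
  printf '%s\n' "$SAMPLE_NM_OUTPUT" | filter_flagged | tr '\n' ' '
}

# Usage: ./find_flagged.sh /path/to/MyApp.app
if [ "$#" -ge 1 ]; then
  scan_bundle "$1"
fi
```

Once the script names an image, `nm -m` on that image shows which library each undefined symbol is resolved from (for example `(from libSystem)`), which is what tells you whether the import belongs to your own code, a third-party framework, or an Apple runtime library, and therefore which of the two follow-up paths in the reply applies.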