The customer requested a pen-test for this app, and they reported some issues related to buffer overflow and weak randomness functions

The customer requested a pen-test for this app, and they reported some issues related to buffer overflow and weak randomness functions. I reviewed the identified methods, but I couldn't find them in the code or third-party SDKs. We would like to know if you can review these methods to see if there is a possible solution or if you can guarantee that these functions are safe.

They say that they applied a reverse engineering tool and it showed that our app is compiled using these C/C++ functions, which are considered unsafe.

The tool used is: Ghidra (https://ghidra-sre.org/)

These are the methods reported by the cybersecurity team:

Related to buffer overflow:

Related to weak randomness functions:

Answered by DTS Engineer in 797670022

I see questions like this a lot. Honestly, I’m inclined to agree with endecotp’s advice (-: However, as this crops up again and again, I figured I should write up something more extensive.

The result of that effort is Security Audit Thoughts. Please read it through and then post back here if you have specific questions.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

They have wasted their money on this so-called pen-test.

Suggestion: find out how much they paid, and you charge them twice that much to write your own report explaining how your use of malloc(), random() etc. is actually safe.

