We recently had an external pentest for one of our company's macOS applications and they brought up the topic of library validation. Our app has hardened runtime enabled and passes notarization. The codesign verification output includes:
flags=0x10000(runtime)
The pentesters brought up that both validation and runtime should be present, so I discovered that you could also add library validation by augmenting our flags with:
OTHER_CODE_SIGN_FLAGS = --timestamp -o library
which changes the flags to:
flags=0x12000(library-validation,runtime)
The pentesters insist that both options are necessary, especially to avoid library injection when SIP is off, but Apple's docs say that hardened runtime already implies library validation (see here )
My question is: does explicitly specifying library validation provide something that hardened runtime does not already? Or is it correct that hardened runtime already imply library validation?
For what it's worth, I did a quick scan of some of the apps on my system, interesting some of the Apple system apps have only library validation (e.g. Safari, Photos), some have both (e.g. Podcasts), some have only hardened runtime (e.g. Mail). So that didn't help answer the question.
Thank you!