facebook / react-native

A framework for building native applications using React
https://reactnative.dev
MIT License

App security test reports Insecure API for React Native iOS App - Binary Analysis (IPA) #25414

Closed kamalyzl closed 4 years ago

kamalyzl commented 5 years ago

After a static analysis performed on the IPA obtained from the compilation from React Native,

[Screenshot 2019-06-27 at 11 04 38 a.m.]

This is the result of a static analysis of the IPA file of an iOS-based application

Version react info

```
info
  React Native Environment Info:
    System:
      OS: macOS High Sierra 10.13.6
      CPU: (4) x64 Intel(R) Core(TM) i5-7267U CPU @ 3.10GHz
      Memory: 82.13 MB / 8.00 GB
      Shell: 3.2.57 - /bin/bash
    Binaries:
      Node: 8.11.3 - /usr/local/bin/node
      Yarn: 1.9.4 - /usr/local/bin/yarn
      npm: 6.9.0 - /usr/local/bin/npm
      Watchman: 4.9.0 - /usr/local/bin/watchman
    SDKs:
      iOS SDK:
        Platforms: iOS 12.1, macOS 10.14, tvOS 12.1, watchOS 5.1
      Android SDK:
        API Levels: 23, 25, 26, 27, 28
        Build Tools: 23.0.1, 26.0.2, 26.0.3, 27.0.3, 28.0.2, 28.0.3
        System Images: android-28 | Google Play Intel x86 Atom
    IDEs:
      Android Studio: 3.1 AI-173.4907809
      Xcode: 10.1/10B61 - /usr/bin/xcodebuild
    npmPackages:
      react: 16.8.3 => 16.8.3
      react-native: 0.59.8 => 0.59.8
```

Versions of current libraries.

```
"react-native-android-sms-listener": "^0.7.0",
"react-native-calendars": "^1.115.0",
"react-native-camera": "^2.7.0",
"react-native-contacts": "^4.0.2",
"react-native-dotenv": "^0.2.0",
"react-native-firebase": "5.3.1",
"react-native-gesture-handler": "^1.2.1",
"react-native-languages": "^3.0.2",
"react-native-maps": "0.24.2",
"react-native-qrcode": "^0.2.7",
"react-native-share": "^1.1.3",
"react-native-snap-carousel": "^3.7.5",
"react-native-svg": "^9.4.0",
"react-native-swipeout": "^2.3.6",
"react-native-view-shot": "^2.6.0",
"react-navigation": "3.9.1",
"react-redux": "^7.0.3",
"readdirp": "^3.0.1",
"redux": "^4.0.1",
"redux-actions": "^2.6.5",
"rn-sliding-up-panel": "^2.2.0",
"simple-grep": "0.0.1",
"yup": "^0.27.0"
```

How could you change the variables found by those suggested by Apple from React Native? https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/BufferOverflows.html#//apple_ref/doc/uid/TP40002577-SW1

Thanks

react-native-bot commented 5 years ago

Can you run react-native info and edit your issue to include these results under the React Native version: section?

If you believe this information is irrelevant to the reported issue, you may write `[skip envinfo]` alongside an explanation in your Environment: section.

kamalyzl commented 5 years ago

@react-native-bot ready

Zahikusa commented 5 years ago

I have a very similar problem after running a scan on my .ipa file. Below is my 'react-native info' output:

```
React Native Environment Info:
  System:
    OS: macOS High Sierra 10.13.6
    CPU: (8) x64 Intel(R) Core(TM) i7-4870HQ CPU @ 2.50GHz
    Memory: 6.69 GB / 16.00 GB
    Shell: 3.2.57 - /bin/bash
  Binaries:
    Node: 11.8.0 - /usr/local/bin/node
    npm: 6.7.0 - /usr/local/bin/npm
    Watchman: 4.9.0 - /usr/local/bin/watchman
  SDKs:
    iOS SDK:
      Platforms: iOS 12.1, macOS 10.14, tvOS 12.1, watchOS 5.1
    Android SDK:
      API Levels: 23, 26, 28
      Build Tools: 23.0.1, 26.0.3, 28.0.2
      System Images: android-23 | Intel x86 Atom_64, android-23 | Google APIs Intel x86 Atom_64, android-28 | Google APIs Intel x86 Atom
  IDEs:
    Xcode: 10.1/10B61 - /usr/bin/xcodebuild
  npmPackages:
    react: 16.5.0 => 16.5.0
    react-native: https://github.com/expo/react-native/archive/sdk-32.0.0.tar.gz => 0.57.1
  npmGlobalPackages:
    create-react-native-app: 1.0.0
    react-native-cli: 2.0.1
```

Did you already manage to find any solution to this issue @author?

mayurssoni2456 commented 5 years ago

Same issue .. any thoughts?

ghost commented 5 years ago

Same issue here, but I used Swift -> any thoughts?

ebiba-dp commented 5 years ago

Any update for this?

ManigandanRaamanathan commented 4 years ago

@kamalyzl any update?

pratikg711 commented 4 years ago

Any update?

stale[bot] commented 4 years ago

Hey there, it looks like there has been no activity on this issue recently. Has the issue been fixed, or does it still require the community's attention? This issue may be closed if no further activity occurs. You may also label this issue as a "Discussion" or add it to the "Backlog" and I will leave it open. Thank you for your contributions.

stale[bot] commented 4 years ago

Closing this issue after a prolonged period of inactivity. If this issue is still present in the latest release, please feel free to create a new issue with up-to-date information.

annkiitagrawaal-gep commented 3 years ago

Any updates on this?

sambheaduplabs commented 3 years ago

I've also had this issue.

yogendrajs commented 3 years ago

Hey everyone, any updates on this?

matteodanelli commented 3 years ago

Hello everyone, any updates on this? It's blocking my release.

abarisic86 commented 3 years ago

Is it maybe related to the RN version? I can see that the initial post is RN 0.58 and maybe it was fixed later?

@mayurssoni2456 @ebiba-dp @ManigandanRaamanathan @pratikg711 @annkiitagrawaal-gep @sambheaduplabs @yogendrajs @matteodanelli Can you help by posting your version with react-native info? Or maybe you already resolved this somehow?

matteodanelli commented 3 years ago

In my case

```
react: 16.13.1 => 16.13.1
react-native: 0.63.4 => 0.63.4
```

Not solved yet.

yogendrajs commented 3 years ago

My configuration

"react": "17.0.1",
"react-native": "0.64.2"

Have used Appdome to resolve this issue.

AmorimRob commented 2 years ago

Any update? Same problem here

Reported by MobSF tool

cemocanon commented 2 years ago

Hey everyone, any updates on this?

thitoo-yf commented 1 year ago

Any update on this? We have faced this issue after scanning with MobSF.

tkud04 commented 1 year ago

Any update on this? We are facing a similar issue on React Native 0.70.5

sebastianpenamatrix commented 1 year ago

Hi @yogendrajs, can you share how you used Appdome to solve this issue, please?

yogendrajs commented 1 year ago

Yeah, you’ll have to buy a plan from Appdome, and the rest are the steps on their portal to get your app wrapped up with their security features.

HannahCarney commented 4 months ago

Has this been fixed?