App security test reports Insecure API for React Native iOS App - Binary Analysis (IPA)

[kamalyzl]

after a static analysis performed on the ipa obtained from the compilation from native react,

• Prohibited binary API (s) The binary may contain the following prohibited APIs _strcpy, _strncat, _strlen, _alloca, _printf, _sscanf, _stat, _memcpy, _fopen, _vsnprintf, _gets.

• Binary makes use of the following weak HASH APIs The binary can use the following weak hash APIs CC_SHA1, CC_MD5.

• Binary make use of the insecure Random Function(s) The binary can use the following unsafe random functions _random.

• Binary make use of malloc Function The binary can use the malloc function instead of calloc.

This is the result of a static analysis of the IPA file of an iOS-based application

Version react info info React Native Environment Info: System: OS: macOS High Sierra 10.13.6 CPU: (4) x64 Intel(R) Core(TM) i5-7267U CPU @ 3.10GHz Memory: 82.13 MB / 8.00 GB Shell: 3.2.57 - /bin/bash Binaries: Node: 8.11.3 - /usr/local/bin/node Yarn: 1.9.4 - /usr/local/bin/yarn npm: 6.9.0 - /usr/local/bin/npm Watchman: 4.9.0 - /usr/local/bin/watchman SDKs: iOS SDK: Platforms: iOS 12.1, macOS 10.14, tvOS 12.1, watchOS 5.1 Android SDK: API Levels: 23, 25, 26, 27, 28 Build Tools: 23.0.1, 26.0.2, 26.0.3, 27.0.3, 28.0.2, 28.0.3 System Images: android-28 | Google Play Intel x86 Atom IDEs: Android Studio: 3.1 AI-173.4907809 Xcode: 10.1/10B61 - /usr/bin/xcodebuild npmPackages: react: 16.8.3 => 16.8.3 react-native: 0.59.8 => 0.59.8

Versions of current libraries. "react-native-android-sms-listener": "^0.7.0", "react-native-calendars": "^1.115.0", "react-native-camera": "^2.7.0", "react-native-contacts": "^4.0.2", "react-native-dotenv": "^0.2.0", "react-native-firebase": "5.3.1", "react-native-gesture-handler": "^1.2.1", "react-native-languages": "^3.0.2", "react-native-maps": "0.24.2", "react-native-qrcode": "^0.2.7", "react-native-share": "^1.1.3", "react-native-snap-carousel": "^3.7.5", "react-native-svg": "^9.4.0", "react-native-swipeout": "^2.3.6", "react-native-view-shot": "^2.6.0", "react-navigation": "3.9.1", "react-redux": "^7.0.3", "readdirp": "^3.0.1", "redux": "^4.0.1", "redux-actions": "^2.6.5", "rn-sliding-up-panel": "^2.2.0", "simple-grep": "0.0.1", "yup": "^0.27.0"

How could you change the variables found by those suggested by apple from react native? https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/BufferOverflows.html#//apple_ref/doc/uid/TP40002577-SW1

Thanks

[react-native-bot]

Can you run react-native info and edit your issue to include these results under the React Native version: section?

If you believe this information is irrelevant to the reported issue, you may write `[skip envinfo]` alongside an explanation in your Environment: section.

[kamalyzl]

@react-native-bot ready

[Zahikusa]

I have a very similar problem after running a scan on my .ipa file. Below is my 'react-native info' output:

React Native Environment Info: System: OS: macOS High Sierra 10.13.6 CPU: (8) x64 Intel(R) Core(TM) i7-4870HQ CPU @ 2.50GHz Memory: 6.69 GB / 16.00 GB Shell: 3.2.57 - /bin/bash Binaries: Node: 11.8.0 - /usr/local/bin/node npm: 6.7.0 - /usr/local/bin/npm Watchman: 4.9.0 - /usr/local/bin/watchman SDKs: iOS SDK: Platforms: iOS 12.1, macOS 10.14, tvOS 12.1, watchOS 5.1 Android SDK: API Levels: 23, 26, 28 Build Tools: 23.0.1, 26.0.3, 28.0.2 System Images: android-23 | Intel x86 Atom_64, android-23 | Google APIs Intel x86 Atom_64, android-28 | Google APIs Intel x86 Atom IDEs: Xcode: 10.1/10B61 - /usr/bin/xcodebuild npmPackages: react: 16.5.0 => 16.5.0 react-native: https://github.com/expo/react-native/archive/sdk-32.0.0.tar.gz => 0.57.1 npmGlobalPackages: create-react-native-app: 1.0.0 react-native-cli: 2.0.1

Did you already manage to find any solution to this issue @author?

[mayurssoni2456]

Same issue .. any thoughts?

[ghost]

Same this issue, but I used swift -> any thoughts?

[ebiba-dp]

Any update for this?

[ManigandanRaamanathan]

@kamalyzl any update?

[pratikg711]

Any update?

[stale[bot]]

Hey there, it looks like there has been no activity on this issue recently. Has the issue been fixed, or does it still require the community's attention? This issue may be closed if no further activity occurs. You may also label this issue as a "Discussion" or add it to the "Backlog" and I will leave it open. Thank you for your contributions.

[stale[bot]]

Closing this issue after a prolonged period of inactivity. If this issue is still present in the latest release, please feel free to create a new issue with up-to-date information.

[annkiitagrawaal-gep]

Any updates on this?

[sambheaduplabs]

I've also had this issue.

[yogendrajs]

Hey everyone, any updates on this?

[matteodanelli]

Hello everyone, any updates on this? It's blocking my release.

[abarisic86]

Is it maybe related to RN version? I can see that initial post is RN 0.58 and maybe it was fixed later?

@mayurssoni2456 @ebiba-dp @ManigandanRaamanathan @pratikg711 @annkiitagrawaal-gep @sambheaduplabs @yogendrajs @matteodanelli can you help with posting your version with react-native info? or maybe you already resolved this somehow?

[matteodanelli]

in my case

react: 16.13.1 => 16.13.1 
react-native: 0.63.4 => 0.63.4 

Not solved yet.

[yogendrajs]

My configuration

"react": "17.0.1",
"react-native": "0.64.2"

Have used Appdome to resolve this issue.

[AmorimRob]

Any update? Same problem here

Reported by MobSF tool

[cemocanon]

Hey everyone, any updates on this?

[thitoo-yf]

any update on this? we have faced this issue after scanning with MOBSF.

[tkud04]

Any update on this? We are facing a similar issue on React Native 0.70.5

[sebastianpenamatrix]

Hi @yogendrajs can you share how did you use Appdome to solved this issue please?

[yogendrajs]

Yeah, you’ll have to buy a plan from Appdome and rest are the steps on their portal to get your app wrapped up with their security features.

On Fri, 8 Sep 2023 at 02:08, sebastianpenamatrix @.***> wrote:

Hi @yogendrajs https://github.com/yogendrajs can you share how did you use Appdome to solved this issue please?

— Reply to this email directly, view it on GitHub https://github.com/facebook/react-native/issues/25414#issuecomment-1710741425, or unsubscribe https://github.com/notifications/unsubscribe-auth/AKKCYCGW6BI4SJFS3UQXQ73XZIWE5ANCNFSM4H35WBWQ . You are receiving this because you were mentioned.Message ID: @.***>

[HannahCarney]

Has this been fixed?