facebook / react-native

A framework for building native applications using React
https://reactnative.dev
MIT License

App security test reports Insecure API for React Native iOS App - Binary Analysis (IPA) #30494

Open annkiitagrawaal-gep opened 3 years ago

annkiitagrawaal-gep commented 3 years ago


Description

• Binary make use of malloc Function
The binary can use the malloc function instead of calloc. This is the result of a static analysis of the IPA file of an iOS-based application

React Native version:

System:
  OS: macOS Mojave 10.14.5
  CPU: (12) x64 Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz
  Memory: 273.91 MB / 16.00 GB
  Shell: 3.2.57 - /bin/bash
Binaries:
  Node: 12.8.0 - /usr/local/bin/node
  Yarn: Not Found
  npm: 6.10.2 - /usr/local/bin/npm
  Watchman: 4.9.0 - /usr/local/bin/watchman
Managers:
  CocoaPods: 1.9.1 - /usr/local/bin/pod
SDKs:
  iOS SDK:
    Platforms: iOS 12.4, macOS 10.14, tvOS 12.4, watchOS 5.3
  Android SDK:
    API Levels: 23, 24, 25, 26, 27, 28, 29
    Build Tools: 28.0.3, 29.0.2, 29.0.3
    System Images: android-28 | Google Play Intel x86 Atom, android-29 | Google APIs Intel x86 Atom
    Android NDK: Not Found
IDEs:
  Android Studio: 3.4 AI-183.6156.11.34.5692245
  Xcode: 10.3/10G8 - /usr/bin/xcodebuild
Languages:
  Java: 1.8.0_221 - /usr/bin/javac
  Python: 2.7.10 - /usr/bin/python
npmPackages:
  @react-native-community/cli: Not Found
  react: 16.11.0 => 16.11.0
  react-native: 0.62.2 => 0.62.2
  react-native-macos: Not Found
npmGlobalPackages:
  react-native: Not Found

react-native-cli: 2.0.1
react-native: 0.62.2

Expected Results

How could you change the variables found by those suggested by Apple from React Native?


The issue has been raised by a client and is being considered as a High priority vulnerability.

annkiitagrawaal-gep commented 3 years ago

Hi @react-native-bot Any updates on this?

annkiitagrawaal-gep commented 3 years ago

The client has raised this as a high priority issue. Security teams want a resolution at the earliest. Need some help here:

https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/BufferOverflows.html#//apple_ref/doc/uid/TP40002577-SW1
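The finding behind this thread flags the presence of malloc and recommends calloc, and the Apple guide linked above describes the underlying risk: a buffer sized by an unchecked count-times-size multiplication can wrap around and end up far smaller than the code assumes, so later writes overflow it. The example below is added here and is not code from React Native or from anyone in this thread. It shows that wrap in the naive malloc pattern next to a hardened allocator that refuses wrapped sizes and returns zero-filled memory. The function names are constructed for illustration, and the sample sizes are chosen so the product wraps on both 32-bit and 64-bit targets.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Bytes actually requested by the naive malloc(count * elem_size) pattern.
 * The product is computed in size_t and silently wraps modulo SIZE_MAX + 1. */
size_t naive_request_bytes(size_t count, size_t elem_size) {
    return count * elem_size;
}

/* 1 if count * elem_size cannot be represented in size_t, else 0. */
int alloc_size_wraps(size_t count, size_t elem_size) {
    return elem_size != 0 && count > SIZE_MAX / elem_size;
}

/* Hardened allocation (constructed helper): refuse wrapped sizes explicitly,
 * then use calloc so the memory comes back zero-filled. Mainstream libcs
 * (glibc, Apple's libmalloc) already check the multiplication inside calloc,
 * but the explicit check keeps the intent visible in code review. */
void *checked_array_alloc(size_t count, size_t elem_size) {
    if (alloc_size_wraps(count, elem_size)) return NULL;
    return calloc(count, elem_size);
}

/* Allocate with the naive pattern and report whether the caller got a buffer
 * that is smaller than it believes it requested. Frees before returning.
 * Returns 1 when the allocation succeeded on a wrapped size, which is the
 * latent overflow the scanner finding warns about. */
int naive_alloc_is_undersized(size_t count, size_t elem_size) {
    size_t requested = naive_request_bytes(count, elem_size);
    unsigned char *p = malloc(requested);
    int undersized = (p != NULL) && alloc_size_wraps(count, elem_size);
    free(p);
    return undersized;
}

/* Count non-zero bytes in a checked allocation of `count` uint32_t values
 * and free it. Returns -1 when the allocation is refused; 0 means the buffer
 * arrived fully initialised, unlike a malloc'd one whose contents are garbage. */
long nonzero_bytes_in_checked_alloc(size_t count) {
    unsigned char *p = checked_array_alloc(count, sizeof(uint32_t));
    if (p == NULL) return -1;
    long n = 0;
    for (size_t i = 0; i < count * sizeof(uint32_t); i++) n += (p[i] != 0);
    free(p);
    return n;
}

int main(void) {
    /* Constructed sample: SIZE_MAX/8 + 2 elements of 8 bytes wraps to 8 bytes. */
    size_t huge = SIZE_MAX / 8 + 2;
    printf("naive request wraps to %zu bytes\n", naive_request_bytes(huge, 8));
    printf("naive malloc succeeded on wrapped size: %d\n", naive_alloc_is_undersized(huge, 8));
    printf("checked alloc refused: %s\n", checked_array_alloc(huge, 8) == NULL ? "yes" : "no");
    printf("non-zero bytes after calloc of 1024 ints: %ld\n", nonzero_bytes_in_checked_alloc(1024));
    return 0;
}
```

A scanner that keys on the symbol alone cannot tell whether any call site computes its size unsafely; the severity of the finding is settled by reviewing how the native code the app links actually computes the sizes it passes to malloc, and by the mitigations in the linked guide (overflow-checked sizing and, where zeroed memory matters, calloc).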

jarnakantaria-gep commented 3 years ago

Hi,

Please let us know if there's any specific reason for using malloc; we are facing a similar issue as well. Thank you.

Manikanta-GEP commented 3 years ago

Hi, Any update on this issue?

dulmandakh commented 3 years ago

Could you please check if issue persists on latest version or 0.63.x. Thanks

annkiitagrawaal-gep commented 3 years ago

Hi @dulmandakh , Thanks for your reply.

The scan was done by a client using MobSF. We cannot go back to them without confirmation that the issue does not exist in 0.63.x. Also, upgrading to a higher version generally leads to breaking changes and bugs and is at least a 2-3 sprint job. Hence, I request that you confirm whether the above issue is fixed in 0.63.x so that we can plan the same and pick it up at the earliest.

annkiitagrawaal-gep commented 3 years ago

Hi @dulmandakh

Please let me know if there are any updates on this. As I mentioned we cannot move to react native version 0.63 without confirmation that the issue is resolved in the said version.

shaikhaffan commented 3 years ago

Hi @annkiitagrawaal-gep, I am also facing a similar problem where the security team is reporting similar security issues.

ghost commented 3 years ago

Hi @annkiitagrawaal-gep, I'm also facing this problem, any update on this?

annkiitagrawaal-gep commented 3 years ago

> Hi @annkiitagrawaal-gep, I'm also facing this problem, any update on this?

No @JaysonTeano, no updates from the React Native team on this. There was just one reply from @dulmandakh on the 17th of Jan which does not confirm but asks us to verify on 0.63.x.

cristiancristache1 commented 3 years ago

Any updates on this issue?

yogendrajs commented 3 years ago

> > Hi @annkiitagrawaal-gep, I'm also facing this problem, any update on this?
>
> No @JaysonTeano, no updates from the React Native team on this. There was just one reply from @dulmandakh on the 17th of Jan which does not confirm but asks us to verify on 0.63.x.

Hey guys, I've scanned my app in MobSF at RN v0.64.2, but this issue still persists. Any workaround for this?

stale[bot] commented 2 years ago

Hey there, it looks like there has been no activity on this issue recently. Has the issue been fixed, or does it still require the community's attention? This issue may be closed if no further activity occurs. You may also label this issue as a "Discussion" or add it to the "Backlog" and I will leave it open. Thank you for your contributions.

encosw commented 2 years ago

> > > Hi @annkiitagrawaal-gep, I'm also facing this problem, any update on this?
> >
> > No @JaysonTeano, no updates from the React Native team on this. There was just one reply from @dulmandakh on the 17th of Jan which does not confirm but asks us to verify on 0.63.x.
>
> Hey guys, I've scanned my app in MobSF at RN v0.64.2, but this issue still persists. Any workaround for this?

Scanned with RN v0.67.2 but still reporting these issues. Any solution? @dulmandakh

guncebektas commented 2 years ago

We are still getting it with RN 0.68. The security team is considering the issue as a High priority vulnerability. Is anyone working on it? Thanks.

GirishVC86 commented 2 years ago

Any update on this issue? The security vulnerability still persists.

paul-castro commented 2 years ago

Any update?

yogendrajs commented 2 years ago

Nope

mlev commented 1 year ago

We are still seeing this issue with our Expo app with React Native 0.70.5 and raised as high severity during the app security review.

Issue: Binary makes use of malloc function
Severity: High
Description: The binary may use _malloc function instead of calloc

Has anyone found a way to get rid of this vulnerability?

Note - we also get a related issue "Binary makes use of insecure API(s)", which is mentioned in this closed issue https://github.com/facebook/react-native/issues/25414 - but again no fix outlined.

yogendrajs commented 1 year ago

Using Appdome.com for the same in the app

mlev commented 1 year ago

Ok thanks @yogendrajs - can you explain a little? Do you run appdome against your existing app binaries and then the result passes the MobSF analysis. Or are you using appdome as a replacement for MobSF?

yogendrajs commented 1 year ago

Appdome is another platform which does something internally with your app binaries (kinda security layer) and then provides you with the updated build either apk or ipa and then you can use that apk/ipa in MobSF to get your analysis done.


thitoo-yf commented 1 year ago
[Screenshot of the MobSF report, 2023-01-02]

How can I resolve this issue from the native code? I have used MobSF and got the report.

MskShahrukh commented 1 year ago

Seems like there is no resolution to this issue? Facing the same problem; was anyone able to come up with a solution?

Rananjaya commented 1 year ago

Same issue here as well, any solution?

jignesh-joshi commented 1 year ago

I have the same issue. I am using react-native: 0.68.4

Is anyone able to come up with a solution?

chunghn commented 1 year ago

same issue

bhaskardekaraja-techolution commented 9 months ago

Hey guys, facing a similar issue.

[Screenshot of the MobSF report, 2023-12-28]

Is there a way to solve this? Using React Native version 0.72.6.

HannahCarney commented 3 months ago

Same issue using 0.71.13, but upgraded to latest and same issue there too...

sharad-incapsulate commented 2 months ago

Same issue even in "react-native": "0.74.2"

BatDroid commented 2 months ago

any fix gonna happen on this?

popudev commented 1 month ago

Same issue even in "react-native": "0.73.8"