flutter / flutter

Flutter makes it easy and fast to build beautiful apps for mobile and beyond
https://flutter.dev
BSD 3-Clause "New" or "Revised" License

The empty iOS project carries two security vulnerabilities in the MobSF scan results #128030

Closed git2321231 closed 1 year ago

git2321231 commented 1 year ago

After creating an empty project with Flutter and packaging it into an IPA file, I scanned the IPA with the MobSF security tool, and two high-risk security vulnerabilities were reported:

  1. Binary makes use of insecure API(s)
  2. Binary makes use of malloc function

They violate the following standards:

  1. CWE: CWE-676: Use of Potentially Dangerous Function; OWASP Top 10: M7: Client Code Quality; OWASP MASVS: MSTG-CODE-8
  2. CWE: CWE-789: Uncontrolled Memory Allocation; OWASP Top 10: M7: Client Code Quality; OWASP MASVS: MSTG-CODE-8

How can we solve these two problems? My company requires every app we produce to pass the MobSF security scan...

MobSF report Link: https://mobsf.live/static_analyzer_ios/?name=blank_project.ipa&checksum=f395c7607d45a971981b05cd74e307a3&type=ipa#binary_code_analysis

[Screenshot 2023-06-01 16 35 00]

[!] Flutter (Channel master, 3.10.0-6.0.pre.27, on macOS 13.3.1 22E261
    darwin-arm64, locale zh-Hans-CN)
    • Flutter version 3.10.0-6.0.pre.27 on channel master at
      /Users/hanshow/flutter_gitee/Flutter
    ! Upstream repository https://gitee.com/mirrors/Flutter.git is not a
      standard remote.
      Set environment variable "FLUTTER_GIT_URL" to
      https://gitee.com/mirrors/Flutter.git to dismiss this error.
    • Framework revision 2d57261069 (7 weeks ago), 2023-04-15 20:34:24 -0400
    • Engine revision da0805a9cf
    • Dart version 3.1.0 (build 3.1.0-11.0.dev)
    • DevTools version 2.23.1
    • Pub download mirror https://pub.flutter-io.cn
    • Flutter download mirror https://storage.flutter-io.cn
    • If those were intentional, you can disregard the above warnings; however
      it is recommended to use "git" directly to perform update checks and
      upgrades.

[✓] Android toolchain - develop for Android devices (Android SDK version 30.0.3)
    • Android SDK at /Users/hanshow/Library/Android/sdk
    • Platform android-33, build-tools 30.0.3
    • Java binary at: /Users/hanshow/Documents/AndroidStudio/Android
      Studio.app/Contents/jbr/Contents/Home/bin/java
    • Java version OpenJDK Runtime Environment (build
      11.0.15+0-b2043.56-8887301)
    • All Android licenses accepted.

[✓] Xcode - develop for iOS and macOS (Xcode 14.3)
    • Xcode at /Applications/Xcode.app/Contents/Developer
    • Build 14E222b
    • CocoaPods version 1.11.2

[✓] Android Studio (version 4.2)
    • Android Studio at /Applications/Android Studio.app/Contents
    • Flutter plugin can be installed from:
      🔨 https://plugins.jetbrains.com/plugin/9212-flutter
    • Dart plugin can be installed from:
      🔨 https://plugins.jetbrains.com/plugin/6351-dart
    • Java version OpenJDK Runtime Environment (build 11.0.8+10-b944.6916264)

[✓] Android Studio (version 2022.1)
    • Android Studio at /Users/hanshow/Documents/AndroidStudio/Android
      Studio.app/Contents
    • Flutter plugin can be installed from:
      🔨 https://plugins.jetbrains.com/plugin/9212-flutter
    • Dart plugin can be installed from:
      🔨 https://plugins.jetbrains.com/plugin/6351-dart
    • Java version OpenJDK Runtime Environment (build
      11.0.15+0-b2043.56-8887301)

[✓] VS Code (version 1.78.2)
    • VS Code at /Applications/Visual Studio Code.app/Contents
    • Flutter extension version 3.64.0

[✓] Connected device (5 available)
    • PDA (mobile)                • 750422080660                         •
      android-arm64 • Android 10 (API 29)
    • sdk gphone64 arm64 (mobile) • emulator-5554                        •
      android-arm64 • Android 12 (API 31) (emulator)
    • sdk gphone64 arm64 (mobile) • emulator-5556                        •
      android-arm64 • Android 12 (API 31) (emulator)
    • iPhone 14 Pro (mobile)      • 594957A8-F4F6-43F2-A3D4-36C527A8629F • ios
      • com.apple.CoreSimulator.SimRuntime.iOS-16-4 (simulator)
    • iPhone 14 Pro Max (mobile)  • ADA820FC-732B-4F8E-AE71-D449035F4AD6 • ios
      • com.apple.CoreSimulator.SimRuntime.iOS-16-4 (simulator)

danagbemava-nc commented 1 year ago

I see a similar report when I upload a new ipa to the mobsf scanner.

https://mobsf.live/static_analyzer_ios/?name=vulner.ipa&checksum=7e54b298fba3cfef2890e6bf078f3aeb&type=ipa

Labeling based on the report above.

flutter doctor -v

```
[✓] Flutter (Channel stable, 3.10.2, on macOS 13.4 22F66 darwin-arm64, locale en-GB)
    • Flutter version 3.10.2 on channel stable at /Users/nexus/dev/sdks/flutter
    • Upstream repository https://github.com/flutter/flutter.git
    • Framework revision 9cd3d0d9ff (9 days ago), 2023-05-23 20:57:28 -0700
    • Engine revision 90fa3ae28f
    • Dart version 3.0.2
    • DevTools version 2.23.1

[✓] Android toolchain - develop for Android devices (Android SDK version 33.0.0)
    • Android SDK at /Users/nexus/Library/Android/sdk
    • Platform android-33, build-tools 33.0.0
    • Java binary at: /Users/nexus/Library/Application Support/JetBrains/Toolbox/apps/AndroidStudio/ch-0/222.4459.24.2221.9971841/Android Studio.app/Contents/jbr/Contents/Home/bin/java
    • Java version OpenJDK Runtime Environment (build 17.0.6+0-17.0.6b802.4-9586694)
    • All Android licenses accepted.

[✓] Xcode - develop for iOS and macOS (Xcode 14.3)
    • Xcode at /Applications/Xcode-14.3.0.app/Contents/Developer
    • Build 14E222b
    • CocoaPods version 1.12.1

[✓] Chrome - develop for the web
    • Chrome at /Applications/Google Chrome.app/Contents/MacOS/Google Chrome

[✓] Android Studio (version 2022.2)
    • Android Studio at /Users/nexus/Library/Application Support/JetBrains/Toolbox/apps/AndroidStudio/ch-0/222.4459.24.2221.9971841/Android Studio.app/Contents
    • Flutter plugin can be installed from:
      🔨 https://plugins.jetbrains.com/plugin/9212-flutter
    • Dart plugin can be installed from:
      🔨 https://plugins.jetbrains.com/plugin/6351-dart
    • Java version OpenJDK Runtime Environment (build 17.0.6+0-17.0.6b802.4-9586694)

[✓] Android Studio (version 2022.2)
    • Android Studio at /Users/nexus/Library/Application Support/JetBrains/Toolbox/apps/AndroidStudio/ch-0/222.4459.24.2221.9862592/Android Studio.app/Contents
    • Flutter plugin can be installed from:
      🔨 https://plugins.jetbrains.com/plugin/9212-flutter
    • Dart plugin can be installed from:
      🔨 https://plugins.jetbrains.com/plugin/6351-dart
    • Java version OpenJDK Runtime Environment (build 17.0.6+0-17.0.6b802.4-9586694)

[✓] IntelliJ IDEA Ultimate Edition (version 2023.1.2)
    • IntelliJ at /Users/nexus/Applications/JetBrains Toolbox/IntelliJ IDEA Ultimate.app
    • Flutter plugin version 73.1.1
    • Dart plugin version 231.9065

[✓] IntelliJ IDEA Ultimate Edition (version 2023.1.2)
    • IntelliJ at /Users/nexus/Library/Application Support/JetBrains/Toolbox/apps/IDEA-U/ch-0/231.9011.34/IntelliJ IDEA.app
    • Flutter plugin can be installed from:
      🔨 https://plugins.jetbrains.com/plugin/9212-flutter
    • Dart plugin can be installed from:
      🔨 https://plugins.jetbrains.com/plugin/6351-dart

[✓] IntelliJ IDEA Ultimate Edition (version 2023.1.1)
    • IntelliJ at /Users/nexus/Library/Application Support/JetBrains/Toolbox/apps/IDEA-U/ch-0/231.8770.65/IntelliJ IDEA.app
    • Flutter plugin can be installed from:
      🔨 https://plugins.jetbrains.com/plugin/9212-flutter
    • Dart plugin can be installed from:
      🔨 https://plugins.jetbrains.com/plugin/6351-dart

[✓] VS Code (version 1.78.2)
    • VS Code at /Applications/Visual Studio Code.app/Contents
    • Flutter extension version 3.64.0

[✓] Connected device (2 available)
    • macOS (desktop) • macos  • darwin-arm64   • macOS 13.4 22F66 darwin-arm64
    • Chrome (web)    • chrome • web-javascript • Google Chrome 114.0.5735.90

[✓] Network resources
    • All expected network resources are available.

• No issues found!
```

```
[!] Flutter (Channel master, 3.11.0-18.0.pre.57, on macOS 13.4 22F66 darwin-arm64, locale en-GB)
    • Flutter version 3.11.0-18.0.pre.57 on channel master at /Users/nexus/dev/sdks/flutters
    ! Warning: `flutter` on your path resolves to /Users/nexus/dev/sdks/flutter/bin/flutter, which is not inside your current Flutter SDK checkout at /Users/nexus/dev/sdks/flutters. Consider adding /Users/nexus/dev/sdks/flutters/bin to the front of your path.
    ! Warning: `dart` on your path resolves to /Users/nexus/dev/sdks/flutter/bin/dart, which is not inside your current Flutter SDK checkout at /Users/nexus/dev/sdks/flutters. Consider adding /Users/nexus/dev/sdks/flutters/bin to the front of your path.
    • Upstream repository https://github.com/flutter/flutter.git
    • Framework revision 60a87d0798 (2 hours ago), 2023-06-01 21:27:17 -0700
    • Engine revision 3a453f2ccb
    • Dart version 3.1.0 (build 3.1.0-160.0.dev)
    • DevTools version 2.24.0
    • If those were intentional, you can disregard the above warnings; however it is recommended to use "git" directly to perform update checks and upgrades.

[✓] Android toolchain - develop for Android devices (Android SDK version 33.0.0)
    • Android SDK at /Users/nexus/Library/Android/sdk
    • Platform android-33, build-tools 33.0.0
    • Java binary at: /Users/nexus/Library/Application Support/JetBrains/Toolbox/apps/AndroidStudio/ch-0/222.4459.24.2221.9971841/Android Studio.app/Contents/jbr/Contents/Home/bin/java
    • Java version OpenJDK Runtime Environment (build 17.0.6+0-17.0.6b802.4-9586694)
    • All Android licenses accepted.

[✓] Xcode - develop for iOS and macOS (Xcode 14.3)
    • Xcode at /Applications/Xcode-14.3.0.app/Contents/Developer
    • Build 14E222b
    • CocoaPods version 1.12.1

[✓] Chrome - develop for the web
    • Chrome at /Applications/Google Chrome.app/Contents/MacOS/Google Chrome

[✓] Android Studio (version 2022.2)
    • Android Studio at /Users/nexus/Library/Application Support/JetBrains/Toolbox/apps/AndroidStudio/ch-0/222.4459.24.2221.9971841/Android Studio.app/Contents
    • Flutter plugin can be installed from:
      🔨 https://plugins.jetbrains.com/plugin/9212-flutter
    • Dart plugin can be installed from:
      🔨 https://plugins.jetbrains.com/plugin/6351-dart
    • Java version OpenJDK Runtime Environment (build 17.0.6+0-17.0.6b802.4-9586694)

[✓] Android Studio (version 2022.2)
    • Android Studio at /Users/nexus/Library/Application Support/JetBrains/Toolbox/apps/AndroidStudio/ch-0/222.4459.24.2221.9862592/Android Studio.app/Contents
    • Flutter plugin can be installed from:
      🔨 https://plugins.jetbrains.com/plugin/9212-flutter
    • Dart plugin can be installed from:
      🔨 https://plugins.jetbrains.com/plugin/6351-dart
    • Java version OpenJDK Runtime Environment (build 17.0.6+0-17.0.6b802.4-9586694)

[✓] IntelliJ IDEA Ultimate Edition (version 2023.1.2)
    • IntelliJ at /Users/nexus/Applications/JetBrains Toolbox/IntelliJ IDEA Ultimate.app
    • Flutter plugin version 73.1.1
    • Dart plugin version 231.9065

[✓] IntelliJ IDEA Ultimate Edition (version 2023.1.2)
    • IntelliJ at /Users/nexus/Library/Application Support/JetBrains/Toolbox/apps/IDEA-U/ch-0/231.9011.34/IntelliJ IDEA.app
    • Flutter plugin can be installed from:
      🔨 https://plugins.jetbrains.com/plugin/9212-flutter
    • Dart plugin can be installed from:
      🔨 https://plugins.jetbrains.com/plugin/6351-dart

[✓] IntelliJ IDEA Ultimate Edition (version 2023.1.1)
    • IntelliJ at /Users/nexus/Library/Application Support/JetBrains/Toolbox/apps/IDEA-U/ch-0/231.8770.65/IntelliJ IDEA.app
    • Flutter plugin can be installed from:
      🔨 https://plugins.jetbrains.com/plugin/9212-flutter
    • Dart plugin can be installed from:
      🔨 https://plugins.jetbrains.com/plugin/6351-dart

[✓] VS Code (version 1.78.2)
    • VS Code at /Applications/Visual Studio Code.app/Contents
    • Flutter extension version 3.64.0

[✓] Connected device (3 available)
    • Nexus (mobile)  • 00008020-001875E83A38002E • ios            • iOS 16.5 20F66
    • macOS (desktop) • macos                     • darwin-arm64   • macOS 13.4 22F66 darwin-arm64
    • Chrome (web)    • chrome                    • web-javascript • Google Chrome 114.0.5735.90
    ! Error: Nexus is busy: Waiting to connect and unlock the device. Xcode will continue when Nexus is finished. (code -10)

[✓] Network resources
    • All expected network resources are available.

! Doctor found issues in 1 category.
```
mraleph commented 1 year ago

Please refer to https://docs.flutter.dev/reference/security-false-positives

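The two MobSF findings above are produced from the undefined (imported) symbols of each Mach-O image in the IPA, so the quickest way to show an auditor where they come from is to reproduce the check per image: a symbol imported only by `Frameworks/Flutter.framework/Flutter` is engine code shared by every Flutter app, not a call in the app's own sources. The script below is an added example and is not code from this thread, from Flutter, or from MobSF. The `INSECURE_APIS` and `MALLOC_APIS` sets are an assumption approximating the categories MobSF reports (its own rule file is authoritative), and the `nm -u` output embedded for a blank app is constructed sample data, not taken from the reports linked above.

```python
"""Attribute MobSF-style 'insecure API' / 'malloc' findings to Mach-O images.

Workflow on a real IPA (macOS with Xcode command line tools):
  unzip -q app.ipa -d extracted
  then call nm_undefined() on Payload/*.app/<executable> and on every binary
  under Payload/*.app/Frameworks/*.framework/, and pass the results to triage().
"""
import re
import subprocess
from typing import Dict, Iterable, List

# Assumption: an approximation of the libc symbols MobSF groups under
# "Binary makes use of insecure API(s)" (CWE-676) and "malloc function"
# (CWE-789). Extend from MobSF's rule file if your auditor uses a newer build.
INSECURE_APIS = {
    "_alloca", "_gets", "_memcpy", "_printf", "_scanf", "_sprintf", "_sscanf",
    "_strcat", "_strcpy", "_strlen", "_strncat", "_strncpy", "_strtok",
    "_vsprintf", "_vsnprintf", "_wcscpy", "_wcslen",
}
MALLOC_APIS = {"_malloc"}

# Constructed sample of `nm -u` output for the two images of a blank Flutter
# app: the app executable and the engine framework. Illustrative only.
SAMPLE_NM_OUTPUT: Dict[str, str] = {
    "Payload/Runner.app/Runner": """\
_objc_msgSend
_objc_release
_objc_retain
dyld_stub_binder
""",
    "Payload/Runner.app/Frameworks/Flutter.framework/Flutter": """\
_malloc
_free
_memcpy
_strlen
_sprintf
_pthread_mutex_lock
_objc_msgSend
""",
}


def parse_nm_undefined(text: str) -> List[str]:
    """Return symbol names from `nm -u` output; accept both `_sym` and `U _sym` lines."""
    symbols = []
    for line in text.splitlines():
        match = re.match(r"^(?:U\s+)?(\S+)$", line.strip())
        if match:
            symbols.append(match.group(1))
    return symbols


def classify(symbols: Iterable[str]) -> Dict[str, List[str]]:
    """Map each MobSF category to the flagged symbols present in `symbols`."""
    present = set(symbols)
    return {
        "insecure_api": sorted(present & INSECURE_APIS),
        "malloc": sorted(present & MALLOC_APIS),
    }


def triage(nm_by_image: Dict[str, str]) -> Dict[str, Dict[str, List[str]]]:
    """Attribute findings to the image that imports them; images with none are dropped."""
    report = {}
    for image, nm_text in nm_by_image.items():
        findings = classify(parse_nm_undefined(nm_text))
        if any(findings.values()):
            report[image] = findings
    return report


def engine_only(report: Dict[str, Dict[str, List[str]]]) -> bool:
    """True when every finding sits in Flutter.framework, i.e. none comes from app code."""
    return bool(report) and all("Flutter.framework" in image for image in report)


def nm_undefined(binary_path: str, arch: str = "arm64") -> str:
    """Run the real `nm` against one extracted image (requires the Xcode toolchain)."""
    completed = subprocess.run(
        ["nm", "-u", "-arch", arch, binary_path],
        check=True, capture_output=True, text=True,
    )
    return completed.stdout


if __name__ == "__main__":
    result = triage(SAMPLE_NM_OUTPUT)
    for image, findings in result.items():
        print(image)
        for category, syms in findings.items():
            if syms:
                print(f"  {category}: {', '.join(syms)}")
    print("all findings attributable to the engine:", engine_only(result))
```

Because the rule is purely symbol-presence, nothing in the app's Dart or Swift code can make the finding go away; stripping symbols does not remove imports either, since dyld still needs them. What the script gives you is evidence for the exception request: the flagged symbols belong to the engine image, which is exactly the case the linked false-positives page describes. If `engine_only()` returns `False`, the remaining image is where a real review of `strcpy`/`sprintf` usage belongs.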
github-actions[bot] commented 1 year ago

This thread has been automatically locked since there has not been any recent activity after it was closed. If you are still experiencing a similar issue, please open a new bug, including the output of flutter doctor -v and a minimal reproduction of the issue.