Open omninode opened 3 months ago
Hello @omninode, thanks for reaching out.
This makes it easier for potential attackers to reverse engineer the app
This is not a concern since our SDK is open source, but I do agree we don't need to ship it with debug symbols, in order to save some bytes.
How are you using Sentry (SPM, cocoapods, pre-built framework)?
Stack Canaries
I'm not familiar with this, we need to investigate.
Hi,
on behalf of @omninode, who is on vacation this week: we're using Sentry via SPM.
Kind regards, Steffen
We're gonna investigate if stripping debug symbols has the potential to deteriorate the ability to symbolicate Sentry stack frames.
We're currently not planning to auto-enable stack canaries for all builds. If you want/need to use it, you currently need to build the SDK yourself with the desired compiler flags and settings.
Description
Hello, during the last pen test of our app, the testers noticed that some compiler settings do not comply with best practices.
Debugging symbols: During the compilation process of the app, debugging symbols are not removed. This makes it easier for potential attackers to reverse engineer the app by exposing internal information about the app. To remove debugging symbols, the following 3 options should be set to “Yes” for the release version in the build settings of the Xcode project:
Stack Canaries: The stack canaries are deactivated. This facilitates the use of so-called buffer overflows, with which it is possible to change the behavior of the application at runtime. Using the compiler option -fstack-protector-all activates the stack canaries.
Request: Is there something against completing these pen test recommendations in the release configuration of the SDK?