Libraries found in the app were not compiled using ARC, a free feature of Objective-C and Swift.
Enabling it has no discernable downsides, and prevents memory corruption attacks such as object-use-after-free exploits.
If those exploits are possible, attackers can potentially gain access to a wide variety of information and access with potentially severe consequences.
Evaluation Criteria
This is a warning because the components in question may be outside of your control.
The context table below should be checked and if libraries that can be controlled are listed it should be considered a vulnerability and remediated.
Steps to Reproduce
This check examines the compiled binary for libraries that do not have Automatic Reference Counting (ARC) enabled.
Business Impact
This app has components that do not protect against a specific type of attack that can expose the app to an attacker performing custom actions. These custom actions could potentially give them access to sensitive information from the app or the device.
Remediation Resources
All newer apps will have ARC enabled by default.
However, if it has become disabled you can go to the Build Settings for the App and make sure that "Objective-C Automatic Reference Counting" is set to YES.
It may be necessary to migrate existing projects to ARC with the Refactoring tool provided by Apple in Xcode that helps the developer in the process.
This will enable automatic memory management in your app as described in the
iOS Developer Library.
Finding Description
Libraries found in the app were not compiled using ARC, a free feature of Objective-C and Swift. Enabling it has no discernable downsides, and prevents memory corruption attacks such as object-use-after-free exploits. If those exploits are possible, attackers can potentially gain access to a wide variety of information and access with potentially severe consequences.
Evaluation Criteria
This is a warning because the components in question may be outside of your control. The context table below should be checked and if libraries that can be controlled are listed it should be considered a vulnerability and remediated.
Steps to Reproduce
This check examines the compiled binary for libraries that do not have Automatic Reference Counting (ARC) enabled.
Business Impact
This app has components that do not protect against a specific type of attack that can expose the app to an attacker performing custom actions. These custom actions could potentially give them access to sensitive information from the app or the device.
Remediation Resources
All newer apps will have ARC enabled by default. However, if it has become disabled you can go to the Build Settings for the App and make sure that "Objective-C Automatic Reference Counting" is set to YES. It may be necessary to migrate existing projects to ARC with the Refactoring tool provided by Apple in Xcode that helps the developer in the process. This will enable automatic memory management in your app as described in the iOS Developer Library.
Risk and Regulatory Information
Severity: low CVSS: 1.6
Application
See more detail in the NowSecure Report