lcimeni / youtube


NowSecure static analysis: Not Using Built-in Binary Protection (ARC) Exposes Components to Memory Corruption Attacks #9

Open lcimeni opened 3 years ago

lcimeni commented 3 years ago

Finding Description

Libraries found in the app were not compiled using ARC, a free feature of Objective-C and Swift. Enabling it has no discernible downsides, and prevents memory corruption attacks such as object-use-after-free exploits. If those exploits are possible, attackers can potentially gain access to a wide variety of information and access with potentially severe consequences.

Evaluation Criteria

This is a warning because the components in question may be outside of your control. The context table below should be checked, and if libraries that can be controlled are listed, it should be considered a vulnerability and remediated.

Steps to Reproduce

This check examines the compiled binary for libraries that do not have Automatic Reference Counting (ARC) enabled.

Business Impact

This app has components that do not protect against a specific type of attack that can expose the app to an attacker performing custom actions. These custom actions could potentially give them access to sensitive information from the app or the device.

Remediation Resources

All newer apps will have ARC enabled by default. However, if it has become disabled, you can go to the Build Settings for the App and make sure that "Objective-C Automatic Reference Counting" is set to YES. It may be necessary to migrate existing projects to ARC with the Refactoring tool provided by Apple in Xcode that helps the developer in the process. This will enable automatic memory management in your app as described in the iOS Developer Library.

Risk and Regulatory Information

Severity: low

CVSS: 1.6

Application

See more detail in the NowSecure Report

lcimeni commented 3 years ago

Update: This finding has been marked as ‘Pass’ by Lorenz Cimeni, so no additional action is required.

Powered by NowSecure Platform

lcimeni commented 3 years ago

Update: This finding has been permanently hidden by Lorenz Cimeni, so no additional action is required.
