Provide a way to avoid weak linked dylib libraries

[Oxoproline]

Why is it issue

Our ios app must pass penetration testing. As part of the procedure they found three weakly linked DYLIB libraries. This can be used to so called "Dylib hijacking". For details see: https://www.virusbulletin.com/virusbulletin/2015/03/dylib-hijacking-os-x

Background infromation

I tried to play with project and build settings, going thru documentation and playing with mtouch. But with no luck so far.

I noticed similair line in the build log of multiple apps:

        /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/clang++ -framework Security -framework SafariServices -framework OpenGLES -framework MediaPlayer -framework ImageIO -framework GLKit -framework CoreText -framework CoreSpotlight -framework CoreLocation -framework CoreGraphics -framework QuartzCore -framework AudioToolbox -framework WebKit -framework UIKit -framework Foundation -framework CoreVideo -framework CoreMedia -framework AVKit -framework AVFoundation -framework AuthenticationServices -framework CoreTelephony -framework SystemConfiguration -weak_framework CoreFoundation -weak_framework CFNetwork -weak_framework GSS /Users/fmokry001/Documents/Repositories/coutts-ios-app/meetingrecording.iOS/obj/iPhone/Release/mtouch-cache/arm64/registrar.o /Users/fmokry001/Documents/Repositories/coutts-ios-app/meetingrecording.iOS/obj/iPhone/Release/mtouch-cache/arm64/main.o /Users/fmokry001/Documents/Repositories/coutts-ios-app/meetingrecording.iOS/obj/iPhone/Release/mtouch-cache/arm64/meetingrecording.iOS.exe.o /Users/fmokry001/Documents/Repositories/coutts-ios-app/meetingrecording.iOS/obj/iPhone/Release/mtouch-cache/arm64/mscorlib.dll.o /Users/fmokry001/Documents/Repositories/coutts-ios-app/meetingrecording.iOS/obj/iPhone/Release/mtouch-cache/arm64/Xamarin.Forms.Core.dll.o /Users/fmokry001/Documents/Repositories/coutts-ios-app/meetingrecording.iOS/obj/iPhone/Release/mtouch-cache/arm64/System.Core.dll.o /Users/fmokry001/Documents/Repositories/coutts-ios-app/meetingrecording.iOS/obj/iPhone/Release/mtouch-cache/arm64/System.dll.o /Users/fmokry001/Documents/Repositories/coutts-ios-app/meetingrecording.iOS/obj/iPhone/Release/mtouch-cache/arm64/Mono.Security.dll.o /Users/fmokry001/Documents/Repositories/coutts-ios-app/meetingrecording.iOS/obj/iPhone/Release/mtouch-cache/arm64/System.Xml.dll.o /Users/fmokry001/Documents/Repositories/coutts-ios-app/meetingrecording.iOS/obj/iPhone/Release/mtouch-cache/arm64/System.Numerics.dll.o /Users/fmokry001/Documents/Repositories/coutts-ios-app/meetingrecording.iOS/obj/iPhone/Release/mtouch-cache/arm64/System.Data.dll.o /Users/fmokry001/Documents/Repositories/coutts-ios-app/meetingrecording.iOS/obj/iPhone/Release/mtouch-cache/arm64/System.Drawing.Common.dll.o /Users/fmokry001/Documents/Repositories/coutts-ios-app/meetingrecording.iOS/obj/iPhone/Release/mtouch-cache/arm64/System.Net.Http.dll.o /Users/fmokry001/Documents/Repositories/coutts-ios-app/meetingrecording.iOS/obj/iPhone/Release/mtouch-cache/arm64/Xamarin.iOS.dll.o /Users/fmokry001/Documents/Repositories/coutts-ios-app/meetingrecording.iOS/obj/iPhone/Release/mtouch-cache/arm64/System.Runtime.Serialization.dll.o /Users/fmokry001/Documents/Repositories/coutts-ios-app/meetingrecording.iOS/obj/iPhone/Release/mtouch-cache/arm64/System.ServiceModel.Internals.dll.o /Users/fmokry001/Documents/Repositories/coutts-ios-app/meetingrecording.iOS/obj/iPhone/Release/mtouch-cache/arm64/System.Web.Services.dll.o /Users/fmokry001/Documents/Repositories/coutts-ios-app/meetingrecording.iOS/obj/iPhone/Release/mtouch-cache/arm64/System.Xml.Linq.dll.o /Users/fmokry001/Documents/Repositories/coutts-ios-app/meetingrecording.iOS/obj/iPhone/Release/mtouch-cache/arm64/Xamarin.Forms.Platform.dll.o /Users/fmokry001/Documents/Repositories/coutts-ios-app/meetingrecording.iOS/obj/iPhone/Release/mtouch-cache/arm64/Xamarin.Forms.Platform.iOS.dll.o /Users/fmokry001/Documents/Repositories/coutts-ios-app/meetingrecording.iOS/obj/iPhone/Release/mtouch-cache/arm64/meetingrecording.dll.o /Users/fmokry001/Documents/Repositories/coutts-ios-app/meetingrecording.iOS/obj/iPhone/Release/mtouch-cache/arm64/Xamarin.Forms.Xaml.dll.o /Users/fmokry001/Documents/Repositories/coutts-ios-app/meetingrecording.iOS/obj/iPhone/Release/mtouch-cache/arm64/SegmentedControl.FormsPlugin.Abstractions.dll.o /Users/fmokry001/Documents/Repositories/coutts-ios-app/meetingrecording.iOS/obj/iPhone/Release/mtouch-cache/arm64/Plugin.AudioRecorder.dll.o /Users/fmokry001/Documents/Repositories/coutts-ios-app/meetingrecording.iOS/obj/iPhone/Release/mtouch-cache/arm64/BouncyCastle.Crypto.dll.o /Users/fmokry001/Documents/Repositories/coutts-ios-app/meetingrecording.iOS/obj/iPhone/Release/mtouch-cache/arm64/Xamarin.Essentials.dll.o /Users/fmokry001/Documents/Repositories/coutts-ios-app/meetingrecording.iOS/obj/iPhone/Release/mtouch-cache/arm64/OpenTK-1.0.dll.o /Users/fmokry001/Documents/Repositories/coutts-ios-app/meetingrecording.iOS/obj/iPhone/Release/mtouch-cache/arm64/Newtonsoft.Json.dll.o /Users/fmokry001/Documents/Repositories/coutts-ios-app/meetingrecording.iOS/obj/iPhone/Release/mtouch-cache/arm64/SegmentedControl.FormsPlugin.iOS.dll.o /Users/fmokry001/Documents/Repositories/coutts-ios-app/meetingrecording.iOS/obj/iPhone/Release/mtouch-cache/arm64/Microsoft.AppCenter.Analytics.dll.o /Users/fmokry001/Documents/Repositories/coutts-ios-app/meetingrecording.iOS/obj/iPhone/Release/mtouch-cache/arm64/Microsoft.AppCenter.dll.o /Users/fmokry001/Documents/Repositories/coutts-ios-app/meetingrecording.iOS/obj/iPhone/Release/mtouch-cache/arm64/Microsoft.AppCenter.iOS.Bindings.dll.o /Users/fmokry001/Documents/Repositories/coutts-ios-app/meetingrecording.iOS/obj/iPhone/Release/mtouch-cache/arm64/Microsoft.AppCenter.Analytics.iOS.Bindings.dll.o /Users/fmokry001/Documents/Repositories/coutts-ios-app/meetingrecording.iOS/obj/iPhone/Release/mtouch-cache/arm64/Microsoft.AppCenter.Crashes.dll.o /Users/fmokry001/Documents/Repositories/coutts-ios-app/meetingrecording.iOS/obj/iPhone/Release/mtouch-cache/arm64/Microsoft.AppCenter.Crashes.iOS.Bindings.dll.o /Users/fmokry001/Documents/Repositories/coutts-ios-app/meetingrecording.iOS/obj/iPhone/Release/mtouch-cache/AppCenter.a /Users/fmokry001/Documents/Repositories/coutts-ios-app/meetingrecording.iOS/obj/iPhone/Release/mtouch-cache/AppCenterAnalytics.a /Library/Frameworks/Xamarin.iOS.framework/Versions/13.18.3.2/SDKs/MonoTouch.iphoneos.sdk/usr/lib/libmonosgen-2.0.a /Library/Frameworks/Xamarin.iOS.framework/Versions/13.18.3.2/SDKs/MonoTouch.iphoneos.sdk/usr/lib/libxamarin.a /Library/Frameworks/Xamarin.iOS.framework/Versions/13.18.3.2/SDKs/MonoTouch.iphoneos.sdk/usr/lib/libmono-native-unified.a -force_load /Users/fmokry001/Documents/Repositories/coutts-ios-app/meetingrecording.iOS/obj/iPhone/Release/mtouch-cache/AppCenterCrashes.a -force_load /Library/Frameworks/Xamarin.iOS.framework/Versions/13.18.3.2/SDKs/MonoTouch.iphoneos.sdk/usr/lib/libapp.a -lsqlite3 -lc++ -Wl,-pie -arch arm64 -miphoneos-version-min=12.0 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS13.6.sdk -lz -liconv -lz -o /Users/fmokry001/Documents/Repositories/coutts-ios-app/meetingrecording.iOS/obj/iPhone/Release/mtouch-cache/arm64/meetingrecording.iOS -u _xamarin_find_protocol_wrapper_type -u _xamarin_release_block_on_main_thread -u _xamarin_get_block_descriptor -u _xamarin_IntPtr_objc_msgSend_IntPtr -u _xamarin_IntPtr_objc_msgSendSuper_IntPtr -u _UIApplicationMain

There are specified the three problematic libraries with -weak_framework

I think this command has to be modified to change linking behavior, but I have not found a way how to do it or even if there is a way.

Steps to Reproduce

Build xamarin ios app and examine appName.ios bundle with otool using -L command and path to appName.iOS

some of the frameworks are linked using LC_LOAD_WEAK_DYLIB instead of LC_LOAD_DYLIB in my case this is the export from otool:

    /System/Library/Frameworks/Security.framework/Security (compatibility version 1.0.0, current version 59306.142.1)
    /System/Library/Frameworks/SafariServices.framework/SafariServices (compatibility version 1.0.0, current version 1.0.0)
    /System/Library/Frameworks/OpenGLES.framework/OpenGLES (compatibility version 1.0.0, current version 1.0.0)
    /System/Library/Frameworks/MediaPlayer.framework/MediaPlayer (compatibility version 1.0.0, current version 1.0.0)
    /System/Library/Frameworks/ImageIO.framework/ImageIO (compatibility version 1.0.0, current version 0.0.0)
    /System/Library/Frameworks/GLKit.framework/GLKit (compatibility version 1.0.0, current version 106.0.0)
    /System/Library/Frameworks/CoreText.framework/CoreText (compatibility version 1.0.0, current version 1.0.0)
    /System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlight (compatibility version 1.0.0, current version 1.0.0)
    /System/Library/Frameworks/CoreLocation.framework/CoreLocation (compatibility version 1.0.0, current version 2394.0.33)
    /System/Library/Frameworks/CoreGraphics.framework/CoreGraphics (compatibility version 64.0.0, current version 1355.22.0)
    /System/Library/Frameworks/QuartzCore.framework/QuartzCore (compatibility version 1.2.0, current version 1.11.0)
    /System/Library/Frameworks/AudioToolbox.framework/AudioToolbox (compatibility version 1.0.0, current version 1000.0.0)
    /System/Library/Frameworks/WebKit.framework/WebKit (compatibility version 1.0.0, current version 609.3.5)
    /System/Library/Frameworks/UIKit.framework/UIKit (compatibility version 1.0.0, current version 61000.0.0)
    /System/Library/Frameworks/Foundation.framework/Foundation (compatibility version 300.0.0, current version 1677.104.0)
    /System/Library/Frameworks/CoreVideo.framework/CoreVideo (compatibility version 1.2.0, current version 1.5.0)
    /System/Library/Frameworks/CoreMedia.framework/CoreMedia (compatibility version 1.0.0, current version 1.0.0)
    /System/Library/Frameworks/AVKit.framework/AVKit (compatibility version 1.0.0, current version 1.0.0)
    /System/Library/Frameworks/AVFoundation.framework/AVFoundation (compatibility version 1.0.0, current version 2.0.0)
    /System/Library/Frameworks/AuthenticationServices.framework/AuthenticationServices (compatibility version 1.0.0, current version 609.3.5)
    /System/Library/Frameworks/CoreTelephony.framework/CoreTelephony (compatibility version 1.0.0, current version 0.0.0)
    /System/Library/Frameworks/SystemConfiguration.framework/SystemConfiguration (compatibility version 1.0.0, current version 1061.140.1)
    /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation (compatibility version 150.0.0, current version 1677.104.0, weak)
    /System/Library/Frameworks/CFNetwork.framework/CFNetwork (compatibility version 1.0.0, current version 0.0.0, weak)
    /System/Library/Frameworks/GSS.framework/GSS (compatibility version 1.0.0, current version 1.0.0, weak)
    /usr/lib/libsqlite3.dylib (compatibility version 9.0.0, current version 308.5.0)
    /usr/lib/libc++.1.dylib (compatibility version 1.0.0, current version 902.0.0)
    /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.11)
    /usr/lib/libiconv.2.dylib (compatibility version 7.0.0, current version 7.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1281.100.1)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)

problematic are CoreFoundation, CFNetwork, GSS

Expected Behavior

Provide option to explicitly specify linking behavior.

Actual Behavior

There is no way how to modify clang++ command.

Environment

=== Visual Studio Enterprise 2019 for Mac ===

Version 8.6.8 (build 2)
Installation UUID: 16b1ec2a-b1c1-43dd-b190-52f0dffc0ae7
    GTK+ 2.24.23 (Raleigh theme)
    Xamarin.Mac 6.18.0.23 (d16-6 / 088c73638)

    Package version: 610000106

=== Mono Framework MDK ===

Runtime:
    Mono 6.10.0.106 (2019-12/77769615db1) (64-bit)
    Package version: 610000106

=== Roslyn (Language Service) ===

3.6.0-3.20210.9+4eafdcb1bcbd8d3573f2ba6065e56d9b9ce4f8a3

=== NuGet ===

Version: 5.6.0.6591

=== .NET Core SDK ===

SDK: /usr/local/share/dotnet/sdk/3.1.302/Sdks
SDK Versions:
    3.1.302
    3.1.300
    3.1.200
    3.1.102
    3.1.101
    3.1.100
    3.0.101
    3.0.100
    3.0.100-preview8-013656
    2.2.300
    2.2.107
    2.2.101
    2.1.505
    2.1.302
    2.1.4
MSBuild SDKs: /Library/Frameworks/Mono.framework/Versions/6.10.0/lib/mono/msbuild/Current/bin/Sdks

=== .NET Core Runtime ===

Runtime: /usr/local/share/dotnet/dotnet
Runtime Versions:
    3.1.6
    3.1.4
    3.1.2
    3.1.1
    3.1.0
    3.0.1
    3.0.0
    3.0.0-preview8-28405-07
    2.2.5
    2.2.0
    2.1.20
    2.1.18
    2.1.17
    2.1.16
    2.1.15
    2.1.14
    2.1.13
    2.1.9
    2.1.2
    2.0.5

=== Xamarin.Profiler ===

Version: 1.6.15.68
Location: /Applications/Xamarin Profiler.app/Contents/MacOS/Xamarin Profiler

=== Updater ===

Version: 11

=== Apple Developer Tools ===

Xcode 11.6 (16141)
Build 11E708

=== Xamarin.Mac ===

Version: 6.18.3.2 (Visual Studio Enterprise)
Hash: ce0cc74a3
Branch: d16-6-xcode11.6
Build date: 2020-07-16 18:15:27-0400

=== Xamarin.iOS ===

Version: 13.18.3.2 (Visual Studio Enterprise)
Hash: ce0cc74a3
Branch: d16-6-xcode11.6
Build date: 2020-07-16 18:15:27-0400

=== Xamarin Designer ===

Version: 16.6.0.329
Hash: d4f8bcd13
Branch: remotes/origin/d16-6
Build date: 2020-04-24 02:16:02 UTC

=== Xamarin.Android ===

Version: 10.3.1.4 (Visual Studio Enterprise)
Commit: xamarin-android/d16-6/3a10de9
Android SDK: /Users/fmokry001/Library/Developer/Xamarin/android-sdk-macosx
    Supported Android versions:
        4.4 (API level 19)
        7.0 (API level 24)
        7.1 (API level 25)
        8.0 (API level 26)
        8.1 (API level 27)

SDK Tools Version: 26.1.1
SDK Platform Tools Version: 29.0.5
SDK Build Tools Version: 29.0.2

Build Information: 
Mono: 165f4b0
Java.Interop: xamarin/java.interop/d16-6@2cab35c
ProGuard: xamarin/proguard/master@905836d
SQLite: xamarin/sqlite/3.31.1@49232bc
Xamarin.Android Tools: xamarin/xamarin-android-tools/d16-6@bfb66f3

=== Microsoft OpenJDK for Mobile ===

Java SDK: /Users/fmokry001/Library/Developer/Xamarin/jdk/microsoft_dist_openjdk_8.0.25
1.8.0-25
Android Designer EPL code available here:
https://github.com/xamarin/AndroidDesigner.EPL

=== Android SDK Manager ===

Version: 16.6.0.50
Hash: 5901879
Branch: remotes/origin/d16-6
Build date: 2020-06-10 22:42:50 UTC

=== Android Device Manager ===

Version: 16.6.0.96
Hash: 6e8b80b
Branch: remotes/origin/d16-6
Build date: 2020-06-10 22:43:28 UTC

=== Build Information ===

Release ID: 806080002
Git revision: e999e2934e8c771fdf6494b80361dacef9427565
Build date: 2020-07-24 15:17:52-04
Build branch: release-8.6
Xamarin extensions: e999e2934e8c771fdf6494b80361dacef9427565

=== Operating System ===

Mac OS X 10.15.6
Darwin 19.6.0 Darwin Kernel Version 19.6.0
    Sun Jul  5 00:43:10 PDT 2020
    root:xnu-6153.141.1~9/RELEASE_X86_64 x86_64

=== Enabled user installed extensions ===

DeepClean 1.2.5
Stack Overflow Search 0.7.1
XAML Styler 2.0.1
MFractor 4.2.3
NuGet Package Management Extensions 0.20
MvvmCross Template pack 2.1.0

Build Logs

https://gist.github.com/Oxoproline/425559cd87fcf421f131a66f24fcccbb

[rolfbjarne]

You're building an iOS app, and that article refers to macOS (OS X) apps, which means it doesn't apply because:

• On iOS every app is in its own sandbox. This means that each app can only load dynamic libraries from either the system, or its own app bundle, but nowhere else.
• The system is not writeable for any app, thus it's not possible to inject a malicious dynamic library there.
• The app bundle is restricted in that executable code can only be placed in a few specific directories (such as the Frameworks subdirectory), and that location is not writeable either (not even for the app itself). The dynamic library loader will refuse to load dynamic libraries from anywhere else (this means that it's not possible to download a dynamic library and execute it). Thus there's no way to inject a malicious dynamic library into the app either after it's been installed.
• If someone could inject a malicious dynamic library into the app before it's published to the app store, you'd have a much worse problem on your hands, because then the entire app bundle would be compromised.

The end result is that weakly linked libraries is not a security issue on iOS.

That being said, there's no reason for these frameworks to be weakly linked, and that will be fixed (CoreFoundation and GSS will be fixed in PR #9338, CFNetwork has already been fixed).