BranchMetrics/ios-branch-deep-linking-attribution

Insecure source code functions have been used in the binary

HariIDPal opened this issue · 2 comments

Environment
Xcode version: 12.5
Branch Pod version: 1.39.3
Language: Swift

Issue:
We are using the branch for Deep linking in our application.
Our penetration testing team has found that some insecure source code functions are being used in the application: the strlen() and malloc() functions, which come from the Branch SDK, in the following files:
BNCEncodingUtils
BNCNetworkInterface
BNCDeviceSystem

Could you remove these from the Branch SDK in your upcoming release or if it is required, could you let us know why it is required?

I'll take a look at it, but those are generally C utility methods or places we use C libraries.

BNCNetworkInterface uses INET_ADDRSTRLEN and INET6_ADDRSTRLEN which are definitions and not calls to strlen().

BNCEncodingUtils uses strlen when using CC_SHA256 to hash data. CryptoKit is better, but only available on iOS 13+. This could be wrapped in an if available for newer devices. I'll make a ticket to do this.

BNCDeviceSystem uses malloc when using sysctlbyname, which is the way that C API works. It is safe, as you need to call it once to find out how much memory you need to alloc, then you call it again to fill the buffer. Finally you free it after making an NSString out of it.
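The two-call sysctlbyname pattern the reply above describes, written out as an added example. This is not Branch SDK code; it is a generic wrapper plus a constructed stand-in backend (`fake_sysctlbyname`, a hypothetical name) so the block runs offline on platforms without sysctlbyname(3). It goes slightly beyond the reply by handling the two things a reviewer would check: the buffer is sized from the first call and that size bounds the second copy, and the ENOMEM case where the value grows between the two calls is retried rather than treated as success. The result is NUL-terminated before anything turns it into a string. On Apple platforms `main` passes the real `sysctlbyname`.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef __APPLE__
#include <sys/sysctl.h>
#endif

/* Shape of sysctlbyname(3). With oldp == NULL it stores the size of the value
 * in *oldlenp; with a buffer it copies at most *oldlenp bytes and stores the
 * number written. It returns -1 with errno == ENOMEM when the buffer is too
 * small, which can happen after a size query if the value grew in between. */
typedef int (*sysctl_query_fn)(const char *name, void *oldp, size_t *oldlenp,
                               void *newp, size_t newlen);

#define SYSCTL_MAX_ATTEMPTS 3

/* Two-call pattern. Returns a malloc'd, NUL-terminated copy of the value
 * (caller frees), or NULL on error. */
char *sysctl_string_copy(sysctl_query_fn query, const char *name) {
    for (int attempt = 0; attempt < SYSCTL_MAX_ATTEMPTS; attempt++) {
        size_t len = 0;
        /* Call 1: ask how many bytes the value currently needs. */
        if (query(name, NULL, &len, NULL, 0) != 0 || len == 0)
            return NULL;
        /* One spare byte so we can terminate even if the kernel did not. */
        char *buf = malloc(len + 1);
        if (buf == NULL)
            return NULL;
        /* Call 2: fill the buffer. The size we pass in *oldlenp bounds the
         * copy, so a value that grew cannot overrun the allocation. */
        size_t got = len;
        if (query(name, buf, &got, NULL, 0) == 0 && got <= len) {
            buf[got] = '\0';          /* index got <= len is inside buf */
            return buf;
        }
        int saved = errno;
        free(buf);
        if (saved != ENOMEM)          /* real failure, not a size race */
            return NULL;
        /* ENOMEM: the value grew between the two calls; size it again. */
    }
    return NULL;
}

/* Constructed stand-in for sysctlbyname(3), so the block runs on any
 * platform. "hw.machine" returns a longer value on every call after the
 * first, which forces the ENOMEM retry path above. Values are made up. */
int fake_hw_machine_calls = 0;

int fake_sysctlbyname(const char *name, void *oldp, size_t *oldlenp,
                      void *newp, size_t newlen) {
    (void)newp; (void)newlen;
    const char *value;
    if (strcmp(name, "kern.osversion") == 0) {
        value = "20F71";
    } else if (strcmp(name, "hw.machine") == 0) {
        value = (fake_hw_machine_calls++ == 0) ? "iPhone13,2"
                                               : "iPhone13,2-longer";
    } else {
        errno = ENOENT;
        return -1;
    }
    size_t need = strlen(value) + 1;   /* string sysctls report the NUL too */
    if (oldp == NULL) {
        *oldlenp = need;               /* size query */
        return 0;
    }
    if (*oldlenp < need) {
        errno = ENOMEM;                /* caller's buffer is too small */
        return -1;
    }
    memcpy(oldp, value, need);
    *oldlenp = need;
    return 0;
}

int main(void) {
#ifdef __APPLE__
    char *machine = sysctl_string_copy(sysctlbyname, "hw.machine");
#else
    char *machine = sysctl_string_copy(fake_sysctlbyname, "hw.machine");
#endif
    if (machine != NULL) {
        printf("hw.machine = %s\n", machine);
        free(machine);
    }
    return 0;
}
```

The point for a pentest finding like this one is that malloc() itself is not the risk; an unchecked size or a second call made with a stale length is. Both checks live in the wrapper, so each call site gets them for free.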

Just to update about switching to CryptoKit, we can't do it yet since CryptoKit is intended for Swift and we do not require Swift to use our SDK. We may come back to it in the future.

Closing this ticket since there's no action at the moment.