DataDog/dd-sdk-flutter

On iOS the Runner has the user and folder location where it was generated

cancio952 opened this issue · 5 comments

Describe the bug

Raised by a security scan: they found embedded in the Runner the location of the library on the local machine

/User/axcUser/Projects/

/DatadogCrashReporting/Source/CrashContext/CrashContextProvider.swift
/User/axcUser/Projects/

/DatadogCrashReporting/Source/CrashReportingFeature.swift

This can be a security issue because a hacker can find the user info of the developer in the code of the Runner

Reproduction steps

Build a Runner ipa on the device by running the command
flutter build ipa --no-codesign --release --flavor prod --dart-define-from-file=<path_file> --dart-define=flutter.memory_allocations=true --obfuscate

SDK logs

No response

Expected behavior

To not expose the user where it was generated or the path

Affected SDK versions

2.4.0

Latest working SDK version

No response

Did you confirm if the latest SDK version fixes the bug?

Yes

Flutter Version

3.16.9

Setup Type

No response

Device Information

No response

Other relevant information

No response

Hi @cancio952

Can you fill out your Steps to Reproduce a bit better? As a potential bad actor, how would I get this information from a built IPA?

Is this specific to our SDK, or something you can reproduce in other Flutter applications?

Hi yes

if you generate the ipa file and decompress it
the path where it was generated

step 1 change the extension of the .ipa to .zip
step 2 extract the .zip
step 3 then on the folder extracted *.ipa/Payload/Runner.app/Runner
step 4 run the command below $ strings Runner | grep '/User/'

This data can typically be found by scanning the binary for strings. For example, to find potential user paths the following command can be used $ strings Runner | grep '/User/'

if you generate the app on the user folder you will be able to see it using this command

Regards
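The scan described in the steps above can be run as a pre-release check on the build output. This is an added example, not code from the issue thread or from the Datadog SDK; the `/Users/` and `/home/` prefixes, the function names and the constructed sample IPA bytes are assumptions.

```python
import io
import re
import sys
import zipfile

# Printable-ASCII runs that look like a home-directory path. "/User/" is the
# prefix grepped for in the thread; "/Users/" and "/home/" are added here as
# an assumption about other build hosts.
HOME_PATH = re.compile(rb"/(?:Users?|home)/[\x21-\x2e\x30-\x7e]+(?:/[\x21-\x7e]*)?")


def find_build_paths(ipa_bytes):
    """Return {archive member: sorted unique home-directory paths found in it}."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as ipa:
        for info in ipa.infolist():
            # The app bundle lives under Payload/; skip directories and metadata.
            if info.is_dir() or not info.filename.startswith("Payload/"):
                continue
            hits = {m.group().decode("ascii") for m in HOME_PATH.finditer(ipa.read(info))}
            if hits:
                findings[info.filename] = sorted(hits)
    return findings


def leaked_usernames(findings):
    """Account names that appear as the first directory under the home prefix."""
    return {p.split("/")[2] for paths in findings.values() for p in paths}


def _constructed_ipa(runner_bytes):
    """Build a tiny in-memory .ipa (constructed sample, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Runner.app/Info.plist", b"<plist/>")
        z.writestr("Payload/Runner.app/Runner", runner_bytes)
    return buf.getvalue()


# Constructed samples: fake binary bytes with and without an absolute source path.
LEAKY_IPA = _constructed_ipa(b"\xcf\xfa\xed\xfe\x00/Users/builduser/Projects/app/Source/Feature.swift\x00\x01")
CLEAN_IPA = _constructed_ipa(b"\xcf\xfa\xed\xfe\x00Source/Feature.swift\x00\x01")

if __name__ == "__main__":
    # With a path argument, scan that .ipa; otherwise scan the constructed sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else LEAKY_IPA
    found = find_build_paths(blob)
    for member, paths in found.items():
        for p in paths:
            print(f"{member}: {p}")
    print("usernames:", sorted(leaked_usernames(found)))
    sys.exit(1 if found else 0)
```

The non-zero exit status on any finding lets a CI job fail the release build before the IPA is distributed.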

That happens to me too. When doing a text string search in binary, these two classes are exposed. The security problem is not in the exposed classes. Otherwise, in the path, the user of the session that generated the artifact clearly appears.

This is part of the iOS SDK and fixed with DataDog/dd-sdk-ios#1938

It will be part of the next Flutter SDK release.

This should be fixed in 2.7.0 with the inclusion of the iOS SDK 2.15.0