Insecure API when using in React Native iOS app
master4-2021 opened this issue · comments
There are some insecure APIs that exist in this repository that Apple considers insecure and recommends not using:
https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/BufferOverflows.html#//apple_ref/doc/uid/TP40002577-SW1
These are reported when using Mobile Security Framework (https://github.com/MobSF/Mobile-Security-Framework-MobSF) to scan the IPA.
strlen:
I understand that the use of these functions does not definitely lead to security issues, but I want to bring this to your attention and check if these are safe to use within our application.
The GTLRBase64.m call is fine; this is in some UTF-8 conversion code from Foundation. If someone wants to look at submitting a PR, it might be possible to tweak it to do the conversion and get the length at the same time.
The two calls in GTLRRuntimeCommon.m are from APIs that only vend C strings, so strlen is the correct call, and the way the value is used is correct.
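The distinction drawn above, worked through in C as an added example (this is not code from the repository or from either commenter; `vended_cstring_len`, `bounded_len` and `utf8_measure` are names chosen here): strlen is correct when an API contract guarantees a NUL terminator, a bounded scan is the fix when it does not, and a UTF-8 walk can yield the length as a by-product instead of a separate strlen pass.

```c
#include <stddef.h>
#include <string.h>

/* Result of one bounded pass over a UTF-8 buffer. */
typedef struct {
    long bytes;       /* bytes before the NUL, or -1 if unterminated/invalid */
    long codepoints;  /* UTF-8 sequences counted in the same pass */
} utf8_scan;

/* Case 1: the API contract guarantees a NUL-terminated C string.
   strlen is the right call; a scanner flagging it is a false positive. */
size_t vended_cstring_len(const char *s) { return strlen(s); }

/* Case 2: a buffer of known size with no terminator guarantee.
   Bound the scan by cap (the strnlen idea) and report -1 rather than
   reading past the end of the buffer. */
long bounded_len(const char *buf, size_t cap) {
    size_t n = 0;
    while (n < cap && buf[n] != '\0') n++;
    return n == cap ? -1 : (long)n;
}

/* Case 3: validate UTF-8 structure and measure it in one bounded pass,
   so the length falls out of the conversion walk. Checks lead and
   continuation bytes only; overlong and surrogate forms are not rejected. */
utf8_scan utf8_measure(const unsigned char *buf, size_t cap) {
    utf8_scan r = { -1, 0 };
    size_t i = 0;
    while (i < cap) {
        unsigned char c = buf[i];
        size_t need;
        if (c == 0) { r.bytes = (long)i; return r; }
        if (c < 0x80) need = 0;
        else if ((c & 0xE0) == 0xC0) need = 1;
        else if ((c & 0xF0) == 0xE0) need = 2;
        else if ((c & 0xF8) == 0xF0) need = 3;
        else return r;                 /* stray continuation or invalid lead */
        if (i + need >= cap) return r; /* sequence would run past the buffer */
        for (size_t k = 1; k <= need; k++)
            if ((buf[i + k] & 0xC0) != 0x80) return r;
        i += need + 1;
        r.codepoints++;
    }
    return r; /* no NUL within cap: bytes stays -1 */
}
```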