Please provide the following:
- SDK Version: 34
- Platforms(Android/iOS/web/all): iOS
Our security team encountered a security vulnerability in our Expo app where the -fstack-protector-all flag is not found. This means the app is not compiled with the Stack Smashing Protector (SSP) flag. This is basically a protection against the possibility of overrunning a buffer on a function’s stack.
The basic idea behind stack protection is to push a “canary” (a randomly chosen integer) on the stack just after the function return pointer has been pushed. The canary value is then checked before the function returns; if it has changed, the program will abort.
To solve this problem, GCC has an option to turn on, “-fstack-protector”.
The Expo documentation does not mention this flag in the app.json.
Is there a way for us to make a build with this flag on?
If not, is there a plan to integrate it in the future?
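
The canary check described in the post can be modelled in plain C. This is an added example, not part of the original post and not Expo or compiler code: `frame_model`, `init_guard` and `copy_into_frame` are hypothetical names, and the struct only imitates a stack frame so the demonstration stays within defined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 16

/* Model of a protected frame: the canary sits between the local buffer
 * and the saved return pointer, so a linear overflow of buf has to
 * overwrite the canary before it can reach the return pointer. */
struct frame_model {
    char      buf[BUF_SIZE];
    uintptr_t canary;
    uintptr_t saved_return;   /* stand-in for the return pointer */
};

static uintptr_t stack_guard; /* process-wide reference value */

static void init_guard(void) {
    /* Constructed for the demo: rand() is NOT a secure source. A real
     * runtime takes the guard from the OS random number generator. */
    srand(12345u);
    stack_guard = ((uintptr_t)rand() << 16) ^ (uintptr_t)rand();
    stack_guard &= ~(uintptr_t)0xff;  /* keep one zero byte in the guard */
}

/* Returns 0 if the canary is intact at "function exit", -1 if it was
 * overwritten (a real SSP epilogue aborts the program instead). */
static int copy_into_frame(const char *input, size_t len) {
    struct frame_model f;
    memset(&f, 0, sizeof f);
    f.canary = stack_guard;           /* prologue: place the canary */
    f.saved_return = 0x1000;          /* constructed placeholder value */
    /* Copy that ignores BUF_SIZE, the bug class SSP detects. It is
     * clamped to the model's size so the demo never leaves the struct. */
    if (len > sizeof f) len = sizeof f;
    memcpy(&f, input, len);
    return f.canary == stack_guard ? 0 : -1;  /* epilogue: verify */
}

int main(void) {
    char input[sizeof(struct frame_model)];
    memset(input, 'A', sizeof input);
    init_guard();
    printf("in-bounds copy  : %d\n", copy_into_frame(input, BUF_SIZE));
    printf("overflowing copy: %d\n", copy_into_frame(input, sizeof input));
    return 0;
}
```
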