Pentest discovered use of unsafe standard functions in iOS app

Please provide the following:

  1. SDK Version: 48
  2. Platforms(Android/iOS/web/all): iOS
  3. Add the appropriate “Tag” based on what Expo library you have a question on.

A security team has performed a penetration test on our mobile app developed in Expo SDK v48 and they’ve discovered several findings. One of which is the use of unsafe standard functions, which they’ve classified as medium risk.

Several standard library functions are considered unsafe as they do not perform any length or bounds checking or input validation. Examples are strlen, fopen, vsnprintf, memcpy, sscanf, stat, strcpy, printf, strncat. It is up to the programmer to carefully check the input sent to these functions. However, in practice user-supplied data is not always properly checked and sanitised, which could lead to memory corruption vulnerabilities. Memory corruption vulnerabilities are mentioned in the SANS top 256 of most dangerous software errors.

In the worst-case situation, an attacker could abuse the memory corruption vulnerabilities to influence the flow of the executed instructions within the program and let the program perform unintended actions by executing the programmer's code. This requires a skilled attacker with enough time and resources, as there are many defence mechanisms in mobile operating systems which make exploitation of memory corruption vulnerabilities harder.

Nonetheless, Northwave recommends switching to safer default standard functions where possible. Please be aware that sometimes these unsafe functions may be used by the frameworks used to develop mobile applications.

I’ve done a search to see if this issue had been raised before, but could only find it for a cordova plugin: iOS Binary Make Use Of Insecure APIs · Issue #988 · storesafe/cordova-sqlite-storage · GitHub.

This code is generated when Expo builds the actual app. Is this something that can and will be addressed at some point? And if not, could you provide reasoning/argumentation that we can use to report back to our security team?
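An added example, not code from the original post or from Expo, showing in C the pattern the finding describes: an unbounded strcpy into a fixed buffer (shown in the comment) beside bounded replacements that always NUL-terminate and report truncation instead of writing past the buffer. The function names are assumed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Hypothetical helper: copy `src` into `dst` of capacity `dstsz`, always
 * NUL-terminating and reporting truncation instead of overflowing.
 * The pattern the finding warns about looks like:
 *     char name[32];
 *     strcpy(name, untrusted);   // no bound: writes past `name` on long input
 * Returns true if the whole string fit, false if it had to be truncated. */
bool bounded_copy(char *dst, size_t dstsz, const char *src)
{
    if (dst == NULL || src == NULL || dstsz == 0) return false;
    /* Never read further than we could store: look for the NUL within dstsz. */
    const char *end = memchr(src, '\0', dstsz);
    size_t srclen = end ? (size_t)(end - src) : dstsz;
    if (srclen >= dstsz) {              /* no room for the terminator: truncate */
        memcpy(dst, src, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return false;
    }
    memcpy(dst, src, srclen + 1);      /* includes the terminating NUL */
    return true;
}

/* Format into a fixed buffer with snprintf and check its return value:
 * snprintf never writes more than `dstsz` bytes, but it returns the length
 * the full output would have had, so a value >= dstsz means truncation.
 * Returns true only when the whole formatted string fit. */
bool bounded_format(char *dst, size_t dstsz, const char *user, unsigned id)
{
    if (dst == NULL || dstsz == 0) return false;
    int n = snprintf(dst, dstsz, "user=%s id=%u", user, id);
    return n >= 0 && (size_t)n < dstsz;
}

int main(void)
{
    char buf[16];
    /* Constructed sample inputs: one that fits, one that would overflow. */
    const char *ok = "alice";
    const char *too_long = "a-name-that-is-far-longer-than-sixteen-bytes";
    printf("%d %s\n", bounded_copy(buf, sizeof buf, ok), buf);
    printf("%d %s\n", bounded_copy(buf, sizeof buf, too_long), buf);
    printf("%d %s\n", bounded_format(buf, sizeof buf, ok, 7), buf);
    return 0;
}
```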

The code is open source. If you can have your security team point us to what they specifically are concerned about, that would be helpful for us to provide a response. GitHub - expo/expo: An open-source platform for making universal native apps with React. Expo runs on Android, iOS, and the web.
