
I have done a quality scan analysis for my iOS app. I got the warning below:

The binary has Runpath Search Path (@rpath) set. In certain cases an attacker can abuse this feature to run arbitrary executable for code execution and privilege escalation. Remove the compiler option -rpath to remove @rpath.  

I searched for @rpath, found it in my pod-framework.sh, and this is the code I found:

# Excerpt from the CocoaPods-generated frameworks script (inside install_framework),
# where $binary, $destination and code_sign_if_enabled are defined.
# Embed linked Swift runtime libraries. No longer necessary as of Xcode 7.
  if [ "${XCODE_VERSION_MAJOR}" -lt 7 ]; then
    local swift_runtime_libs
    # List the @rpath/libswift*.dylib dependencies of the binary and strip the @rpath/ prefix.
    swift_runtime_libs=$(xcrun otool -LX "$binary" | grep --color=never @rpath/libswift | sed -E s/@rpath\\/\(.+dylib\).*/\\1/g | uniq -u)
    for lib in $swift_runtime_libs; do
      # Copy each Swift runtime dylib next to the framework and re-sign it.
      echo "rsync -auv \"${SWIFT_STDLIB_PATH}/${lib}\" \"${destination}\""
      rsync -auv "${SWIFT_STDLIB_PATH}/${lib}" "${destination}"
      code_sign_if_enabled "${destination}/${lib}"
    done
  fi

So can I remove this code? Will it affect my project?

Thanks in advance.

Mihir Oza

3 Answers


Given that Xcode 7 is over five years old and at least Xcode 11 is required for app store submissions, it would seem safe to delete that code.

However, given that the script code should not be run, the @rpath in the binary is probably coming from something else.

Paul Beusterien
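Whether the @rpath really comes from that script can be checked in the binary itself: each -rpath the linker was given becomes an LC_RPATH load command, and each dependency resolved through the search path is an LC_LOAD_DYLIB whose name starts with @rpath/. The following is an added example, not code from the question or any answer: a small Python parser for a thin 64-bit Mach-O that lists both, run here on a constructed sample; on a real app you would pass the bytes of Payload/MyApp.app/MyApp (fat or 32-bit files are not handled).

```python
import struct

# Mach-O constants from <mach-o/loader.h>
MH_MAGIC_64 = 0xFEEDFACF
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x80000018
LC_RPATH = 0x8000001C
HEADER_LEN = 32  # sizeof(struct mach_header_64)

def _lc_str(blob, off, cmdsize):
    """Read a union lc_str: a uint32 offset (at off+8) relative to the command start."""
    str_off, = struct.unpack_from("<I", blob, off + 8)
    return blob[off + str_off:off + cmdsize].split(b"\0", 1)[0].decode()

def scan_macho(blob):
    """List LC_RPATH entries and @rpath-relative dylib dependencies of a thin arm64 Mach-O."""
    magic, = struct.unpack_from("<I", blob, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("expected a thin 64-bit Mach-O (fat/32-bit files are not handled here)")
    ncmds, sizeofcmds = struct.unpack_from("<II", blob, 16)
    found = {"rpaths": [], "rpath_dylibs": []}
    off = HEADER_LEN
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", blob, off)
        if cmdsize < 8 or off + cmdsize > HEADER_LEN + sizeofcmds:
            raise ValueError("corrupt load command at offset %d" % off)
        if cmd == LC_RPATH:                      # produced by the -rpath linker flag
            found["rpaths"].append(_lc_str(blob, off, cmdsize))
        elif cmd in (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB):
            name = _lc_str(blob, off, cmdsize)  # struct dylib: lc_str name, then 3 uint32
            if name.startswith("@rpath/"):
                found["rpath_dylibs"].append(name)
        off += cmdsize
    return found

def _cmd(cmd, fixed, text):
    """Build one string-carrying load command; `fixed` is any data between lc_str and the string."""
    payload = struct.pack("<I", 8 + 4 + len(fixed)) + fixed + text.encode() + b"\0"
    payload += b"\0" * (-len(payload) % 8)      # load commands are 8-byte aligned
    return struct.pack("<II", cmd, 8 + len(payload)) + payload

def build_sample_macho(rpaths, dylibs):
    """Constructed header-only arm64 Mach-O (no segments) for offline testing; not a real app binary."""
    cmds = b"".join(_cmd(LC_RPATH, b"", p) for p in rpaths)
    cmds += b"".join(_cmd(LC_LOAD_DYLIB, b"\0" * 12, d) for d in dylibs)  # timestamp/versions zeroed
    header = struct.pack("<IIIIIIII", MH_MAGIC_64, 0x0100000C, 0, 2,     # CPU_TYPE_ARM64, MH_EXECUTE
                         len(rpaths) + len(dylibs), len(cmds), 0, 0)
    return header + cmds

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_macho(
        ["@executable_path/Frameworks"], ["/usr/lib/libSystem.B.dylib", "@rpath/libswiftCore.dylib"])
    print(scan_macho(blob))
```

If the real binary shows an LC_RPATH entry, that is what the scanner flags, and it comes from the link step (Xcode's Runpath Search Paths build setting), not from the Xcode 6 branch of the CocoaPods script.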

Vulnerabilities involving @rpath don’t apply in mobile settings, as attackers don’t have access to the file system and can’t arbitrarily swap out these frameworks. Even if an attacker somehow could swap out the framework with a malicious one, the app would crash on launch due to code signing violations.

https://docs.flutter.dev/resources/security-false-positives#the-ios-binary-has-a-runpath-search-path-rpath-set

If you still need a fix, follow the steps listed in MobSF "IPA Binary Analysis".

grassyburrito

You can use this tool to analyse your APK or IPA file, or do the check via the CLI:

unzip MyApp.ipa
cd Payload/
cd MyApp.app/
otool -L MyApp | head -n 30


browser cli

  • 1
    As it’s currently written, your answer is unclear. Please [edit] to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Apr 08 '22 at 13:17