8

We tested one of our iOS app with MobSF and the report highlighted that the binary has Runpath Search Path (@rpath) set. In certain cases an attacker can abuse this feature to run arbitrary executable for code execution and privilege escalation.

I ran otool -L against the binary to check which dependencies are concerned. It turns out that all pods (Cocaopod) and and some system libraries are concerned.

name @rpath/Alamofire.framework/Alamofire (offset 24)
name @rpath/libswiftCoreAudio.dylib (offset 24)
name @rpath/libswiftCoreData.dylib (offset 24)
name @rpath/libswiftCoreFoundation.dylib (offset 24)

I wonder how to fix this issue. Cocoapods prints a warning if the project build setting Runpath Search Paths does not include $(inherited).

Is using @rpath considered harmful? Any help/information appreciated.

Markus
  • 81
  • 1
  • 2

1 Answers1

4

The Runpath Search Path instructs the dynamic linker to search for a dynamic library (dylib) on an ordered list of paths, sort of like how Unix looks for binaries on $PATH.

If your application uses the Swift Package Manager, in order to compile the libraries without rpath you need to use some hidden build flags. On your local command line run:

enter image description here

Note the swift compiler option no-stdlib-rpath which disables rpath entries during compilation. Configure your build settings so that the application is built with this configuration flag, e.g.: swift build -c release -Xswiftc -no-toolchain-stdlib-rpath.

Alternatively, if your application uses Cocoapods, you can first check the install directory of the pods:

enter image description here

And then use the following configuration on your Podfile: enter image description here

For reference - MobSF IPA Binary Analysis

Irtaza fayaz
  • 383
  • 4
  • 11