Titanium SDK/CLI: TIMOB-27151

Alloy applications - Security Penetration test

Description

Hello Appcelerator team,

One of our clients' security teams has done a penetration test on our Appcelerator application, and they have shared a few concerns with us to patch.

Our mobile team has gone through those points and found that those issues are related to the native Xcode build generated from Appcelerator Studio.

Please go through the points below, with description and severity:

1. Binary makes use of banned API(s) - CWE-676

Severity: Medium
Description: The binary may contain the following banned API(s): _sprintf, _gets, _alloca, _strlen, _stat, _memcpy, _strncpy, _printf, _fopen, _vsnprintf, _sscanf, _strcpy.

2. Binary makes use of the following weak hash API(s) - CWE-327

Severity: Medium
Description: The binary may use the following weak hash API(s): CC_SHA1, CC_MD5

3. Binary makes use of the malloc function - CWE-789

Severity: Medium
Description: The binary may use the malloc function instead of calloc

4. Weak Jailbroken Device Detection
Description: A developer can incorporate different checks in his application to examine whether the device on which the application is running is jailbroken or not. Most of these checks are naive and could be easily bypassed.

For point 4, is there any feature or functionality available to bind an extra layer of security to detect whether the device is jailbroken or rooted through the Appcelerator coding environment?
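Findings 1 and 3 above are the kind a static symbol scan of the binary produces: it flags any reference to strcpy, sprintf, malloc and friends without knowing whether the call site is bounded. The example below is added here for readers of this ticket and is not code from the Titanium SDK or from the reporter; it shows, in plain C, the defensive patterns such a finding is asking for: a copy that refuses rather than truncates when the source does not fit, an snprintf-based formatter that checks the return value, and a zero-initialising allocation with overflow and size-cap checks (the CWE-789 concern). The function names, buffer sizes and sample strings are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>

/* Bounded string copy. Copies at most dst_size bytes including the NUL.
 * Returns the number of characters copied on success, or -1 (with dst
 * set to "") if src would not fit. Refusing is safer than silently
 * truncating, which is what strncpy does and what makes it "banned". */
int bounded_copy(char *dst, size_t dst_size, const char *src) {
    size_t i;
    if (dst == NULL || src == NULL || dst_size == 0) return -1;
    for (i = 0; i < dst_size; i++) {
        dst[i] = src[i];
        if (src[i] == '\0') return (int)i;
    }
    dst[0] = '\0';          /* source did not fit: refuse, do not truncate */
    return -1;
}

/* snprintf replacement for sprintf: the return value is checked, because
 * snprintf reports the length it *wanted* to write, not what it wrote. */
int format_record(char *out, size_t out_size, const char *user, unsigned id) {
    int n = snprintf(out, out_size, "user=%s;id=%u", user, id);
    if (n < 0 || (size_t)n >= out_size) {
        if (out_size) out[0] = '\0';
        return -1;          /* would have overflowed or been truncated */
    }
    return n;
}

/* calloc with the checks a scanner cannot see: the count*elem product is
 * guarded against overflow and capped by max_bytes, and the memory comes
 * back zeroed so no stale data can leak out of the buffer. */
void *bounded_calloc(size_t count, size_t elem, size_t max_bytes) {
    if (count == 0 || elem == 0) return NULL;
    if (count > SIZE_MAX / elem) return NULL;     /* multiplication overflow */
    if (count * elem > max_bytes) return NULL;    /* exceeds the policy cap */
    return calloc(count, elem);
}

/* Test helpers: run the copy/format into a fixed 64-byte local buffer
 * limited to dst_size so the result can be checked as a return value. */
int check_fits(const char *src, size_t dst_size) {
    char buf[64];
    if (dst_size > sizeof buf) return -1;
    return bounded_copy(buf, dst_size, src);
}

int record_len(const char *user, unsigned id, size_t out_size) {
    char buf[64];
    if (out_size > sizeof buf) return -1;
    return format_record(buf, out_size, user, id);
}

int main(void) {
    char name[8];
    char rec[32];
    /* constructed sample inputs */
    printf("copy 'alice' into 8 bytes: %d\n", bounded_copy(name, sizeof name, "alice"));
    printf("copy 'alexander' into 8 bytes: %d\n", bounded_copy(name, sizeof name, "alexander"));
    printf("format: %d -> '%s'\n", format_record(rec, sizeof rec, "alice", 7), rec);
    printf("calloc 1000*4 capped at 1024: %s\n",
           bounded_calloc(1000, 4, 1024) == NULL ? "refused" : "allowed");
    return 0;
}
```

A symbol-based scanner will still report memcpy or snprintf if they appear anywhere in the binary, including inside the SDK's own native code, so the practical answer to finding 1 is usually to show the reviewer the bounded call sites rather than to eliminate every listed symbol.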

Assignee: Eric Merriman (emerriman)
Reporter: ios.admin@investis.com