Issue Apple Store: non-public API "setMaximumLength, MaximumLength" - ios

I'm having problems with the publication of an App on the Apple Store; Apple has refused to publish the App because it found references to non-public APIs, specifically: "setMaximumLength :, MaximumLength". Unfortunately, analyzing the source code, I was not able to find the calls to these APIs. How can I solve this problem?
--- APPLE MESSAGE ---
5 PERFORMANCE: SOFTWARE REQUIREMENTS
Performance - 2.5.1
Your app uses or references the following non-public APIs:
setMaximumLength:, maximumLength
The use of non-public APIs is not permitted on the App Store because it can lead to a poor user experience should these APIs change.
--- END OF THE MESSAGE ---
Xcode version 8.0
Xamarin.Forms version 2.3.2.127
Xamarin for Visual Studio 4.2
Xamarin.iOS 10

You can use Apple's Xcode command line tools, notably strings or otool, to look inside binaries and see which may be calling that private API.
Found in this post:
https://discussions.apple.com/thread/3838251?tstart=0:
"Additionally, one or more of the above-mentioned APIs may reside in a static library included with your application. If you do not have access to the library's source, you may be able to search the compiled binary using "strings" or "otool" command line tools. The "strings" tool can output a list of the methods that the library calls and "otool -ov" will output the Objective-C class structures and their defined methods. These techniques can help you narrow down where the problematic code resides."

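The strings-based search described in the answer above, as an added example (not part of the original answer): a POSIX shell script that walks an app bundle and prints each file containing a flagged selector as an exact string. The bundle layout, the file names and the helper names `cstrings`, `find_selector` and `make_sample_bundle` are assumptions; the selectors are the ones quoted in the rejection messages on this page.

```shell
#!/bin/sh
# Added example: find which files in an app bundle hold a flagged selector.

# Print the strings embedded in a file, one per line. Uses strings(1) when it
# is installed; otherwise splits the file on NUL bytes with tr.
cstrings() {
    if command -v strings >/dev/null 2>&1; then
        strings -a -n 2 "$1"
    else
        tr '\0' '\n' < "$1"
    fi
}

# find_selector DIR SELECTOR
# Prints every regular file under DIR that contains SELECTOR as a whole
# string. grep -x rejects substring hits, so "connected" does not match
# "isConnected" or "disconnected".
find_selector() {
    find "$1" -type f | sort | while IFS= read -r f; do
        if cstrings "$f" | LC_ALL=C grep -q -x -F -- "$2"; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed sample (assumption): a fake bundle whose two "binaries" are
# just NUL-separated selector names, so the script runs without Xcode.
make_sample_bundle() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/Sample.app/Frameworks"
    printf 'viewDidLoad\0isConnected\0disconnected\0' > "$d/Sample.app/Sample"
    printf 'init\0setMaximumLength:\0maximumLength\0connected\0' \
        > "$d/Sample.app/Frameworks/libVendor.a"
    printf '%s\n' "$d/Sample.app"
}

app=$(make_sample_bundle)
for sel in 'setMaximumLength:' 'maximumLength' 'connected'; do
    printf '== %s\n' "$sel"
    find_selector "$app" "$sel"
done
rm -rf "$(dirname "$app")"
```

On a real build, point `find_selector` at the `.app` directory (and at any third-party `.a` files), then run `otool -ov` on each file it prints to see whether the selector belongs to a class defined there.
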
Related

How to find out in source code the function names the Xcode's otool outputs for you?

I supposedly have 2 security vulnerabilities in the iOS app I developed. This Medium article lists both issues I faced.
Look for:
Usage of Insecure Random Number Generator
and
Usage of Banned/Deprecated APIs
Those are the two issues I faced in my iOS app as well. I used Xcode's and ran the terminal command as shown in the link above and saw that deprecated methods like _random and insecure methods like _memcpy and _strlen are being used in the app.
What I want to do here is to understand where in my source code I am using these methods. I have searched the entire source code of my Xcode project, and I don't use or call them directly.
otool outputs in assembly language format and shows random addresses.
How can I find out where in the source code I must be using these methods? Or decipher the assembly code to ObjC source code, so that I can remove that code and use a better alternative, which in turn will remove the security vulnerability?

What can be the reason to get rejected with this message by AppStore for my ios application?

This app is verified to contain mangled selectors such as [h8uVi5M7
h2KfZCbl] and [n5SkqdHO i4g0IDLa:]. This is the exclusive cause of
this app's continued 2.3.1 rejection. We recommend that you use the
"nm" tool or the command line tools "strings" or "otool -ov" to find
the entities that are causing this rejection. It would be appropriate
to remove all obfuscation from this app or to explain in detail the
reason for its inclusion.
By the way, I do not use any extra obfuscation tool.

is "connected" a private api?

Is "connected" a private API? Apple told me so.
The App Store said I have used a private API when I submitted my app:
Performance - 2.5.1
Your app still uses or references the following non-public APIs:
connected
The use of non-public APIs is not permitted on the App Store because
it can lead to a poor user experience should these APIs change.
Next Steps
Please revise your app to remove any non-public APIs. If you have
defined methods in your source code with the same names as the
above-mentioned APIs, we suggest altering your method names so that
they no longer collide with Apple's private APIs to avoid your
application being flagged in future submissions.
Additionally, if you are using third party libraries, please update to
the most recent version of those libraries. If you do not have access
to the libraries' source, you may be able to search the compiled
binary using the "strings" or "otool" command line tools. The
"strings" tool can output a list of the methods that the library calls
and "otool -ov" will output the Objective-C class structures and their
defined methods. These tools can help you narrow down where the
problematic code resides. You could also use the "nm" tool to verify
if any third-party libraries are calling these APIs.
Is this sure? Or did they make a mistake?
Thank you very much!

app is rejected because of imageWithName (Binary Rejected)

My app is rejected because of the issue given below. I didn't find "imageWithName" in my code. Kindly suggest what I should do now.
I have been searching for this for the last 2 days but I can't find where the problem is...
For info, I would like to tell you that I am using only the Google Cardboard plugin in this. No ads at all.
Looking forward to your suggestions...
==============================
Performance - 2.5.1
Your app still uses or references the following non-public APIs:
imageWithName:
The use of non-public APIs is not permitted on the App Store because it can lead to a poor user experience should these APIs change.
Next Steps
Please revise your app to remove any non-public APIs. If you have defined methods in your source code with the same names as the above-mentioned APIs, we suggest altering your method names so that they no longer collide with Apple's private APIs to avoid your application being flagged in future submissions.
Additionally, if you are using third party libraries, please update to the most recent version of those libraries. If you do not have access to the libraries' source, you may be able to search the compiled binary using the "strings" or "otool" command line tools. The "strings" tool can output a list of the methods that the library calls and "otool -ov" will output the Objective-C class structures and their defined methods. These tools can help you narrow down where the problematic code resides. You could also use the "nm" tool to verify if any third-party libraries are calling these APIs.
Resources
For information on the "nm" tool, please see the "nm tool" Xcode manual page.
If there are no alternatives for providing the functionality your app requires, you may wish to file an enhancement request.
If you have difficulty reproducing a reported issue, please try testing the workflow described in Technical Q&A QA1764: How to reproduce bugs reported against App Store submissions.
If you have code-level questions after utilizing the above resources, you may wish to consult with Apple Developer Technical Support. When the DTS engineer follows up with you, please be ready to provide:
- complete details of your rejection issue(s)
- screenshots
- steps to reproduce the issue(s)
- symbolicated crash logs - if your issue results in a crash log
please help me!!!
Thanks in advance

is dlopen use inside a static library in iOS allowed

I am working with a fat static library that uses dlopen() to load internal module (.so) files inside the static library. On Stack Overflow, developers say dlopen() is a private API.
In this case, is it fine to use dlopen(), or, being a private API, should it not be used in user libraries irrespective of the library nature, i.e. static/dynamic?
If I can't use dlopen(), can someone point to any resource for an alternative way to accomplish the same task?
Note: This is regarding the baresip BSD library. (http://www.creytiv.com/)
Update: The library first tries to load all configured modules statically, and if that fails it tries to load them dynamically using dlopen(). So removing the dynamic loading code will resolve my problem.
dlopen is not allowed on the iOS versions < iOS 8. See e.g. here.
Using dlopen with literal parameters has always been OK.
dlopen is documented, so it’s not a private API. Just type man dlopen in your terminal, or see App Extension Programming Guide > Handling Common Scenarios, or Dynamic Library Usage Guideline >1, 2.
If you try to use dlopen with code signed by you but not included in the app reviewed, you are infringing App Review Guidelines 2.5.2:
2.5.2 Apps should be self-contained in their bundles, and may not read or write data outside the designated container area, nor may they download, install, or execute code, including other apps.
and you may get a message like this:
Your app, extension, and/or linked framework appears to contain code designed explicitly with the capability to change your app’s behavior or functionality after App Review approval, which is not in compliance with App Store Review Guideline 2.5.2 and section 3.3.2 of the Apple Developer Program License Agreement.
This code, combined with a remote resource, can facilitate significant changes to your app’s behavior compared to when it was initially reviewed for the App Store. While you may not be using this functionality currently, it has the potential to load private frameworks, private methods, and enable future feature changes. This includes any code which passes arbitrary parameters to dynamic methods such as dlopen(), dlsym(), respondsToSelector:, performSelector:, method_exchangeImplementations(), and running remote scripts in order to change app behavior and/or call SPI, based on the contents of the downloaded script. Even if the remote resource is not intentionally malicious, it could easily be hijacked via a Man In The Middle (MiTM) attack, which can pose a serious security vulnerability to users of your app.

Resources