Qt bug tracker: QTBUG-108657

IOS Vulnerabilities


Details

    • Bug
    • Resolution: Done
    • Not Evaluated
    • None
    • 6.3.0
    • Other
    • None
    • iOS/tvOS/watchOS

    Description

      I ran a simple empty app, both as a plain iOS IPA and as an iOS IPA built with Qt.

      In the plain IPA without the Qt library, only EXPOSURE OF POTENTIALLY SENSITIVE DATA [DAST][M2][CWE-200] exists, and I can convince the Infosec team that this is just a false positive. Please see the link for reference:

      https://www.immuniweb.com/mobile/com.ncvix.Sample/i3JTPVLE/

      But when I scan the simple Qt IPA file, there are additional vulnerabilities found on the IPA built with the Qt libraries, together with the common exposure of potentially sensitive data:

      1. PREDICTABLE RANDOM NUMBER GENERATOR [SAST][M5][CWE-338]

         I think the Qt libraries use srand and the random function in their code. That makes them vulnerable, and it is rated MEDIUM risk.

      2. HARDCODED DATA [SAST][M2][CWE-200]

         This is a low risk.

      Please see the link for reference:

      https://www.immuniweb.com/mobile/my.example.com/VbnGysxQ/

      Because of those vulnerabilities, I can't convince our Infosec team that this is just a false positive, because actually it can be prevented.

      I am hoping that in the next release of the iOS Qt library those VA findings will be resolved.

      Edit: Android

      Android has an unresolvable tapjacking vulnerability.

      Yes, I know that this can be a false positive, since the detected issue is not where the file is used but where Android views were extended into a class. But our Infosec team is requiring us to send documentation that backs my claim.

      I need documentation that can prove that this is just a false positive, or if you have a way to fix it, that would be great.

      Edit:

      I attached the IPA file that was built with Qt (Test.ipa).

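An added illustration, not part of this bug report and not Qt's code, of what the CWE-338 finding above is about. A SAST rule for "predictable random number generator" fires on srand()/rand() because the output is fully determined by the seed, which in real code is usually a timestamp; whether that is a defect depends on what the value protects. The block shows that property next to the standard-library handle on the platform CSPRNG (std::random_device); the seed values and byte counts are constructed for the demonstration, and the functions and names are this example's own.

```cpp
// Added example, not from Qt or the bug report: the property a CWE-338 SAST
// rule looks for (srand()/rand() output is reproducible from its seed) next
// to a CSPRNG-backed alternative. All inputs are constructed for the demo.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <random>
#include <vector>

// The pattern the scanner flags: libc rand() seeded from a small value (in
// real code typically time(nullptr)). Anyone who knows or can guess the seed
// reproduces every value, so this output must never protect anything.
std::vector<int> predictableSequence(unsigned seed, std::size_t count) {
    std::srand(seed);
    std::vector<int> out;
    out.reserve(count);
    for (std::size_t i = 0; i < count; ++i)
        out.push_back(std::rand());
    return out;
}

// The fix where an unguessable value is actually needed (session tokens,
// nonces, IVs): read bytes from the platform CSPRNG. std::random_device is
// the portable standard-library handle to it; Qt code can use
// QRandomGenerator::system(), which reads from the OS random facility.
std::vector<std::uint8_t> secureRandomBytes(std::size_t count) {
    std::random_device rd;
    std::vector<std::uint8_t> out(count);
    for (std::size_t i = 0; i < count;) {
        unsigned word = rd();                       // one 32-bit draw per call
        for (int b = 0; b < 4 && i < count; ++b, ++i)
            out[i] = static_cast<std::uint8_t>(word >> (8 * b));
    }
    return out;
}

// Stand-alone run: the seeded generator repeats itself, the CSPRNG does not.
int main() {
    const unsigned seed = 1234u;                    // constructed stand-in for a clock value
    std::vector<int> a = predictableSequence(seed, 4);
    std::vector<int> b = predictableSequence(seed, 4);
    std::printf("rand() with seed %u repeats: %s\n", seed, a == b ? "yes" : "no");

    std::vector<std::uint8_t> t1 = secureRandomBytes(16);
    std::vector<std::uint8_t> t2 = secureRandomBytes(16);
    std::printf("two 16-byte CSPRNG draws equal: %s\n", t1 == t2 ? "yes" : "no");
    return 0;
}
```

When triaging a finding like this one, the question to answer for each flagged call site is whether its output needs to be unguessable (a token, nonce, key or hash seed) or merely varied (UI jitter, test data, shuffling). Only the first kind is a real CWE-338 issue; the second is the documented false positive the reporter is looking for evidence of, and the call site itself is that evidence.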

      People

        vestbo Tor Arne Vestbø
        jhayar Jhay Tolentino
        Votes: 1
        Watchers: 2