Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

On iOS the Runner have the user and folder location where ir was generated #630

Closed
cancio952 opened this issue Jun 27, 2024 · 5 comments
Closed

On iOS the Runner have the user and folder location where ir was generated #630

cancio952 opened this issue Jun 27, 2024 · 5 comments
Labels
bug Something isn't working pending-native-sdk This issue is dependent on the release of a native SDK.

Comments

@cancio952
Copy link

cancio952 commented Jun 27, 2024
edited
Loading

Describe the bug

Raíced by security scan they found embeved on the Runner the ubication of the library on the local machine

/User/axcUser/Projects/

/DatadogCrashReporting/Source/CrashContext/CrashContextProvider.swift
/User/axcUser/Projects/

/DatadogCrashReporting/Source/CrashReportingFeature.swift

This can be a security issue because a hacker can found the user info of the developer on the code of the Runner

Reproduction steps

Build a Runner ipa on the device running the comand
flutter build ipa --no-codesign --release --flavor prod --dart-define-form-file=<phat_file> --dart-define=flutter.memory_allocations=true --obfuscate

SDK logs

No response

Expected behavior

To no expose the user where it was generated or the path

Affected SDK versions

2.4.0

Latest working SDK version

No response

Did you confirm if the latest SDK version fixes the bug?

Yes

Flutter Version

3.16.9

Setup Type

No response

Device Information

No response

Other relevant information

No response
@cancio952 cancio952 added the bug Something isn't working label Jun 27, 2024
@fuzzybinary
Copy link
Member

Hi @cancio952

Can you fill out your Steps to Reproduce a bit better? As a potential bad actor, how would I get this information from a built IPA?

Is this specific to our SDK, or something you can reproduce in other Flutter applications?

@cancio952
Copy link
Author

cancio952 commented Jun 28, 2024
edited
Loading

Hi yes

if you generate the ipa file and decompress it
the path were it was generated

step 1 change the extension of the .ipa to .zip
step 2 extract the .zip
step 3 then on the folder extracted *.ipa/Payload/Runner.app/Runner
step 4 run the command below $ strings Runner | grep '/User/'

This data can typically be found by scanning the binary for strings. For example, to find potential user paths the following command can be used $ strings Runner | grep '/User/'

if you generate the app on the user folder you will be able to see it using this command

Ragars

@AMarturelo
Copy link

That happens to me too. When doing a text string search in binary, these two classes are exposed. The security problem is not in the exposed classes. Otherwise, in the path, the user of the session that generated the artifact clearly appears.

@fuzzybinary
Copy link
Member

This is part of the iOS SDK and fixed with DataDog/dd-sdk-ios#1938

It will be part of the next Flutter SDK release.

@fuzzybinary fuzzybinary added the pending-native-sdk This issue is dependent on the release of a native SDK. label Jul 8, 2024
@fuzzybinary
Copy link
Member

This should be fixed in 2.7.0 with the inclusion of the iOS SDK 2.15.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working pending-native-sdk This issue is dependent on the release of a native SDK.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@fuzzybinary @AMarturelo @cancio952