{ "id": "173624", "key": "TIMOB-27151", "fields": { "issuetype": { "id": "1", "description": "A problem which impairs or prevents the functions of the product.", "name": "Bug", "subtask": false }, "project": { "id": "10153", "key": "TIMOB", "name": "Titanium SDK/CLI", "projectCategory": { "id": "10100", "description": "Titanium and related SDKs used in application development", "name": "Client" } }, "fixVersions": [], "resolution": null, "resolutiondate": null, "created": "2019-05-14T11:11:04.000+0000", "priority": null, "labels": [ "alloy", "appcelerator", "assesment", "engReviewed", "penetration", "securtiy" ], "versions": [ { "id": "20183", "description": "", "name": "Release 7.4.0", "archived": false, "released": true, "releaseDate": "2018-09-17" } ], "issuelinks": [], "assignee": { "name": "emerriman", "key": "emerriman", "displayName": "Eric Merriman ", "active": true, "timeZone": "America/Los_Angeles" }, "updated": "2019-07-17T10:44:19.000+0000", "status": { "description": "The issue is open and ready for the assignee to start work on it.", "name": "Open", "id": "1", "statusCategory": { "id": 2, "key": "new", "colorName": "blue-gray", "name": "To Do" } }, "components": [ { "id": "10206", "name": "iOS", "description": "iOS Platform" } ], "description": "Hello Appcelerator team,\r\n\r\nOne of our client's security team has done penetration test on our appcelerator application and they have shared few concerns with us to patch.\r\n\r\nOur mobile team have gone through those points and found that those issues are related to native Xcode build generated from appcelerator studio.\r\n\r\nPlease go through below points with description and severity:\r\n1. Binary make use of banned API(s)_CWE-676 \r\n\r\nSeverity: Medium\r\nDescription:The binary may contain the following banned API(s) _sprintf, _gets, _alloca, _strlen, _stat, _memcpy, _strncpy, _printf, _fopen, _vsnprintf, _sscanf, _strcpy.\r\n\r\n2. Binary make use of the following Weak HASH API(s)_CWE-327\r\n\r\nSeverity: Medium\r\nDescription:The binary may use the following weak hash API(s) CC_SHA1, CC_MD5\r\n\r\n3. Binary make use of malloc Function_CWE-789\r\n\r\nSeverity: Medium\r\nDescription:The binary may use malloc function instead of calloc\r\n\r\n4. Weak Jaibroken Device Detection\r\nDescription: A developer can incorporate different checks in his application to examine whether the device on which the application is running is jailbroken or not. Most of these checks are naive and could be easily bypassed.\r\nfor point 4, is there any feature or functionality available to bind extra layer of security to detect whether device is jail broken or rooted through appcelerator coding environment?\r\n", "attachment": [], "flagged": false, "summary": "Alloy applications - Security Penetration test", "creator": { "name": "ios.admin@investis.com", "key": "ios.admin@investis.com", "displayName": "ios.admin@investis.com", "active": true, "timeZone": "Asia/Kolkata" }, "subtasks": [], "reporter": { "name": "ios.admin@investis.com", "key": "ios.admin@investis.com", "displayName": "ios.admin@investis.com", "active": true, "timeZone": "Asia/Kolkata" }, "environment": "Ti SDK 7.4.0.GA\r\nProject Appcelerator Alloy project\r\n", "comment": { "comments": [ { "id": "449859", "author": { "name": "ios.admin@investis.com", "key": "ios.admin@investis.com", "displayName": "ios.admin@investis.com", "active": true, "timeZone": "Asia/Kolkata" }, "body": "Dear Team,\r\n\r\nIn addition to previously reported bugs, please check the below one as well:\r\n\r\n\r\n||Bug||Severity||Description||\r\n|Binary make use of the insecure Random Function(s)_ CWE-338|Low|The binary may use the following insecure Random Function(s) _srand.|\r\n\r\nKindly review and share the action plan on the same.", "updateAuthor": { "name": "ios.admin@investis.com", "key": "ios.admin@investis.com", "displayName": "ios.admin@investis.com", "active": true, "timeZone": "Asia/Kolkata" }, "created": "2019-07-17T10:44:19.000+0000", "updated": "2019-07-17T10:44:19.000+0000" } ], "maxResults": 1, "total": 1, "startAt": 0 } } }