Getting Security Issues in Android Signed apk #22427
Comments
Can you run If you believe this information is irrelevant to the reported issue, you may write |
It looks like you are using an older version of React Native. Please update to the latest release, v0.57 and verify if the issue still exists. The "⏪Old Version" label will be removed automatically once you edit your original post with the results of running |
We are using react-native version 0.55.4. It is not the solution to update react-native version. It is not too old. It should work on 0.55.4 version too. |
The reason behind asking bug reports to use the latest version is to verify this is an issue that is not yet fixed in the latest release. If this cannot be replicated on 0.57, the issue will be closed. |
Sure @hramos, we're updating RN and will get back to you 👍 |
Hello there 👋 this issue has been reported for an old version of React Native. Ideally we'd like everyone to be using 0.59 (see the awesome changes it brought) but we know updating can be a pain. We are going to close this issue because it's from a version before 0.57, which is really old. But please, if it's actually still an issue with 0.59 please comment below and we can reopen it 😊 |
Darn, totally forgot to reply! After updating React-native (to |
@ferrannp when I try to run my project in the simulator, no issues (except for some known warning messages). Info
Environment
OS: macOS High Sierra 10.13.4
Node: 10.1.0
Yarn: Not Found
npm: 5.6.0
Watchman: 4.9.0
Xcode: Xcode 9.3.1 Build version 9E501
Android Studio: 3.2 AI-181.5540.7.32.5014246
Packages: (wanted => installed)
react: 16.3.1 => 16.3.1
react-native: 0.55.4 => 0.55.4
Description
We are using the tool Codified Security to find out the security issues in the signed apk and we are getting the following security issues:
1. App creates a temp file:
You need to fix this because:
Sensitive data might be written into a temp file.
You can fix this by changing this in your code.
Avoid creating temp files.
Common Weakness Enumeration
CWE-295 — The software does not validate, or incorrectly validates, a certificate.
Problem has been found in:
com/facebook/cache/disk/DefaultDiskStorage.java
```java
try { paramString = new InserterImpl(paramString, paramObject.createTempFile(localFile)); return paramString; localStringBuilder.append(resourceId); localStringBuilder.append("."); return File.createTempFile(localStringBuilder.toString(), ".tmp", paramFile); }
```
com/facebook/react/modules/camera/ImageEditingManager.java
```java
paramContext = localFile; } return File.createTempFile("ReactNative_cropped_image_", getFileExtensionForType(paramString), paramContext); } if ((localObject != null) && (! ((String)localObject).isEmpty())) { File localFile = ImageEditingManager.createTempFile(mContext, (String)localObject); ImageEditingManager.writeCompressedBitmapToFile(paramVarArgs, (String)localObject, localFile);
```
com/google/android/gms/common/data/BitmapTeleporter.java
```java
try { localFile = File.createTempFile("teleporter", ".tmp", zali); }
```
2. TCP socket usage detected
You need to fix this because:
TCP sockets need to be encrypted, otherwise they may be vulnerable to the following attack mechanisms: DoS attacks, replay attacks, man in the middle (MITM) attacks, eavesdropping and subsequent impersonation. It's highly recommended to use TLS or other methods to secure your connection.
Common Weakness Enumeration
CWE-941 — The software creates a communication channel to initiate an outgoing request to an actor, but it does not correctly specify the intended destination for that actor.
More information can be seen on the CWE website
PCI compliance.
This app may be in breach of PCI-DSS 2.2.3, 2.3 and 4.1.
SSL and early TLS (versions lower than 1.2) are not considered strong cryptography.
HIPAA compliance.
Transmission Security
This app may be in breach of HIPAA encryption requirements.
SSL and early TLS (versions lower than 1.2) are not considered strong cryptography.
GDPR compliance.
This app may be in breach of GDPR encryption requirements.
SSL and early TLS (versions lower than 1.2) are not considered strong cryptography.
OWASP compliance.
OWASP M3: Insufficient Transport Layer Protection
This app may be in breach of OWASP encryption requirements.
SSL and early TLS (versions lower than 1.2) are not considered strong cryptography.
Problem has been found in:
okio/Okio.java
okhttp3/Connection.java
```java
package okhttp3; import java.net.Socket;
```
okhttp3/ConnectionPool.java
okhttp3/OkHttpClient.java
okhttp3/internal/Internal.java
okhttp3/internal/Util.java
okhttp3/internal/connection/RealConnection.java
okhttp3/internal/connection/StreamAllocation.java
okhttp3/internal/http2/Http2Connection.java
okhttp3/internal/platform/AndroidPlatform.java
okhttp3/internal/platform/Platform.java
okhttp3/internal/ws/RealWebSocket.java
com/facebook/react/modules/network/TLSSocketFactory.java
Please suggest how we can resolve these issues.
Thanks
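Added example for the temp-file finding above (not code from the issue or from React Native): the mitigation a reviewer would ask for is that a temp file is created inside app-private storage with owner-only permissions and is deleted as soon as it has been consumed. `PrivateTempFile` and `FileConsumer` are assumed names, and `java.nio.file` is available on Android from API 26.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

public final class PrivateTempFile {

    /** Callback that consumes the temp file while it exists (assumed interface). */
    public interface FileConsumer {
        void accept(Path tempFile) throws IOException;
    }

    /**
     * Creates a temp file that only the app's own UID can read or write.
     * appPrivateDir is expected to be context.getCacheDir() or getFilesDir():
     * those are sandboxed per app; external storage is shared and must not be used.
     */
    public static Path create(File appPrivateDir, String prefix) throws IOException {
        Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rw-------");
        FileAttribute<Set<PosixFilePermission>> attr = PosixFilePermissions.asFileAttribute(ownerOnly);
        return Files.createTempFile(appPrivateDir.toPath(), prefix, ".tmp", attr);
    }

    /**
     * Writes the payload, hands the file to the consumer, then deletes it unconditionally,
     * so sensitive bytes do not outlive the operation even if the consumer throws.
     */
    public static void withTempFile(File appPrivateDir, byte[] payload, FileConsumer consumer)
            throws IOException {
        Path tmp = create(appPrivateDir, "rn_");
        try {
            Files.write(tmp, payload);
            consumer.accept(tmp);
        } finally {
            Files.deleteIfExists(tmp);
        }
    }
}
```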
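Added example for the TCP-socket finding (not code from the issue, React Native or OkHttp): the scanner flags every class in OkHttp that touches `java.net.Socket`, but the control that matters is the `OkHttpClient` configuration, which can be restricted so that no cleartext route and no pre-1.2 TLS version is ever negotiated. `TlsOnlyClient` is an assumed class name; the `okhttp3` builder calls are the real OkHttp 3 API.

```java
import java.util.Collections;
import okhttp3.CipherSuite;
import okhttp3.ConnectionSpec;
import okhttp3.OkHttpClient;
import okhttp3.TlsVersion;

public final class TlsOnlyClient {

    /** Connection spec: TLS 1.2 only, forward-secret AEAD cipher suites only. */
    public static ConnectionSpec tls12Only() {
        return new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS)
                .tlsVersions(TlsVersion.TLS_1_2)
                .cipherSuites(
                        CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                        CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                        CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                        CipherSuite.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
                .build();
    }

    /**
     * Client that accepts only the spec above. Because ConnectionSpec.CLEARTEXT is not
     * in the list, a request to an http:// URL fails at connect time instead of going
     * out unencrypted; WebSocket upgrades share the same connection specs.
     */
    public static OkHttpClient build() {
        return new OkHttpClient.Builder()
                .connectionSpecs(Collections.singletonList(tls12Only()))
                .build();
    }
}
```

On Android 4.1 to 4.4 TLS 1.2 is supported but not enabled by default, which is why React Native ships its own `TLSSocketFactory` (flagged above); with this spec such devices must have that factory installed or they will fail the handshake rather than downgrade.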