Insecure APIs/Functions Used

Summary:
It was observed that insecure APIs and functions were used in the application.

OWASP Category: M7: Client Code Quality
Severity: Low
Complexity: Easy
From: Remote / External

Steps to Reproduce / Proof of Concept:
Attached in the video.

Impact:
The malloc() function is used for dynamic memory allocation. Its presence indicates that the application performs its own memory management rather than relying on ARC (Automatic Reference Counting). Because malloc() returns uninitialized memory, its use poses a memory corruption risk. Use of banned APIs such as fopen(), memcpy(), asprintf() and sscanf() can lead to buffer, stack and heap overflows.

Affected Path: Entire Application

Recommendations:
It is recommended to:
- Use calloc() instead of malloc().
- Use fopen_s() instead of fopen().
- Use memcpy_s() or __memcpy_chk() instead of memcpy().
- Use vasprintf() instead of asprintf().
- Use vasprintf() instead of sscanf().

References:
https://developer.apple.com/library/content/documentation/Security/Conceptual/SecureCodingGuide/Articles/BufferOverflows.html
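The following is an added illustration, not code from the report or from the assessed application. It places the two patterns the Impact section describes (an unbounded memcpy() into a fixed-size buffer, and malloc() handing back uninitialized memory) next to the bounded and zero-initialised forms the recommendations call for. Because memcpy_s() and __memcpy_chk() are not available on every toolchain, the bounds check they enforce is written out by hand here; all function names, the RECORD_LEN constant and the sample input are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Constructed example. RECORD_LEN and all function names are assumptions. */
#define RECORD_LEN 16

/* Unsafe pattern from the finding: the copy length comes from the caller and
 * is never compared with the destination capacity, so src_len > RECORD_LEN
 * writes past the end of dst (a stack or heap overflow depending on where
 * dst lives). Shown for contrast only; main() never calls it with an
 * oversized length. */
static void copy_record_unsafe(char *dst, const char *src, size_t src_len) {
    memcpy(dst, src, src_len);
}

/* Hardened pattern: the destination capacity is an explicit parameter and is
 * checked before a single byte is copied. On failure nothing is written and
 * the caller receives a non-zero status instead of a silent overflow. This is
 * the contract memcpy_s() / __memcpy_chk() enforce. */
static int copy_record_bounded(char *dst, size_t dst_cap,
                               const char *src, size_t src_len) {
    if (dst == NULL || src == NULL) return -1;
    if (src_len > dst_cap) return -1;   /* refuse rather than truncate silently */
    memcpy(dst, src, src_len);
    return 0;
}

/* malloc() returns whatever bytes were last in that heap region; calloc()
 * returns zero-filled memory, so a field the code forgets to initialise reads
 * as 0 rather than as stale data from a previous allocation. */
static uint8_t *alloc_zeroed(size_t n) {
    return (uint8_t *)calloc(n, 1);
}

/* Returns 1 if every byte in buf[0..n) is zero, 0 otherwise. */
static int all_zero(const uint8_t *buf, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (buf[i] != 0) return 0;
    }
    return 1;
}

/* Allocates n bytes with alloc_zeroed(), checks they are all zero, frees them.
 * Returns 1 on success (allocation succeeded and was zeroed), 0 otherwise. */
static int calloc_is_zeroed(size_t n) {
    uint8_t *p = alloc_zeroed(n);
    if (p == NULL) return 0;
    int ok = all_zero(p, n);
    free(p);
    return ok;
}

/* Feeds a constructed 24-byte input to the bounded copy with a 16-byte
 * destination. Returns 1 if the copy was rejected, 0 if it was accepted. */
static int oversized_input_rejected(void) {
    char dst[RECORD_LEN];
    const char src[] = "AAAAAAAAAAAAAAAAAAAAAAAA";   /* constructed, 24 bytes */
    return copy_record_bounded(dst, sizeof dst, src, sizeof src - 1) != 0;
}

/* Feeds a constructed 5-byte input to the bounded copy and checks the bytes
 * arrived intact. Returns 1 if the copy succeeded and matches, 0 otherwise. */
static int in_bounds_input_copied(void) {
    char dst[RECORD_LEN] = {0};
    const char src[] = "hello";                     /* constructed, 5 bytes */
    if (copy_record_bounded(dst, sizeof dst, src, sizeof src - 1) != 0) return 0;
    return memcmp(dst, src, sizeof src - 1) == 0;
}

int main(void) {
    char small[RECORD_LEN] = {0};
    /* The unsafe variant is only ever exercised with an in-range length here. */
    copy_record_unsafe(small, "ok", 2);

    printf("oversized input rejected: %d\n", oversized_input_rejected());
    printf("in-bounds input copied:   %d\n", in_bounds_input_copied());
    printf("calloc memory zeroed:     %d\n", calloc_is_zeroed(64));
    return 0;
}
```

The point for a reviewer triaging this finding is that the API name alone is not the defect: memcpy() is safe when the length is provably bounded by the destination size, and unsafe when it is not. Replacing it with a checked variant, or adding the explicit capacity check shown above, turns an overflow into a detectable error return.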