Implement Protections Against Buffer Overflow Attacks
Automatic Reference Counting (ARC) is a memory management feature of the Objective-C compiler: the compiler tracks object ownership and inserts the retain and release calls itself, instead of leaving that bookkeeping to the developer. ARC arrived with the iOS 5 SDK (Xcode 4.2), and because the work is done at compile time, ARC-compiled code can still target earlier versions such as iOS 4 (without zeroing weak references, which need the iOS 5 runtime).
- The compiler inserts the retain and release calls automatically, which takes the bookkeeping off the developer and removes a whole class of object-lifecycle defects: leaks, over-releases, and use of an object after it has been released.
- Because the analysis happens at compile time, there is no collector thread and there are no collection pauses, unlike with a garbage collector; the retain and release calls ARC inserts are the ones a correct manual implementation would have made anyway. There is therefore no obvious drawback to switching to ARC.
ASLR (address space layout randomization) is a security feature introduced in iOS 4.3 that randomizes where the application's code, libraries, heap and stack are placed in memory each time it is launched. An attacker exploiting a memory corruption bug therefore cannot rely on hard-coded addresses: without an information leak, a guess about where code or data live will usually be wrong and crash the application instead of running the payload. It also makes it harder to locate and dump particular structures in the process's memory. The main executable only takes part in this randomization if it was linked as a position-independent executable (PIE); otherwise it is loaded at a fixed base address even though the system libraries are randomized. This test therefore checks whether the application binary was built with PIE, which is recorded as the MH_PIE flag in the Mach-O header and shown as PIE in the output of otool -hv.
Enable ARC - Enable the Objective-C Automatic Reference Counting build setting in the Xcode project, or migrate existing code with Xcode's Edit > Refactor > Convert to Objective-C ARC tool.
Implement full ASLR protection - Build the application as a position-independent executable, which requires a deployment target of iOS 4.3 or later. In Xcode, set Generate Position-Dependent Code to NO (newer Xcode versions do this by default); from the command line, pass -fPIE to the compiler and -pie (or -Wl,-pie) to the linker. Verify the result by running otool -hv on the built binary and looking for PIE among the header flags; for a universal binary, check every architecture slice.
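The following is an added example, not code from the original page, that performs the PIE check described above without relying on otool: it parses the Mach-O header of a binary and reports whether the MH_PIE flag is set, handling 32-bit and 64-bit images and universal (fat) binaries, where every slice has to pass. The fixtures it builds for its self-check are constructed header bytes, not real binaries, and the constant values are copied from mach-o/loader.h so the program builds on a non-Apple host.

```c
/* Added example, not code from the original page: a small Mach-O header parser
 * that reports whether an executable was linked as PIE, i.e. whether MH_PIE is
 * set in its header flags. That is the bit otool -hv prints as "PIE" and the
 * bit the ASLR check above looks for. Constants match <mach-o/loader.h>. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MH_MAGIC    0xfeedfaceu  /* 32-bit Mach-O */
#define MH_MAGIC_64 0xfeedfacfu  /* 64-bit Mach-O */
#define FAT_MAGIC   0xcafebabeu  /* universal binary; its header is big-endian */
#define MH_EXECUTE  0x2u         /* filetype: main executable (0x6 is MH_DYLIB) */
#define MH_PIE      0x200000u    /* flags: image base may be randomised (ASLR) */

enum pie_status { PIE_NOT_MACHO = -2, PIE_NOT_EXECUTABLE = -1, PIE_DISABLED = 0, PIE_ENABLED = 1 };

/* Mach-O fields are in the target's byte order; fat headers are always big-endian. */
static uint32_t rd_le(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint32_t rd_be(const uint8_t *p) { return (uint32_t)p[0] << 24 | p[1] << 16 | p[2] << 8 | p[3]; }
static void wr_le(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void wr_be(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[3 - i] = (uint8_t)(v >> (8 * i)); }

/* One Mach-O image. Header words: magic, cputype, cpusubtype, filetype, ncmds,
 * sizeofcmds, flags (the 64-bit header adds a reserved word after flags). */
int macho_pie_status(const uint8_t *buf, size_t len) {
    uint32_t (*rd)(const uint8_t *);
    if (len < 28) return PIE_NOT_MACHO;
    if (rd_le(buf) == MH_MAGIC || rd_le(buf) == MH_MAGIC_64) rd = rd_le;
    else if (rd_be(buf) == MH_MAGIC || rd_be(buf) == MH_MAGIC_64) rd = rd_be;
    else return PIE_NOT_MACHO;
    if (rd(buf + 12) != MH_EXECUTE) return PIE_NOT_EXECUTABLE; /* dylibs and bundles are always relocatable */
    return (rd(buf + 24) & MH_PIE) ? PIE_ENABLED : PIE_DISABLED;
}

/* Fat binaries hold one image per architecture. Every slice must be PIE, or the
 * device that selects the non-PIE slice runs without ASLR: the worst slice wins. */
int pie_status(const uint8_t *buf, size_t len) {
    if (len < 8 || rd_be(buf) != FAT_MAGIC) return macho_pie_status(buf, len);
    uint32_t n = rd_be(buf + 4); int worst = PIE_ENABLED;
    if (n == 0 || n > 64) return PIE_NOT_MACHO;
    for (uint32_t i = 0; i < n; i++) {
        const uint8_t *arch = buf + 8 + (size_t)i * 20;      /* struct fat_arch, 20 bytes */
        if ((size_t)(arch - buf) + 20 > len) return PIE_NOT_MACHO;
        uint32_t off = rd_be(arch + 8), size = rd_be(arch + 12);
        if (off > len || size > len - off) return PIE_NOT_MACHO;
        int s = macho_pie_status(buf + off, size);
        if (s < worst) worst = s;
    }
    return worst;
}

/* Constructed fixtures (not real binaries) for the self-check below. */
size_t make_header(uint8_t *out, int is64, uint32_t filetype, uint32_t flags) {
    uint32_t f[8] = { is64 ? MH_MAGIC_64 : MH_MAGIC, is64 ? 0x0100000cu : 0xcu /* ARM64 / ARM */,
                      0, filetype, 0, 0, flags, 0 };
    size_t n = is64 ? 32 : 28;
    for (size_t i = 0; i < n / 4; i++) wr_le(out + 4 * i, f[i]);
    return n;
}

size_t make_fat(uint8_t *out, const uint8_t *a, size_t alen, const uint8_t *b, size_t blen) {
    const uint8_t *slice[2] = { a, b };
    size_t slen[2] = { alen, blen }, off = 8 + 2 * 20;
    wr_be(out, FAT_MAGIC); wr_be(out + 4, 2);
    for (int i = 0; i < 2; i++) {
        uint8_t *arch = out + 8 + i * 20;
        wr_be(arch, rd_le(slice[i] + 4)); wr_be(arch + 4, rd_le(slice[i] + 8)); /* cputype, cpusubtype */
        wr_be(arch + 8, (uint32_t)off); wr_be(arch + 12, (uint32_t)slen[i]); wr_be(arch + 16, 0);
        memcpy(out + off, slice[i], slen[i]);
        off += slen[i];
    }
    return off;
}

/* Returns 1 when every constructed case is classified as expected. */
int self_check(void) {
    uint8_t a[32], b[32], fat[128];
    size_t alen = make_header(a, 1, MH_EXECUTE, MH_PIE), blen = make_header(b, 0, MH_EXECUTE, 0);
    int ok = pie_status(a, alen) == PIE_ENABLED && pie_status(b, blen) == PIE_DISABLED;
    ok = ok && pie_status(fat, make_fat(fat, a, alen, b, blen)) == PIE_DISABLED; /* one bad slice fails */
    blen = make_header(b, 0, MH_EXECUTE, MH_PIE);
    ok = ok && pie_status(fat, make_fat(fat, a, alen, b, blen)) == PIE_ENABLED;
    blen = make_header(b, 1, 0x6u /* MH_DYLIB */, 0);
    return ok && pie_status(b, blen) == PIE_NOT_EXECUTABLE && pie_status((const uint8_t *)"\x7f" "ELF", 4) == PIE_NOT_MACHO;
}

/* Usage: ./pie_check [binary ...]; with no arguments it runs the self-check. */
int main(int argc, char **argv) {
    static const char *name[] = { "not a Mach-O", "not an executable", "PIE disabled", "PIE enabled" };
    int rc = 0;
    if (argc < 2) return self_check() ? 0 : 1;
    for (int i = 1; i < argc; i++) {
        FILE *fp = fopen(argv[i], "rb"); long sz; uint8_t *d = NULL; int s = PIE_NOT_MACHO;
        if (fp && !fseek(fp, 0, SEEK_END) && (sz = ftell(fp)) > 0 && !fseek(fp, 0, SEEK_SET) && (d = malloc(sz)))
            s = pie_status(d, fread(d, 1, (size_t)sz, fp));
        if (fp) fclose(fp);
        free(d);
        printf("%s: %s\n", argv[i], name[s + 2]);
        if (s != PIE_ENABLED) rc = 1;
    }
    return rc;
}
```

Run it against the executable inside the built .app bundle (not the .ipa archive) and treat any result other than "PIE enabled" as a failed check. A fat binary with one PIE slice and one non-PIE slice is reported as disabled on purpose: the check is about the weakest slice a device might load, not the best one.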