MobSF: Solve @rpath violation
We tested one of our iOS apps with MobSF and the report highlighted that the binary has Runpath Search Path (@rpath) set. In certain cases an attacker can abuse this feature to run an arbitrary executable for code execution and privilege escalation.
I ran otool -L against the binary to check which dependencies are concerned. It turns out that all pods (Cocoapods) and some system libraries are concerned.
name @rpath/Alamofire.framework/Alamofire (offset 24)
name @rpath/libswiftCoreAudio.dylib (offset 24)
name @rpath/libswiftCoreData.dylib (offset 24)
name @rpath/libswiftCoreFoundation.dylib (offset 24)
I wonder how to fix this issue. Cocoapods prints a warning if the project build setting Runpath Search Paths does not include $(inherited).
Is using @rpath considered harmful? Any help/information appreciated.
Solution 1:[1]
The Runpath Search Path instructs the dynamic linker to search for a dynamic library (dylib) on an ordered list of paths, sort of like how Unix looks for binaries on $PATH.
If your application uses the Swift Package Manager, in order to compile the libraries without rpath you need to use some hidden build flags. On your local command line run:
Note the swift compiler option no-stdlib-rpath which disables rpath entries during compilation. Configure your build settings so that the application is built with this configuration flag, e.g.: swift build -c release -Xswiftc -no-toolchain-stdlib-rpath.
Alternatively, if your application uses Cocoapods, you can first check the install directory of the pods:
And then use the following configuration on your Podfile:
For reference - MobSF IPA Binary Analysis
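To see what the ordered search described in the answer means for a given binary, the following added example (not part of the original question or answer) parses `otool -l` output, lists the LC_RPATH entries in order, and expands each `@rpath/` dependency into the candidate paths the dynamic linker would try. The sample output is constructed, and treating entries that do not start with `@executable_path` or `@loader_path` as the ones to review is this example's own heuristic.

```python
import re

# Constructed sample of `otool -l <binary>` output (not from the original post).
SAMPLE = """\
Load command 12
          cmd LC_LOAD_DYLIB
      cmdsize 72
         name @rpath/Alamofire.framework/Alamofire (offset 24)
Load command 20
          cmd LC_RPATH
      cmdsize 40
         path @executable_path/Frameworks (offset 12)
Load command 21
          cmd LC_RPATH
      cmdsize 32
         path /usr/local/lib (offset 12)
"""

FIELD = re.compile(r"^\s*(cmd|name|path) (.+?)(?: \(offset \d+\))?\s*$")
DYLIB_CMDS = {"LC_LOAD_DYLIB", "LC_LOAD_WEAK_DYLIB", "LC_REEXPORT_DYLIB"}

def parse(otool_l_text):
    """Return (rpaths in search order, dylib names that start with @rpath/)."""
    rpaths, dylibs, cmd = [], [], None
    for m in filter(None, map(FIELD.match, otool_l_text.splitlines())):
        key, value = m.groups()
        if key == "cmd":
            cmd = value  # remember which load command the next fields belong to
        elif key == "path" and cmd == "LC_RPATH":
            rpaths.append(value)
        elif key == "name" and cmd in DYLIB_CMDS and value.startswith("@rpath/"):
            dylibs.append(value)
    return rpaths, dylibs

def candidates(dylib, rpaths):
    """Expand one @rpath/ name into the ordered list of paths the linker tries."""
    return [rp.rstrip("/") + dylib[len("@rpath"):] for rp in rpaths]

def outside_bundle(rpaths):
    """Heuristic (assumption): review entries not anchored to the app bundle."""
    return [rp for rp in rpaths
            if not rp.startswith(("@executable_path", "@loader_path"))]

if __name__ == "__main__":
    rpaths, dylibs = parse(SAMPLE)
    print({d: candidates(d, rpaths) for d in dylibs}, outside_bundle(rpaths))
```

On a Mac, the text passed to `parse` would be the output of `otool -l` run against the app binary.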
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
Solution | Source |
---|---|
Solution 1 | Irtaza fayaz |