Checking for Weaknesses in Third Party Libraries (MSTG-CODE-5) - Add manual check

[rsenet]

In https://mas.owasp.org/MASTG/iOS/0x06i-Testing-Code-Quality-and-Build-Settings/#dynamic-analysis_3, it is specify that we can use list_bundles (from objection) to analyze the app dependencies.

However, it is also easy to do it without objection and localy using otool with the following command:

$ otool -L DVIA-v2
DVIA-v2:
	/usr/lib/libc++.1.dylib (compatibility version 1.0.0, current version 400.9.1)
	/usr/lib/libsqlite3.dylib (compatibility version 9.0.0, current version 274.6.0)
	/usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.11)
	@rpath/Bolts.framework/Bolts (compatibility version 1.0.0, current version 1.0.0)
	/System/Library/Frameworks/CFNetwork.framework/CFNetwork (compatibility version 1.0.0, current version 893.14.0)
	/System/Library/Frameworks/CoreData.framework/CoreData (compatibility version 1.0.0, current version 849.2.0)
	@rpath/Flurry_iOS_SDK.framework/Flurry_iOS_SDK (compatibility version 1.0.0, current version 1.0.0)
	/System/Library/Frameworks/JavaScriptCore.framework/JavaScriptCore (compatibility version 1.0.0, current version 604.4.7)
	@rpath/Parse.framework/Parse (compatibility version 1.0.0, current version 1.0.0)
	@rpath/Realm.framework/Realm (compatibility version 1.0.0, current version 1.0.0)
	@rpath/RealmSwift.framework/RealmSwift (compatibility version 1.0.0, current version 1.0.0)
	/System/Library/Frameworks/Security.framework/Security (compatibility version 1.0.0, current version 58286.32.2)
	/System/Library/Frameworks/SystemConfiguration.framework/SystemConfiguration (compatibility version 1.0.0, current version 963.30.1)
	/System/Library/Frameworks/Foundation.framework/Foundation (compatibility version 300.0.0, current version 1450.14.0)
	/usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)
	/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1252.0.0)
	/System/Library/Frameworks/AVFoundation.framework/AVFoundation (compatibility version 1.0.0, current version 2.0.0)
	/System/Library/Frameworks/CloudKit.framework/CloudKit (compatibility version 1.0.0, current version 735.0.0)
	/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation (compatibility version 150.0.0, current version 1450.14.0)
	/System/Library/Frameworks/CoreGraphics.framework/CoreGraphics (compatibility version 64.0.0, current version 1129.2.1)
	/System/Library/Frameworks/CoreImage.framework/CoreImage (compatibility version 1.0.0, current version 5.0.0)
	/System/Library/Frameworks/CoreMedia.framework/CoreMedia (compatibility version 1.0.0, current version 1.0.0)
	/System/Library/Frameworks/CoreVideo.framework/CoreVideo (compatibility version 1.2.0, current version 1.5.0)
	/System/Library/Frameworks/LocalAuthentication.framework/LocalAuthentication (compatibility version 1.0.0, current version 425.30.30)
	/System/Library/Frameworks/QuartzCore.framework/QuartzCore (compatibility version 1.2.0, current version 1.11.0)
	/System/Library/Frameworks/UIKit.framework/UIKit (compatibility version 1.0.0, current version 3698.33.6)
	/System/Library/Frameworks/WebKit.framework/WebKit (compatibility version 1.0.0, current version 604.4.7)
	@rpath/libswiftAVFoundation.dylib (compatibility version 1.0.0, current version 900.0.74)
	@rpath/libswiftCore.dylib (compatibility version 1.0.0, current version 900.0.74)
	@rpath/libswiftCoreAudio.dylib (compatibility version 1.0.0, current version 900.0.74)
	@rpath/libswiftCoreData.dylib (compatibility version 1.0.0, current version 900.0.74)
	@rpath/libswiftCoreFoundation.dylib (compatibility version 1.0.0, current version 900.0.74)
	@rpath/libswiftCoreGraphics.dylib (compatibility version 1.0.0, current version 900.0.74)
	@rpath/libswiftCoreImage.dylib (compatibility version 1.0.0, current version 900.0.74)
	@rpath/libswiftCoreLocation.dylib (compatibility version 1.0.0, current version 900.0.74)
	@rpath/libswiftCoreMedia.dylib (compatibility version 1.0.0, current version 900.0.74)
	@rpath/libswiftDarwin.dylib (compatibility version 1.0.0, current version 900.0.74)
	@rpath/libswiftDispatch.dylib (compatibility version 1.0.0, current version 900.0.74)
	@rpath/libswiftFoundation.dylib (compatibility version 1.0.0, current version 900.0.74)
	@rpath/libswiftMetal.dylib (compatibility version 1.0.0, current version 900.0.74)
	@rpath/libswiftObjectiveC.dylib (compatibility version 1.0.0, current version 900.0.74)
	@rpath/libswiftQuartzCore.dylib (compatibility version 1.0.0, current version 900.0.74)
	@rpath/libswiftSwiftOnoneSupport.dylib (compatibility version 1.0.0, current version 900.0.74)
	@rpath/libswiftUIKit.dylib (compatibility version 1.0.0, current version 900.0.74)
	@rpath/libswiftos.dylib (compatibility version 1.0.0, current version 900.0.74)
	@rpath/libswiftsimd.dylib (compatibility version 1.0.0, current version 900.0.74)

[cpholguera]

Hi @rsenet,

The test also mentions otool. See here:

When performing app analysis, it is important to also analyze the app dependencies (usually in form of libraries or so-called iOS Frameworks) and ensure that they don't contain any vulnerabilities. Even when you don't have the source code, you can still identify some of the app dependencies using tools like objection, MobSF or otool. Objection is the recommended tool, since it provides the most accurate results and it is easy to use.

Unless the outputs of the tools are fundamentally different we tend to write the examples using just one.

If you'd like to see the otool -L command instead of only the mention feel free to open a PR including the following change:

When performing app analysis, it is important to also analyze the app dependencies (usually in form of libraries or so-called iOS Frameworks) and ensure that they don't contain any vulnerabilities. Even when you don't have the source code, you can still identify some of the app dependencies using tools like objection, MobSF or the `otool -L` command. Objection is the recommended tool, since it provides the most accurate results and it is easy to use.

[rsenet]

Hey @cpholguera
Thanks for the answer.

What is the good way to create PR here?

I tried the follwoing:

git checkout -b OWASP_20230202
git status
git diff Document/0x06i-Testing-Code-Quality-and-Build-Settings.md
git commit -a -m " Add otool command line for Listing Application Libraries"
git push --set-upstream origin OWASP_20230202

But received the following error:

remote: Permission to OWASP/owasp-mastg.git denied to rsenet.
fatal: unable to access 'https://github.com/OWASP/owasp-mastg.git/': The requested URL returned error: 403

[cpholguera]

You can follow the instructions here (if you want to do it all from your browser):

https://mas.owasp.org/contributing/2_Getting_Started/#contribute-online

Or here (if you want to work on your IDE):

https://mas.owasp.org/contributing/2_Getting_Started/#contribute-offline

[cpholguera]

#2362