Insecure iOS Functions Detected in Flutter App Dependencies

Hello Flutter Community,

Our team recently conducted a security audit on our Flutter app, which runs on web, iOS, and Android platforms. The audit report highlighted some high-priority vulnerabilities related to the use of potentially insecure functions on iOS:

  • _fopen
  • _printf
  • _memcopy
  • _sscanf
  • _malloc

We do not directly use these functions in our codebase. However, they were detected when scanning our compiled iOS binary, and seem to originate from dependencies such as Firebase, the Flutter framework, various libswift***.dylib files, and other Flutter plugins we utilize for specific features.

We are reaching out to the community to:

  • Ask if anyone has encountered similar findings during security audits.
  • Learn how others have addressed or mitigated these reported vulnerabilities.
  • Gather best practices for handling such references originating from third-party libraries or the Flutter framework.

We are committed to ensuring the security of our app and would greatly appreciate any insights or advice from those who have faced similar challenges.

Apologies if I’m breaking some rule I overlooked in the guidelines.

Thank you!

3 Likes

Hi joaojuby,

These aren’t vulnerabilities. Many of these “security scan” tools are just looking for the usage of certain functions but can’t identify if there is a problem with their usage that makes them unsafe.

Consider that it is flagging the Swift standard library dylibs, meaning either every single Swift-using application on iOS has a severe vulnerability or … the tool isn’t working correctly.

7 Likes
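One way to put such a finding in context, as an added example that is not part of this thread: a Python triage script that parses `nm -m` output for each Mach-O file in the `.app` bundle and reports which binaries actually import each flagged symbol, so references coming from the Flutter engine or the Swift runtime can be separated from the team's own code for the auditor. The bundle paths, the `FIRST_PARTY` set and the `nm` excerpts are constructed.

```python
import re
from collections import defaultdict

# Symbols the audit report listed; the thread writes the third as "_memcopy",
# but the symbol libSystem actually exports is "_memcpy".
FLAGGED = {"_fopen", "_printf", "_memcpy", "_sscanf", "_malloc"}

# Undefined-import lines as `nm -m` prints them on macOS, e.g.
#   "                 (undefined) external _fopen (from libSystem)"
UNDEF_RE = re.compile(r"\(undefined\)\s+external\s+(\S+)\s+\(from\s+(\S+)\)")

def parse_nm_m(text):
    """Return {symbol: providing_library} for every undefined import in nm -m output."""
    return {m.group(1): m.group(2) for m in UNDEF_RE.finditer(text)}

def triage(nm_outputs, first_party):
    """Map each flagged symbol to the bundle files that import it.
    nm_outputs: {bundle-relative path: output of `nm -m <file>`};
    first_party: the paths built from the team's own sources."""
    result = defaultdict(lambda: {"first_party": [], "third_party": []})
    for path, text in nm_outputs.items():
        for sym, lib in parse_nm_m(text).items():
            if sym in FLAGGED:
                bucket = "first_party" if path in first_party else "third_party"
                result[sym][bucket].append(f"{path} (from {lib})")
    return dict(result)

def third_party_only(report):
    """Flagged symbols no first-party binary imports: attributable to dependencies."""
    return sorted(sym for sym, where in report.items() if not where["first_party"])

# Constructed `nm -m` excerpts for a Flutter iOS bundle; a real run would use
# `nm -m Runner.app/Runner`, `nm -m Runner.app/Frameworks/Flutter.framework/Flutter`, etc.
SAMPLE = {
    "Runner": """
                 (undefined) external _malloc (from libSystem)
                 (undefined) external _memcpy (from libSystem)
                 (undefined) external _objc_msgSend (from libobjc)""",
    "Frameworks/Flutter.framework/Flutter": """
                 (undefined) external _fopen (from libSystem)
                 (undefined) external _sscanf (from libSystem)
                 (undefined) external _malloc (from libSystem)""",
    "Frameworks/libswiftCore.dylib": """
                 (undefined) external _printf (from libSystem)
                 (undefined) external _memcpy (from libSystem)""",
}
# The host app binary; App.framework/App (the AOT-compiled Dart code) would also belong here.
FIRST_PARTY = {"Runner"}
```

Symbols that only third-party binaries import can be documented as dependency references in the audit response, while anything imported by a first-party binary is where a code review of the actual call sites is worth the effort.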