Ensuring the secure utilization of the _fopen, _memcpy, _random, and _strlen functions in SQLCipher:

Mugil_Prince · April 17, 2024, 10:18am

Greetings, Zetetic community!
We’ve incorporated SQLCipher into an iOS application. However, during a security audit conducted with the MobSF tool, alerts were raised regarding the usage of certain functions.

Issue: Binary makes use of insecure API(s)
Severity: High
Description: The binary may contain the following insecure API(s) _fopen , _memcpy , _strlen

Issue: Binary makes use of the insecure Random function(s)
Severity: High
Description: The binary may use the following insecure Random function(s) _random.

Issue: Binary makes use of malloc function
Severity: High
Description: The binary may use _malloc function.

Is the implementation of the above functions is free of vulnerabilities?. Furthermore, can it be confirmed that the implementations of the aforementioned functions are secure within this context?

Thank you in advance.

sjlombardo · April 17, 2024, 3:10pm

Hello @Mugil_Prince, yes, SQLCipher is a low level library. It does make use of fopen, memcpy, strlen, random, and malloc. This is both within the context of the upstream SQLite source code as well as within our library extensions. The use of the random function is limited to the SQLite random() function, it is not used by SQLCipher for any cryptographic purposes. To the best of our knowledge the use of these functions is consistent with good practices.

Topic		Replies	Views
CVE-2021-36690 in v4.5.0	1	454	November 15, 2021
Use of 'net.zetetic:android-database-sqlcipher:4.5.1@aar' give OpenSSL 1.1.1m vulnerability SQLCipher	3	411	June 1, 2022
New vulnerabilities in openssl SQLCipher	3	53	July 8, 2024
Cve-2021-3711, cve-2021-3712, cve-2021-3450 & cve-2021-3449 SQLCipher	2	495	November 1, 2021
New vulnerabilities detected in openssl SQLCipher	1	376	August 3, 2023

Ensuring the secure utilization of the _fopen, _memcpy, _random, and _strlen functions in SQLCipher:

Related Topics