SQLCipher binaries memory corruption vulnerabilities

In our Android application, we implemented the SQLCipher library with version “net.zetetic:android-database-sqlcipher:4.4.2”. However, during the VAPT testing, we discovered the following issue. Could you please provide some possible solutions for this problem?

Description:
It was found that a number of binaries embedded into the Android application are currently not leveraging the available compiler flags to mitigate potential memory corruption vulnerabilities. This unnecessarily puts the application more at risk for such issues.

Binaries missing usage of -D_FORTIFY_SOURCE=2:
Missing this flag means common libc functions are missing buffer overflow checks, so the application is more prone to memory corruption vulnerabilities. Please note that most binaries are affected; the following is a reduced list of examples for the sake of brevity.

Binaries (from decompiled production app):
lib/armeabi-v7a/libsqlcipher.so
lib/x86_64/libsqlcipher.so
lib/x86/libsqlcipher.so
lib/arm64-v8a/libsqlcipher.so

We would greatly appreciate your assistance.

Hello @chetan,

D_FORTIFY_SOURCE is used on all native builds with the latest release of SQLCipher for Android. We would recommend updating to the latest, currently 4.5.4.

Hi @developernotes,
Thanks for your prompt response. We will update to the latest library and check.
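
Added example (not part of the thread and not SQLCipher project code): one way to re-check the `libsqlcipher.so` files after upgrading is to look at which libc entry points each library imports, since fortified call sites import `__<name>_chk` variants. This is a symbol-name heuristic; the function names, the `FORTIFIABLE` list and the sample `nm` output are assumptions constructed for illustration.

```python
import subprocess
import sys

# libc functions that have a checked __<name>_chk counterpart under _FORTIFY_SOURCE.
FORTIFIABLE = {"memcpy", "memmove", "memset", "strcpy", "strncpy", "strcat",
               "strncat", "strlen", "sprintf", "snprintf", "vsprintf", "vsnprintf"}

def imported_symbols(nm_output):
    """Parse `nm -D --undefined-only` output into a set of imported symbol names."""
    names = set()
    for line in nm_output.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[-2] in ("U", "w"):
            names.add(fields[-1].split("@")[0])  # drop any @VERSION suffix
    return names

def fortify_report(nm_output):
    """Classify a library by which libc entry points it imports."""
    syms = imported_symbols(nm_output)
    checked = sorted(s for s in syms if s.startswith("__") and s.endswith("_chk"))
    unchecked = sorted(syms & FORTIFIABLE)
    if checked:
        verdict = "fortified"        # unchecked calls may remain where sizes are unknown
    elif unchecked:
        verdict = "not fortified"
    else:
        verdict = "inconclusive"     # nothing fortifiable is imported
    return {"verdict": verdict, "checked": checked, "unchecked": unchecked}

# Constructed sample nm output, not taken from any real libsqlcipher.so build.
SAMPLE_OLD = """\
                 U memcpy
                 U strcpy@LIBC
                 U malloc
"""
SAMPLE_NEW = """\
                 U __memcpy_chk
                 U __strlen_chk@LIBC
                 U memcpy
                 U malloc
"""

if __name__ == "__main__":
    # Usage: python fortify_check.py lib/arm64-v8a/libsqlcipher.so ...
    for path in sys.argv[1:]:
        out = subprocess.run(["nm", "-D", "--undefined-only", path],
                             capture_output=True, text=True, check=True).stdout
        print(path, fortify_report(out))
```

Run it against each ABI directory of the unpacked APK; a "fortified" verdict with some remaining unchecked imports is normal, because the compiler only substitutes the checked variant where it knows the destination size.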