Staging URLs present in production code - Security Issue - For our Customer #1107
Comments
@samfriedmanfuji thank you for logging this issue. This is impacting several of our tier 1 carriers that use braintree/paypal services. This is a security issue that Staging URLs are present within the client. Without the removal of these URLs we cannot submit our application to the App Store as it is directly against the Security Office requirements. Please treat this with priority.
Thanks @samfriedmanfuji for logging this. Good to get this fixed quickly.
This was raised as a security vulnerability by one of our clients. We would appreciate BrainTree addressing this issue as quickly as possible. Thanks.
This issue is blocking me with store submission. It will be helpful if the team addresses this issue asap.
Hello all - We will reach out to the 3rd party dependency and pass over your concern. I will reach back out when we have an update from that team.
The PR looks to be approved but it is now marked as BLOCKED. We are still waiting on a build; is there an expected date for a release?
Hi @samfriedmanfuji - we plan on having this released by the end of the week. There were some issues with the backend service that hosts our xcframework assets that we are hoping will be ironed out soon.
Hey all - Version 6.8.0 of the SDK has been released with staging URLs removed. Please let us know if you continue to run into any issues after updating.
Thank you. However, we are using version 5.23 of the Braintree SDK. Can we get a build of the 5.x branch?
Hey @samfriedmanfuji, thanks for letting us know. We will work on getting a new internal build with stage removed for 5.x. I will reopen this issue for the time being to track that this work still needs to be completed on the 5.x branch.
Hello @samfriedmanfuji - Version 5.24.0 of the SDK has been released with the staging URLs removed. Please let us know if you run into any issues!
@jaxdesmarais Thanks, unfortunately I am encountering several issues with this version. I can still build and run just fine with 5.23, but when I update to 5.24 I am getting 100 "Undefined symbol" build errors - the first 10 are as follows:
What's even more concerning, however, is that regardless of whether I am able to build, the original bug is not resolved. I am checking the latest version of PPRiskMagnes from Carthage, and I also downloaded the framework directly from https://assets.braintreegateway.com/mobile/ios/carthage-frameworks/pp-risk-magnes/PPRiskMagnes.5.4.1.xcframework.zip for comparison. In both cases, I am still seeing both stage URLs present in the code. Can we please ensure that this is the actual latest version that has the stage URLs removed?
Update: I resolved the Undefined symbol errors by simply adding a blank Swift file to my project. Now the app builds, but immediately crashes on startup with the error I am using Xcode 14.2 and I am targeting iOS 12.
Hey @samfriedmanfuji - We can certainly reach out to our 3rd party provider of the Magnes framework to let them know not all of the URLs have been removed as expected. They had assured us stage was fully removed so I will reach back out once we hear back from them. Regarding the build errors you are seeing, I am not seeing the same warnings on Xcode 14.2 targeting iOS 12. I am using our Demo app from our repo and am able to build for both simulator and device without issue. Are you able to share more about your setup so we can troubleshoot further?
Hello @samfriedmanfuji - It looks like some of the frameworks uploaded were mixed up and an older version was uploaded for
@jaxdesmarais would you have an update on this problem? Hope this is going to be resolved soon. Thanks
Hey @gjegadesh - I have a PR up here for the 5.x changes: #1127. Our Carthage asset cache is intermittently not populating the expected files, which we have escalated internally. Once that is resolved we should be able to get the release over to you all. In the meantime, if you'd like to confirm that branch works as expected for you all, please feel free. As soon as we resolve the asset cache issue we will get the released version over to you all. Thanks for your patience.
Hey all - This was released in version 5.24.1. Thanks again for your patience, and once you've confirmed things are working as expected I will close out this issue.
Braintree SDK Version: 5.23.0
Environment: Production
Xcode Version: N/A
OS Version & Device: No response
Integration type: CocoaPods
Development Processor: Both
Describe the bug
Using iOS Braintree SDK v5.23, stage URLs are present within the code for PPRiskMagnes.framework. The same issue was resolved earlier this year for the Android SDK (braintree/braintree_android issue #657, "Staging URLs present in production code - Security Issue - For our Customer"). Our customers have a zero tolerance policy for staging URLs in production mobile clients that are submitted via the App Store and/or preloaded in the latest iOS devices. Would it be possible to remove the staging URLs from the library? The tool they are using to scan is proprietary (they will not reveal the scanning tool to us). This is a tier 1 telecom customer.
Scanning tool aside, inspecting the PPRiskMagnes SDK it is very clear that staging URLs are present within the SDK, and this breaches their security policy since "staging" URLs are showing up in a "production" application.
The PPRiskMagnes.framework contains the following stage URLs:
https://www.stage2du13.stage.paypal.com/r/v1/device/mg-audit
https://www.stage2du13.stage.paypal.com/r/v1/device/client-metadata
Please let us know if it is possible to remove these URLs. Our customer will not submit the app to the App Store unless the URLs are removed.
To reproduce
The stage URLs were found by running:
strings PPRiskMagnes.framework/PPRiskMagnes | grep "stage"
Expected behavior: No stage URLs present in production code
Screenshots: No response
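The reproduction above is a one-off manual check. As an added example (not code from this issue thread or from the Braintree or PayPal SDKs), the script below turns the same `strings | grep "stage"` idea into a release gate that can run in CI before an App Store submission: it extracts every http(s) URL embedded in a binary, flags the ones whose host looks non-production, and fails with a non-zero exit status if any are found. The non-production tokens (`stage`, `staging`, `sandbox`) and the two sample "binaries" it builds under a temporary directory are constructed assumptions for the demonstration; the sample contents reuse the two stage URLs quoted in this issue next to a production-looking URL.

```shell
#!/bin/sh
# Added example: a release gate that scans a compiled binary for non-production
# URLs, generalising the `strings ... | grep "stage"` check from the issue.
# Hostname tokens are an assumption; adjust them to your own naming scheme.

# Case-insensitive extended regex marking a URL host as non-production.
NONPROD_PATTERN='stage[0-9]*\.|\.stage\.|staging|sandbox'

# extract_urls FILE: print every http(s) URL embedded in FILE, one per line.
# `tr` turns each non-printable byte into a newline, a portable stand-in for
# `strings`; `grep -a` treats the result as text even if odd bytes remain.
extract_urls() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" \
        | LC_ALL=C grep -a -o -E 'https?://[A-Za-z0-9._~:/?#@!$&+,;=%-]+' \
        | sort -u
}

# find_nonprod_urls FILE: only the URLs matching NONPROD_PATTERN (may be empty).
find_nonprod_urls() {
    extract_urls "$1" | grep -i -E "$NONPROD_PATTERN" || true
}

# check_binary FILE: exit status 0 if clean, 1 if any non-production URL is
# present. Intended as a CI step that blocks the build before submission.
check_binary() {
    hits=$(find_nonprod_urls "$1")
    if [ -n "$hits" ]; then
        printf 'FAIL: non-production URLs found in %s\n%s\n' "$1" "$hits" >&2
        return 1
    fi
    printf 'OK: no non-production URLs in %s\n' "$1"
    return 0
}

# --- constructed sample binaries (not real SDK artifacts) -------------------
# make_sample OUT STRING...: write a blob with non-printable bytes around each
# embedded string, mimicking string constants inside a Mach-O image.
make_sample() {
    out=$1; shift
    : > "$out"
    for s in "$@"; do
        printf '\000\001\002%s\377\376' "$s" >> "$out"
    done
}

SAMPLE_DIR=${TMPDIR:-/tmp}/urlscan.$$
mkdir -p "$SAMPLE_DIR"
DIRTY_BIN=$SAMPLE_DIR/PPRiskMagnes-dirty    # contains the two stage URLs
CLEAN_BIN=$SAMPLE_DIR/PPRiskMagnes-clean    # production URLs only
make_sample "$DIRTY_BIN" \
    'https://www.paypal.com/r/v1/device/mg-audit' \
    'https://www.stage2du13.stage.paypal.com/r/v1/device/mg-audit' \
    'https://www.stage2du13.stage.paypal.com/r/v1/device/client-metadata'
make_sample "$CLEAN_BIN" \
    'https://www.paypal.com/r/v1/device/mg-audit' \
    'https://www.paypal.com/r/v1/device/client-metadata'

# Run the gate on both samples: the dirty one fails, the clean one passes.
check_binary "$DIRTY_BIN" || true
check_binary "$CLEAN_BIN"
```

In a real pipeline you would point `check_binary` at the framework binary inside the built `.xcframework` (or at the final `.app` executable) and let its non-zero exit fail the job. Because the match is a plain substring regex, a token like `stage` can also hit unrelated strings (`stagename`, for instance), so review the printed hits rather than treating the count alone as proof; widening `NONPROD_PATTERN` to your own internal hostnames is the main tuning knob.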