MASTG-KNOW-0060: Memory Corruption Bugs

Modern iOS applications are largely written in Swift or Objective-C, which both provide mechanisms that reduce the likelihood of memory corruption. Swift in particular enforces memory safety by design, preventing common issues such as buffer overflows and use-after-free conditions through strong type checking and automatic memory management. However, these protections are not absolute.

Memory corruption vulnerabilities can still occur when applications or SDKs rely on native components written in C or C++. Such code, often accessed through bridging or wrappers in Objective-C or Swift, falls outside the guarantees of automatic reference counting (ARC) and Swift's safety model. These native modules are subject to traditional risks such as buffer overflows, out-of-bounds reads or writes, integer overflows, and use-after-free errors. Examples of similar issues have been observed in iOS system services and third-party frameworks implemented in C or C++.

Memory management issues can also arise at the Objective-C or Swift layer, most often in the form of memory leaks or retain cycles. These occur when strong references between objects prevent proper deallocation, leading to increased memory usage and potential performance degradation.

Learn more:

• https://developer.ibm.com/tutorials/mo-ios-memory/
• https://developer.apple.com/library/archive/documentation/Cocoa/Conceptual/MemoryMgmt/Articles/MemoryMgmt.html
• https://medium.com/zendesk-engineering/ios-identifying-memory-leaks-using-the-xcode-memory-graph-debugger-e84f097b9d15

Why doesn't the OWASP MASTG have tests for this anymore?

The tests for memory corruption vulnerabilities were removed from the OWASP MASTG because these issues are best addressed during development rather than through black box penetration testing. Memory corruption flaws such as buffer overflows, out-of-bounds access, integer overflows, use-after-free, and format string vulnerabilities should typically be identified by developers during the development process through static or dynamic code analysis, compiler protections, and secure coding practices.

Detecting these flaws in compiled mobile applications is highly complex and unreliable without access to source code or debug symbols. Moreover, modern mobile platforms implement robust memory safety features, including address space layout randomization (ASLR), stack canaries, and runtime protections that significantly reduce the exploitability of such bugs.

OWASP now prioritizes proactive prevention through secure development and automated analysis rather than manual runtime testing. The OWASP Software Assurance Maturity Model (SAMM) and NIST Special Publication (SP) 800-218, Secure Software Development Framework (SSDF) provide structured guidance for integrating security into the development lifecycle, ensuring that developers run the necessary tools and checks to detect and mitigate memory safety issues early through proper coding standards, compiler configurations, and continuous security testing.