[iOS] MASTG-TEST-0229 - Lack of Stack Canaries when using fstack-protector-all

[Azulath]

I am facing an issue with an iOS application that is purely Swift, but uses Objective-C libraries. When I perform a check with otool for the presence of a stack canary no output is returned. Unfortunately, adding fstack-protector-all to Other C Flags / Other C++ Flags did not solve the issue.

A way to get the desired outcome is to add a dummy Obj-C as described here on StackOverflow:
https://stackoverflow.com/questions/38564924/swift-and-stack-smashing-protection/60151692#60151692

However, I would argue that this offers no security improvement whatsoever and its only intent is to pass vulnerability assessments.

Digging a bit deeper (swiftc --help-hidden) reveals the -stack-check flag but adding it did not seem to change anything. (It might be enabled by defautt?)

Additionally, I have noticed that it seems like swiftpm projects have the stack canary enabled again, without any particular flag being used, which also contributes to my confusion.

As a result, any help or input in this regard would be greatly appreciated, especially on how the flag can be reliably added to projects.

[cpholguera]

Hi @Azulath, please take a look at the new version of the corresponding MASTG test:

https://mas.owasp.org/MASTG/tests-beta/ios/MASVS-CODE/MASTG-TEST-0229/

We have added some clarifications that may help you. Please let me know if you think the test isn't clear enough and if you have any suggestions for improving it.