High level security issues identified by Veracode during the static analysis scan of the Android app.

Question

Hi,Our app uses a static analysis tool called Veracode to analyze the source code and all third-party libraries for both Android and iOS apps.Veracode has detected 9 high-level security issues in the Android version of the Intercom SDK.The following issue was identified by Veracode in 9 places: Issue Description:This call contains a path manipulation flaw. The argument to the function is a filename constructed using untrusted input. If an attacker is allowed to specify all or part of the filename, it may be possible to gain unauthorized access to files on the server, including those outside the webroot, that would be normally be inaccessible to end users. The level of exposure depends on the effectiveness of input validation routines, if any.Recommendations:Validate all untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. When using black lists, be sure that the sanitizing routine performs a sufficient number of iterations to remove all instances of disallowed characters.  Instances found by static scan: Please note that we started seeing these issues after upgrading Intercom from v15.6.0 to v15.9.1Could you please assign someone from your team to investigate these high-level issues? If you think these issues are false positives, please provide an explanation so we can share it with our security team.

mateusz.leszkiewicz · Accepted Answer

HiOsama Taha,It’s Mat from the Support Engineering Team 😀Thank you for flagging this issue to us. I’ve created an Intercom conversation for you so our team will have a chance to look into this.Please continue this thread there.

Join the Intercom Community 🎉

Intercom Customers and Employees

Login to the community

Intercom Customers and Employees

Scanning file for viruses.

This file cannot be downloaded