Greetings,
For reference:
- using AIR SDK 32
- using a Windows machine to build the iOS IPA file with AIR ADT
- The AIR iOS app also uses our own custom iOS AIR Native Extension (ANE)
Our AIR iOS app was flagged under a security audit for not using Automatic Reference Counting (ARC) and Stack Smashing Protector (SSP).
ARC is a compiler feature that provides automatic memory management of Objective-C objects and protects from memory corruption vulnerabilities.
SSP is a feature to protect the application from Stack Overflows/Stack Smashing/Buffer Overflow Attacks.
The recommendation by the auditor was to enable the `-fobjc-arc` flag and the `-fstack-protector-all` flag.
However, the current instructions for adding these flags are for when you are using Xcode to build the iOS app.
From my understanding, AIR is using ADT (AIR development Tool) to build the app and it is not using Xcode internally, so I'm not able to add these in some "Xcode" project.
And I'm also unable to find any option to add these flags or similar flags in the ADT packaging command.
Ref: https://help.adobe.com/en_US/air/build/WS901d38e593cd1bac1e63e3d128cdca935b-8000.html
Can anyone (pref. from Adobe/HARMAN staff or anyone who has encountered this risk issue) kindly verify if these security flags or security features can or cannot be added using AIR SDK (or specifically AIR SDK 32) at the moment?
I would like a confirmation if it is not really supported, so that we can reason the build tool limitation with the auditor.
Thanks
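As an added example (not part of the original post and not Adobe or HARMAN code): a Python check that can run on a Windows build machine to see which of the two features a binary shows evidence of, by reading the Mach-O symbol string table. It assumes the input is a thin 64-bit Mach-O extracted from the IPA, and the marker symbol names in `MARKERS` are an assumption about what an audit tool looks for; the sample binary is constructed.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF  # thin 64-bit little-endian Mach-O (arm64 iOS slice)
LC_SYMTAB = 0x2           # load command that locates the symbol string table

# Assumed markers: runtime symbols the compiler references when a feature is on.
MARKERS = {
    "stack_protector": {b"___stack_chk_fail", b"___stack_chk_guard"},
    "arc": {b"_objc_release", b"_objc_storeStrong"},
}

def symbol_names(macho: bytes) -> set:
    """Return every name in the Mach-O string table referenced by LC_SYMTAB."""
    if len(macho) < 32:
        raise ValueError("too short for a Mach-O header")
    magic, _cpu, _sub, _ftype, ncmds, _size, _flags, _rsv = struct.unpack_from("<8I", macho, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a thin 64-bit Mach-O; extract the arm64 slice first")
    offset = 32  # load commands start right after mach_header_64
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", macho, offset)
        if cmdsize < 8:
            raise ValueError("corrupt load command")
        if cmd == LC_SYMTAB:
            _symoff, _nsyms, stroff, strsize = struct.unpack_from("<4I", macho, offset + 8)
            return set(macho[stroff:stroff + strsize].split(b"\0")) - {b""}
        offset += cmdsize
    return set()

def audit(macho: bytes) -> dict:
    """Map each feature to the marker symbols found (empty list = not detected)."""
    names = symbol_names(macho)
    return {feat: sorted(n.decode() for n in names & syms) for feat, syms in MARKERS.items()}

def constructed_macho(symbols) -> bytes:
    """Build a minimal constructed Mach-O (header + LC_SYMTAB + strings) for the demo."""
    strtab = b"\0" + b"\0".join(symbols) + b"\0"
    header = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 1, 24, 0, 0)
    symtab = struct.pack("<6I", LC_SYMTAB, 24, 56, 0, 56, len(strtab))
    return header + symtab + strtab

if __name__ == "__main__":
    hardened = constructed_macho([b"_main", b"___stack_chk_fail", b"___stack_chk_guard", b"_objc_release"])
    print(audit(hardened))
    print(audit(constructed_macho([b"_main"])))
```

An empty list for a feature means none of the assumed marker symbols were found in that binary, which is the evidence to take back to the auditor alongside the build tool's limitations.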
Hey, if you want to report an issue that needs to be fixed in AIR 33 or want to request a feature, your best bet is the issues tracker on this page; Harman is quite active there: