Question by SujitKadam · Apr 22, 2021 at 03:15 PM · android mobile security binary libraries

PIE and RELRO flags not enabled related security issues for Android build when performing Mobile application security testing (MAST).

Hi,
We are currently developing a mobile game for an enterprise client who is also a Fortune 500 company. Hence they have strict security measures before they are willing to put it on their enterprise store. For the same, they asked us to perform a MAST or mobile application security test for the build. As you can see in the attached images from the report, it seems like some flags like the PIE (Position Independent Executables) and RELRO (Relocation Read-Only) are not enabled and hence are flagged off as High priority issues. All these issues are coming from shared library object (.so) files:
1. lib/arm64-v8a/libil2cpp.so
2. lib/arm64-v8a/libmain.so
3. lib/arm64-v8a/libunity.so
4. lib/armeabi-v7a/libil2cpp.so
5. lib/armeabi-v7a/libmain.so
6. lib/armeabi-v7a/libunity.so

(refer to the attached screenshots for more details.)

This build was created in Unity version 2019.3.14f1. However, we tried some solutions as mentioned in the scenarios below but found the same issues there as well:
Scenario 1: Created build in the latest version of unity i.e. 2020.3.2f1 (LTS).
Scenario 2: Created build for both Mono and IL2CPP scripting backend.
Scenario 3: Used locally downloaded NDK and SDK.

Has anyone come across similar issues and help us understand how to 'set' these flags or a possible solution to this.