[HOTFIX] Code QA (#2393)

* QA * Add new android rule setAllow*FromFileURLs * android root bypass and debugger bypass scripts improvements * Dockerfile qa * prevent entrypoint exit if username already exists
MobSF · Jun 2, 2024 · 39ba3e6 · 39ba3e6
1 parent 680ca5d
commit 39ba3e6
Show file tree

Hide file tree

Showing 9 changed files with 150 additions and 68 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -10,7 +10,24 @@ LABEL \
     contributor_2="Vincent Nadal <[email protected]>" \
     description="Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis."
 
-ENV DEBIAN_FRONTEND=noninteractive
+ENV DEBIAN_FRONTEND=noninteractive \
+    MOBSF_USER=mobsf \
+    USER_ID=9901 \
+    MOBSF_PLATFORM=docker \
+    MOBSF_ADB_BINARY=/usr/bin/adb \
+    JDK_FILE=openjdk-20.0.2_linux-x64_bin.tar.gz \
+    JDK_FILE_ARM=openjdk-20.0.2_linux-aarch64_bin.tar.gz \
+    WKH_FILE=wkhtmltox_0.12.6.1-2.jammy_amd64.deb \
+    WKH_FILE_ARM=wkhtmltox_0.12.6.1-2.jammy_arm64.deb \
+    JAVA_HOME=/jdk-20.0.2 \
+    PATH=$JAVA_HOME/bin:$PATH \
+    LANG=en_US.UTF-8 \
+    LANGUAGE=en_US:en \
+    LC_ALL=en_US.UTF-8 \
+    PYTHONUNBUFFERED=1 \
+    PYTHONDONTWRITEBYTECODE=1 \
+    PYTHONFAULTHANDLER=1 \
+    POETRY_VERSION=1.6.1
 
 # See https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run
 RUN apt update -y && apt install -y  --no-install-recommends \
@@ -37,32 +54,13 @@ RUN apt update -y && apt install -y  --no-install-recommends \
     locale-gen en_US.UTF-8 && \
     apt upgrade -y
 
-ENV MOBSF_USER=mobsf \
-    MOBSF_PLATFORM=docker \
-    MOBSF_ADB_BINARY=/usr/bin/adb \
-    JDK_FILE=openjdk-20.0.2_linux-x64_bin.tar.gz \
-    JDK_FILE_ARM=openjdk-20.0.2_linux-aarch64_bin.tar.gz \
-    WKH_FILE=wkhtmltox_0.12.6.1-2.jammy_amd64.deb \
-    WKH_FILE_ARM=wkhtmltox_0.12.6.1-2.jammy_arm64.deb \
-    JAVA_HOME=/jdk-20.0.2 \
-    PATH=$JAVA_HOME/bin:$PATH \
-    LANG=en_US.UTF-8 \
-    LANGUAGE=en_US:en \
-    LC_ALL=en_US.UTF-8 \
-    PYTHONUNBUFFERED=1 \
-    PYTHONDONTWRITEBYTECODE=1 \
-    PYTHONFAULTHANDLER=1 \
-    POETRY_VERSION=1.6.1
-
 # Install wkhtmltopdf & OpenJDK
 ARG TARGETPLATFORM
 
 COPY scripts/install_java_wkhtmltopdf.sh .
 RUN ./install_java_wkhtmltopdf.sh
 
-RUN groupadd -g 9901 $MOBSF_USER
-RUN adduser $MOBSF_USER --shell /bin/false -u 9901 --ingroup $MOBSF_USER --gecos "" --disabled-password
-
+# Install Python dependencies
 COPY poetry.lock pyproject.toml ./
 RUN python3 -m pip install --upgrade --no-cache-dir pip poetry==${POETRY_VERSION} && \
     poetry config virtualenvs.create false && \
@@ -104,8 +102,11 @@ HEALTHCHECK CMD curl --fail http://host.docker.internal:8000/ || exit 1
 # Expose MobSF Port and Proxy Port
 EXPOSE 8000 8000 1337 1337
 
-RUN chown -R $MOBSF_USER:$MOBSF_USER /home/mobsf
-USER mobsf
+# Create mobsf user
+RUN groupadd --gid $USER_ID $MOBSF_USER && \
+    useradd $MOBSF_USER --uid $USER_ID --gid $MOBSF_USER --shell /bin/false && \
+    chown -R $MOBSF_USER:$MOBSF_USER /home/mobsf
+USER $MOBSF_USER
 
 # Run MobSF
 CMD ["/home/mobsf/Mobile-Security-Framework-MobSF/scripts/entrypoint.sh"]
diff --git a/mobsf/DynamicAnalyzer/tools/frida_scripts/android/default/debugger_check_bypass.js b/mobsf/DynamicAnalyzer/tools/frida_scripts/android/default/debugger_check_bypass.js
@@ -196,3 +196,22 @@ Java.perform(function() {
         }
     } catch(e){}
 })
+
+/* React Native JailMonkey Detection Bypass */
+
+Java.perform(function() {
+    try{
+        let hook = Java.use("com.gantix.JailMonkey.JailMonkeyModule")['isDevelopmentSettingsMode'];
+        if (hook) {
+            hook.overload("com.facebook.react.bridge.Promise").implementation = function(p) {
+                p.resolve(Java.use("java.lang.Boolean").$new(false));
+            }
+        }
+        let hook2 = Java.use("com.gantix.JailMonkey.JailMonkeyModule")['isDebuggedMode'];
+        if (hook2) {
+            hook2.overload("com.facebook.react.bridge.Promise").implementation = function(p) {
+                p.resolve(Java.use("java.lang.Boolean").$new(false));
+            }
+        }
+    } catch(e){}
+});
diff --git a/mobsf/DynamicAnalyzer/tools/frida_scripts/android/default/root_bypass.js b/mobsf/DynamicAnalyzer/tools/frida_scripts/android/default/root_bypass.js
@@ -163,7 +163,6 @@ Java.performNow(function () {
         }
     } catch (err) {
         send('[RootDetection Bypass] Error ' + className + '.' + classMethod + err);
-        return
     }
 
     try {
@@ -183,7 +182,6 @@ Java.performNow(function () {
         }
     } catch (err) {
         send('[RootDetection Bypass] Error ' + className + '.' + classMethod + err);
-        return
     }
     try {
         className = 'android.security.keystore.KeyInfo'
@@ -203,7 +201,6 @@ Java.performNow(function () {
         }
     } catch (err) {
         send('[RootDetection Bypass] Error ' + className + '.' + classMethod + err);
-        return
     }
 
     // Native Root Check Bypass
@@ -257,4 +254,53 @@ Java.performNow(function () {
     int execvpe(const char *file, char *const argv[], char *const envp[]);
 
     */
-});
+});
+Java.perform(function() {
+    // Bypassing Root in React Native JailMonkey
+    // Source: https://codeshare.frida.re/@RohindhR/react-native-jail-monkey-bypass-all-checks/
+    try {
+        let toHook = Java.use('com.gantix.JailMonkey.JailMonkeyModule')['getConstants'];
+        toHook.implementation = function() {
+            var hashmap = this.getConstants();
+            hashmap.put('isJailBroken', Java.use("java.lang.Boolean").$new(false));
+            hashmap.put('hookDetected', Java.use("java.lang.Boolean").$new(false));
+            hashmap.put('canMockLocation', Java.use("java.lang.Boolean").$new(false));
+            hashmap.put('isOnExternalStorage', Java.use("java.lang.Boolean").$new(false));
+            hashmap.put('AdbEnabled', Java.use("java.lang.Boolean").$new(false));
+            return hashmap;
+        }
+    } catch (err) {}
+    try{
+        // Bypassing Rooted Check
+        let hook = Java.use('com.gantix.JailMonkey.Rooted.RootedCheck')['getResultByDetectionMethod']
+        hook.implementation = function() {
+            let map = this.getResultByDetectionMethod();
+            map.put("jailMonkey", Java.use("java.lang.Boolean").$new(false));
+            return map;
+        }
+
+    } catch (err) {}
+    try{
+        // Bypassing Root detection method's result of RootBeer library
+        var className = 'com.gantix.JailMonkey.Rooted.RootedCheck$RootBeerResults';
+        let toHook = Java.use(className)['isJailBroken'];
+        toHook.implementation = function() {
+            return false;
+        };
+
+        let toHook2 = Java.use(className)['toNativeMap']
+        toHook2.implementation = function() {
+            var map = this.toNativeMap.call(this);
+            map.put("detectRootManagementApps", Java.use("java.lang.Boolean").$new(false));
+            map.put("detectPotentiallyDangerousApps", Java.use("java.lang.Boolean").$new(false));
+            map.put("checkForSuBinary", Java.use("java.lang.Boolean").$new(false));
+            map.put("checkForDangerousProps", Java.use("java.lang.Boolean").$new(false));
+            map.put("checkForRWPaths", Java.use("java.lang.Boolean").$new(false));
+            map.put("detectTestKeys", Java.use("java.lang.Boolean").$new(false));
+            map.put("checkSuExists", Java.use("java.lang.Boolean").$new(false));
+            map.put("checkForRootNative", Java.use("java.lang.Boolean").$new(false));
+            map.put("checkForMagiskBinary", Java.use("java.lang.Boolean").$new(false));
+            return map;
+        };
+    } catch (err) {}
+})
diff --git a/mobsf/MobSF/init.py b/mobsf/MobSF/init.py
@@ -10,7 +10,7 @@
 
 logger = logging.getLogger(__name__)
 
-VERSION = '4.0.2'
+VERSION = '4.0.3'
 BANNER = """
   __  __       _    ____  _____       _  _    ___  
  |  \/  | ___ | |__/ ___||  ___|_   _| || |  / _ \ 

diff --git a/mobsf/StaticAnalyzer/views/android/rules/android_rules.yaml b/mobsf/StaticAnalyzer/views/android/rules/android_rules.yaml
@@ -161,6 +161,23 @@
     owasp-mobile: m1
     masvs: platform-7
     ref: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-javascript-execution-in-webviews-mstg-platform-5
+- id: android_webview_allow_file_from_url
+  message: >-
+    Ensure that user controlled URLs never reaches the Webview. Enabling file access
+    from URLs in WebView can leak sensitive information from the file system.
+  type: RegexAndOr
+  pattern:
+    - setJavaScriptEnabled\(true\)
+    - - \.setAllowFileAccessFromFileURLs\(true\)
+      - \.setAllowUniversalAccessFromFileURLs\(true\)
+  severity: warning
+  input_case: exact
+  metadata:
+    cvss: 6.1
+    cwe: cwe-200
+    owasp-mobile: m1
+    masvs: platform-7
+    ref: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-6
 - id: android_sql_cipher_aes256
   message: >-
     This App uses SQL Cipher. SQLCipher provides 256-bit AES encryption to

diff --git a/mobsf/StaticAnalyzer/views/common/shared_func.py b/mobsf/StaticAnalyzer/views/common/shared_func.py
@@ -198,31 +198,28 @@ def ar_extract(src, dst):
 
 def url_n_email_extract(dat, relative_path):
     """Extract URLs and Emails from Source Code."""
-    urls = []
-    emails = []
+    urls = set()
+    emails = set()
     urllist = []
     url_n_file = []
     email_n_file = []
     # URL Extraction
     urllist = URL_REGEX.findall(dat.lower())
-    uflag = 0
     for url in urllist:
-        if url not in urls:
-            urls.append(url)
-            uflag = 1
-    if uflag == 1:
-        url_n_file.append(
-            {'urls': urls, 'path': escape(relative_path)})
+        urls.add(url)
+    if urls:
+        url_n_file.append({
+            'urls': list(urls),
+            'path': escape(relative_path)})
 
     # Email Extraction
-    eflag = 0
     for email in EMAIL_REGEX.findall(dat.lower()):
-        if (email not in emails) and (not email.startswith('//')):
-            emails.append(email)
-            eflag = 1
-    if eflag == 1:
-        email_n_file.append(
-            {'emails': emails, 'path': escape(relative_path)})
+        if not email.startswith('//'):
+            emails.add(email)
+    if emails:
+        email_n_file.append({
+            'emails': list(emails),
+            'path': escape(relative_path)})
     return urllist, url_n_file, email_n_file
 
 

diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "mobsf"
-version = "4.0.2"
+version = "4.0.3"
 description = "Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis."
 keywords = ["mobsf", "mobile security framework", "mobile security", "security tool", "static analysis", "dynamic analysis", "malware analysis"]
 authors = ["Ajin Abraham <[email protected]>"]

diff --git a/scripts/entrypoint.sh b/scripts/entrypoint.sh
@@ -4,7 +4,9 @@ set -e
 python3 manage.py makemigrations && \
 python3 manage.py makemigrations StaticAnalyzer && \
 python3 manage.py migrate
+set +e
 python3 manage.py createsuperuser --noinput --email ""
+set -e
 python3 manage.py create_roles
 
 exec gunicorn -b 0.0.0.0:8000 "mobsf.MobSF.wsgi:application" --workers=1 --threads=10 --timeout=3600 \