4.2.0 (#2450)

- Added malware lookup using SHA2 with VirusTotal, Triage, Hybrid Analysis, and MetaDefender.
- Fixed permissions of extracted files to counter anti-analysis techniques.
- Resolved APK parsing errors in `androguard`.
- Handled exceptions in `string_on_binary`.
- Optimized APK ZIP analysis for improved performance.
- Fixed untar permission errors in dynamic analysis.
- Added bypass for SSL pinning in Boye's `AbstractVerifier`.
- Updated bypass for SSL pinning in Appmattus's `CertificateTransparencyInterceptor`.
- Introduced SSL pinning detector script.
- Improved Frida intent dumper script.
- Added Frida intent tracer script.
- Introduced timeouts for all HTTP calls.
- Added `django-q2`-based asynchronous scans for Android and iOS binaries and source code.
- Fixed bug in certificate analysis.
- Enabled asynchronous scans in Docker Compose setup.
- Performed QA for Android and iOS SAST modules.
- Added Frida script for `audit-webview`.
- Introduced Frida script for `trace-javascript-interface`.
- Upgraded `libsast` for improved file reading, multiprocessing, and multithreading.
- Fixed PNG crush issues on Darwin systems.
- Performed QA on the home screen UI.
- Updated `httptools` and `libsast` dependencies.

.github/codeql-config.yml

@@ -0,0 +1,12 @@
+name: "CodeQL config"
+
+queries:
+  - uses: security-extended
+
+query-filters:
+  - exclude:
+      id: py/path-injection  # To much false positives
+
+paths-ignore:
+  - "**/.git/**"
+  - "**/.github/**"

.github/workflows/codeql-analysis.yml

@@ -1,61 +1,76 @@
-name: "CodeQL"
+name: "CodeQL Advanced"
 
 on:
   push:
     branches: [ "master" ]
   pull_request:
-    # The branches below must be a subset of the branches above
     branches: [ "master" ]
   schedule:
-    - cron: '17 16 * * 0'
+    - cron: '18 14 * * 3'
 
 jobs:
   analyze:
-    name: Analyze
-    runs-on: ubuntu-latest
+    name: Analyze (${{ matrix.language }})
+    # Runner size impacts CodeQL analysis time. To learn more, please see:
+    #   - https://gh.io/recommended-hardware-resources-for-running-codeql
+    #   - https://gh.io/supported-runners-and-hardware-resources
+    #   - https://gh.io/using-larger-runners (GitHub.com only)
+    # Consider using larger runners or machines with greater resources for possible analysis time improvements.
+    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
     permissions:
+      # required for all workflows
+      security-events: write
+
+      # required to fetch internal or private CodeQL packs
+      packages: read
+
+      # only required for workflows in private repositories
       actions: read
       contents: read
-      security-events: write
 
     strategy:
       fail-fast: false
       matrix:
-        language: [ 'python' ]
-        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
-        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
-
+        include:
+        - language: python
+          build-mode: none
+        # CodeQL supports the following values keywords for 'language': 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift'
+        # Use `c-cpp` to analyze code written in C, C++ or both
+        # Use 'java-kotlin' to analyze code written in Java, Kotlin or both
+        # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
+        # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
+        # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
+        # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
+        # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v3
       with:
         languages: ${{ matrix.language }}
-        # If you wish to specify custom queries, you can do so here or in a config file.
-        # By default, queries listed here will override any specified in a config file.
-        # Prefix the list here with "+" to use these queries and those in the config file.
-
-        # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
-        # queries: security-extended,security-and-quality
-
-
-    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
-    # If this step fails, then you should remove it and run the build manually (see below)
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
-
+        build-mode: ${{ matrix.build-mode }}
+        config-file: .github/codeql-config.yml
+
+    # If the analyze step fails for one of the languages you are analyzing with
+    # "We were unable to automatically build your code", modify the matrix above
+    # to set the build mode to "manual" for that language. Then modify this step
+    # to build your code.
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
-
-    #   If the Autobuild fails above, remove it and uncomment the following three lines. 
-    #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
-
-    # - run: |
-    #   echo "Run, Build Application using script"
-    #   ./location_of_script_within_repo/buildscript.sh
+    - if: matrix.build-mode == 'manual'
+      shell: bash
+      run: |
+        echo 'If you are using a "manual" build mode for one or more of the' \
+          'languages you are analyzing, replace this with the commands to build' \
+          'your code, for example:'
+        echo '  make bootstrap'
+        echo '  make release'
+        exit 1
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v3
+      with:
+        category: "/language:${{matrix.language}}"

docker/docker-compose.yml

@@ -3,6 +3,12 @@ services:
   postgres:
     image: "postgres:13"
     restart: always
+    deploy:
+      resources:
+        limits:
+          memory: 1G
+        reservations:
+          memory: 512M
     volumes:
       - $HOME/MobSF/postgresql_data:/var/lib/postgresql/data
     environment:
@@ -15,6 +21,12 @@ services:
   nginx:
     image: nginx:latest
     restart: always
+    deploy:
+      resources:
+        limits:
+          memory: 1G
+        reservations:
+          memory: 256M
     ports:
       - "80:4000"
       - "1337:4001"
@@ -25,8 +37,31 @@ services:
     networks:
       - mobsf_network
 
+  djangoq:
+    image: opensecurity/mobile-security-framework-mobsf:latest
+    build:
+      context: ..
+      dockerfile: Dockerfile
+    restart: unless-stopped
+    command: /home/mobsf/Mobile-Security-Framework-MobSF/scripts/qcluster.sh
+    volumes:
+      - $HOME/MobSF/mobsf_data:/home/mobsf/.MobSF
+    environment:
+      - POSTGRES_USER=postgres
+      - POSTGRES_PASSWORD=password
+      - POSTGRES_DB=mobsf
+      - POSTGRES_HOST=postgres
+      - POSTGRES_PORT=5432
+    depends_on:
+      - postgres
+    networks:
+      - mobsf_network
+
   mobsf:
     image: opensecurity/mobile-security-framework-mobsf:latest
+    build:
+      context: ..
+      dockerfile: Dockerfile
     restart: always
     volumes:
       - $HOME/MobSF/mobsf_data:/home/mobsf/.MobSF
@@ -36,10 +71,15 @@ services:
       - POSTGRES_DB=mobsf
       - POSTGRES_HOST=postgres
       - POSTGRES_PORT=5432
+      - MOBSF_ASYNC_ANALYSIS=1
     healthcheck:
       test: curl -f http://localhost:8000/login/ || exit 1
+      interval: 30s
+      timeout: 10s
+      retries: 5
     depends_on:
       - postgres
+      - djangoq
     networks:
       - mobsf_network
     extra_hosts:

mobsf/DynamicAnalyzer/tools/frida_scripts/android/default/ssl_pinning_bypass.js

@@ -241,15 +241,82 @@ Java.perform(function() {
     } catch (err) {
         send('[SSL Pinning Bypass] Cronet not found');
     }
-    /* Certificate Transparency Bypass
-       Ajin Abraham - opensecurity.in */
-    try{
+    /* Boye AbstractVerifier */
+    try {
+        Java.use("ch.boye.httpclientandroidlib.conn.ssl.AbstractVerifier").verify.implementation = function(host, ssl) {
+        send("[SSL Pinning Bypass] Bypassing Boye AbstractVerifier" + host);
+    };
+    } catch (err) {
+        send("[SSL Pinning Bypass] Boye AbstractVerifier not found");
+    }
+    /* Appmattus */
+    try {
+        /* Certificate Transparency Bypass Ajin Abraham - opensecurity.in */
         Java.use('com.babylon.certificatetransparency.CTInterceptorBuilder').includeHost.overload('java.lang.String').implementation = function(host) {
             send('[SSL Pinning Bypass] Bypassing Certificate Transparency check');
             return this.includeHost('nonexistent.domain');
         };
+    } catch (err) {
+        send('[SSL Pinning Bypass] babylon certificatetransparency.CTInterceptorBuilder not found');
+    }
+    try {
+        Java.use("com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyInterceptor")["intercept"].implementation = function(a) {
+            send("[SSL Pinning Bypass] Appmattus Certificate Transparency");
+            return a.proceed(a.request());
+        };
+    } catch (err) {
+        send("[SSL Pinning Bypass] Appmattus CertificateTransparencyInterceptor not found");
+    }
+    try{
+        bypassOkHttp3CertificateTransparency();
     } catch (err) {
         send('[SSL Pinning Bypass] certificatetransparency.CTInterceptorBuilder not found');
     }
-
 }, 0);
+
+
+function bypassOkHttp3CertificateTransparency() {
+  // https://gist.github.com/m-rey/f2a235123908ca42395b6d3c5fe1128e
+    var CertificateTransparencyInterceptor = Java.use('com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyInterceptor');
+    var OkHttpClientBuilder = Java.use('okhttp3.OkHttpClient$Builder');
+
+    CertificateTransparencyInterceptor.intercept.implementation = function (chain) {
+        var request = chain.request();
+        var url = request.url();
+        var host = url.host();
+
+        // Dynamically access the VerificationResult classes
+        var VerificationResult = Java.use('com.appmattus.certificatetransparency.VerificationResult');
+        var VerificationResultSuccessInsecureConnection = Java.use('com.appmattus.certificatetransparency.VerificationResult$Success$InsecureConnection');
+        var VerificationResultFailureNoCertificates = Java.use('com.appmattus.certificatetransparency.VerificationResult$Failure$NoCertificates');
+
+        // Create instances of the desired VerificationResult classes
+        var success = VerificationResultSuccessInsecureConnection.$new(host);
+        var failureNoCertificates = VerificationResultFailureNoCertificates.$new();
+
+        // Bypass certificate transparency verification
+        var certs = chain.connection().handshake().peerCertificates();
+        if (certs.length === 0) {
+        send('[SSL Pinning Bypass] Certificate transparency bypassed.');
+        return failureNoCertificates;
+        }
+
+        try {
+        // Proceed with the original request
+        return chain.proceed(request);
+        } catch (e) {
+        // Catch SSLPeerUnverifiedException and return intercepted response
+        if (e.toString().includes('SSLPeerUnverifiedException')) {
+            send('[SSL Pinning Bypass] Certificate transparency failed.');
+            return failureNoCertificates;
+        }
+        throw e;
+        }
+    };
+
+    OkHttpClientBuilder.build.implementation = function () {
+        // Intercept the OkHttpClient creation
+        var client = this.build();
+        return client;
+    };
+}

mobsf/DynamicAnalyzer/tools/frida_scripts/android/others/audit-webview.js

@@ -0,0 +1,53 @@
+Java.perform(function () {
+   send("Starting WebView configuration dump...");
+
+    const WebView = Java.use('android.webkit.WebView');
+
+    // Hook the first overload: loadUrl(String)
+    WebView.loadUrl.overload('java.lang.String').implementation = function (url) {
+       send("[+] WebView.loadUrl(String) called: " + url);
+
+        // Dump WebSettings after loading a URL
+        dumpWebSettingsSafely(this);
+
+        // Call the original method
+        this.loadUrl(url);
+    };
+
+    // Hook the second overload: loadUrl(String, Map)
+    WebView.loadUrl.overload('java.lang.String', 'java.util.Map').implementation = function (url, additionalHttpHeaders) {
+       send("[+] WebView.loadUrl(String, Map) called: " + url);
+       send("    Additional HTTP Headers: " + additionalHttpHeaders);
+
+        // Dump WebSettings after loading a URL
+        dumpWebSettingsSafely(this);
+
+        // Call the original method
+        this.loadUrl(url, additionalHttpHeaders);
+    };
+
+    function dumpWebSettingsSafely(webView) {
+        try {
+            const webSettings = webView.getSettings();
+           send("\n[+] Dumping WebSettings:");
+
+            // Security-sensitive settings
+           send("    JavaScript Enabled: " + webSettings.getJavaScriptEnabled());
+           send("    Allow File Access: " + webSettings.getAllowFileAccess());
+           send("    Allow Content Access: " + webSettings.getAllowContentAccess());
+           send("    Mixed Content Mode: " + webSettings.getMixedContentMode());
+           send("    Safe Browsing Enabled: " + webSettings.getSafeBrowsingEnabled());
+           send("    Dom Storage Enabled: " + webSettings.getDomStorageEnabled());
+           send("    Allow Universal Access From File URLs: " + webSettings.getAllowUniversalAccessFromFileURLs());
+           send("    Allow File Access From File URLs: " + webSettings.getAllowFileAccessFromFileURLs());
+            // Caching and storage
+           send("    Cache Mode: " + webSettings.getCacheMode());
+            // User agent and other information
+           send("    User Agent String: " + webSettings.getUserAgentString());
+        } catch (err) {
+            send("Error while dumping WebView configuration: " + err);
+        }
+    }
+
+   send("Hooks installed for WebView.");
+});

mobsf/DynamicAnalyzer/tools/frida_scripts/android/others/detect-ssl-pinning.js

@@ -0,0 +1,20 @@
+try {
+    var UnverifiedCertError = Java.use('javax.net.ssl.SSLPeerUnverifiedException');
+    UnverifiedCertError.$init.implementation = function(str) {
+        send('Unexpected SSLPeerUnverifiedException occurred');
+        try {
+            var stackTrace = Java.use('java.lang.Thread').currentThread().getStackTrace();
+            var exceptionStackIndex = stackTrace.findIndex(stack => stack.getClassName() === "javax.net.ssl.SSLPeerUnverifiedException");
+            var callingFunctionStack = stackTrace[exceptionStackIndex + 1];
+            var className = callingFunctionStack.getClassName();
+            var methodName = callingFunctionStack.getMethodName();
+            var callingClass = Java.use(className);
+            var callingMethod = callingClass[methodName];
+            send('SSL exception caused: ' + className + '.' + methodName + '. Patch this method to bypass pinning.');
+            if (callingMethod.implementation) {
+                return;
+            }
+        } catch (e) {}
+        return this.$init(str);
+    };
+} catch (err) {}