Bug Fixes + Improvements

mobsf/MobSF/init.py

@@ -10,7 +10,7 @@
 
 logger = logging.getLogger(__name__)
 
-VERSION = '3.8.7'
+VERSION = '3.8.8'
 BANNER = """
   __  __       _    ____  _____       _____  ___  
  |  \/  | ___ | |__/ ___||  ___|_   _|___ / ( _ ) 

mobsf/MobSF/utils.py

@@ -492,7 +492,8 @@ def update_local_db(db_name, url, local_file):
         else:
             logger.info('%s Database is up-to-date', db_name)
         return update
-    except requests.exceptions.ReadTimeout:
+    except (requests.exceptions.ReadTimeout,
+            requests.exceptions.ConnectionError):
         logger.warning('Failed to download %s DB.', db_name)
     except Exception:
         logger.exception('[ERROR] %s DB Update', db_name)

mobsf/MobSF/views/home.py

@@ -164,7 +164,7 @@ def upload(self):
 def api_docs(request):
     """Api Docs Route."""
     context = {
-        'title': 'REST API Docs',
+        'title': 'API Docs',
         'api_key': api_key(),
         'version': settings.MOBSF_VER,
     }

mobsf/StaticAnalyzer/tests.py

@@ -71,7 +71,7 @@ def static_analysis_test():
         if platform.system() in ['Darwin', 'Linux']:
             pdfs = [
                 '/pdf/02e7989c457ab67eb514a8328779f256/',
-                '/pdf/3a552566097a8de588b8184b059b0158/',
+                '/pdf/82ab8b2193b3cfb1c737e3a786be363a/',
                 '/pdf/6c23c2970551be15f32bbab0b5db0c71/',
                 '/pdf/52c50ae824e329ba8b5b7a0f523efffe/',
                 '/pdf/57bb5be0ea44a755ada4a93885c3825e/',
@@ -81,7 +81,7 @@ def static_analysis_test():
         else:
             pdfs = [
                 '/pdf/02e7989c457ab67eb514a8328779f256/',
-                '/pdf/3a552566097a8de588b8184b059b0158/',
+                '/pdf/82ab8b2193b3cfb1c737e3a786be363a/',
                 '/pdf/52c50ae824e329ba8b5b7a0f523efffe/',
                 '/pdf/57bb5be0ea44a755ada4a93885c3825e/',
                 '/pdf/8179b557433835827a70510584f3143e/',
@@ -101,7 +101,7 @@ def static_analysis_test():
 
         # Compare apps test
         logger.info('Running App Compare tests')
-        first_app = '3a552566097a8de588b8184b059b0158'
+        first_app = '82ab8b2193b3cfb1c737e3a786be363a'
         second_app = '52c50ae824e329ba8b5b7a0f523efffe'
         url = '/compare/{}/{}/'.format(first_app, second_app)
         resp = http_client.get(url, follow=True)
@@ -113,18 +113,32 @@ def static_analysis_test():
             logger.info(resp.content)
             return True
 
+        # Scan shared object or dylib from binaries.
+        logger.info('Running Library Analysis test')
+        md5 = '82ab8b2193b3cfb1c737e3a786be363a'
+        lib = 'apktool_out/lib/arm64-v8a/libdivajni.so'
+        url = f'/scan_library/{md5}?library={lib}'
+        resp = http_client.get(url, follow=True)
+        assert (resp.status_code == 200)
+        if resp.status_code == 200:
+            logger.info('[OK] Library Analysis test passed successfully')
+        else:
+            logger.error('Library Analysis test failed')
+            logger.info(resp.content)
+            return True
+
         # Search by MD5
         if platform.system() in ['Darwin', 'Linux']:
             scan_md5s = ['02e7989c457ab67eb514a8328779f256',
-                         '3a552566097a8de588b8184b059b0158',
+                         '82ab8b2193b3cfb1c737e3a786be363a',
                          '6c23c2970551be15f32bbab0b5db0c71',
                          '52c50ae824e329ba8b5b7a0f523efffe',
                          '57bb5be0ea44a755ada4a93885c3825e',
                          '8179b557433835827a70510584f3143e',
                          '7b0a23bffc80bac05739ea1af898daad']
         else:
             scan_md5s = ['02e7989c457ab67eb514a8328779f256',
-                         '3a552566097a8de588b8184b059b0158',
+                         '82ab8b2193b3cfb1c737e3a786be363a',
                          '52c50ae824e329ba8b5b7a0f523efffe',
                          '57bb5be0ea44a755ada4a93885c3825e',
                          '8179b557433835827a70510584f3143e',
@@ -242,7 +256,7 @@ def api_test():
         if platform.system() in ['Darwin', 'Linux']:
             pdfs = [
                 {'hash': '02e7989c457ab67eb514a8328779f256'},
-                {'hash': '3a552566097a8de588b8184b059b0158'},
+                {'hash': '82ab8b2193b3cfb1c737e3a786be363a'},
                 {'hash': '6c23c2970551be15f32bbab0b5db0c71'},
                 {'hash': '52c50ae824e329ba8b5b7a0f523efffe'},
                 {'hash': '57bb5be0ea44a755ada4a93885c3825e'},
@@ -252,7 +266,7 @@ def api_test():
         else:
             pdfs = [
                 {'hash': '02e7989c457ab67eb514a8328779f256'},
-                {'hash': '3a552566097a8de588b8184b059b0158'},
+                {'hash': '82ab8b2193b3cfb1c737e3a786be363a'},
                 {'hash': '52c50ae824e329ba8b5b7a0f523efffe'},
                 {'hash': '57bb5be0ea44a755ada4a93885c3825e'},
                 {'hash': '8179b557433835827a70510584f3143e'},
@@ -314,9 +328,9 @@ def api_test():
         logger.info('[OK] Scorecard API test completed')
         logger.info('Running View Source API test')
         # View Source tests
-        files = [{'file': 'opensecurity/helloworld/MainActivity.java',
+        files = [{'file': 'jakhar/aseem/diva/MainActivity.java',
                   'type': 'apk',
-                  'hash': '3a552566097a8de588b8184b059b0158'},
+                  'hash': '82ab8b2193b3cfb1c737e3a786be363a'},
                  {'file': 'opensecurity/webviewignoressl/MainActivity.java',
                   'type': 'studio',
                   'hash': '52c50ae824e329ba8b5b7a0f523efffe'},
@@ -351,15 +365,15 @@ def api_test():
         resp = http_client.post(
             '/api/v1/compare',
             {
-                'hash1': '3a552566097a8de588b8184b059b0158',
+                'hash1': '82ab8b2193b3cfb1c737e3a786be363a',
                 'hash2': '52c50ae824e329ba8b5b7a0f523efffe',
             },
             HTTP_AUTHORIZATION=auth)
         assert (resp.status_code == 200)
         resp_custom = http_client.post(
             '/api/v1/compare',
             {
-                'hash1': '3a552566097a8de588b8184b059b0158',
+                'hash1': '82ab8b2193b3cfb1c737e3a786be363a',
                 'hash2': '52c50ae824e329ba8b5b7a0f523efffe',
             },
             HTTP_X_MOBSF_API_KEY=auth)
@@ -373,7 +387,7 @@ def api_test():
         logger.info('Running Delete Scan Results test')
         # Suppression tests
         # Android Manifest by rule
-        and_hash = '3a552566097a8de588b8184b059b0158'
+        and_hash = '82ab8b2193b3cfb1c737e3a786be363a'
         rule = 'app_is_debuggable'
         typ = 'manifest'
         logger.info('Running Suppression disable by rule for APK manifest')
@@ -489,7 +503,7 @@ def api_test():
         # Deleting Scan Results
         if platform.system() in ['Darwin', 'Linux']:
             scan_md5s = ['02e7989c457ab67eb514a8328779f256',
-                         '3a552566097a8de588b8184b059b0158',
+                         '82ab8b2193b3cfb1c737e3a786be363a',
                          '6c23c2970551be15f32bbab0b5db0c71',
                          '52c50ae824e329ba8b5b7a0f523efffe',
                          '57bb5be0ea44a755ada4a93885c3825e',
@@ -498,7 +512,7 @@ def api_test():
                          ]
         else:
             scan_md5s = ['02e7989c457ab67eb514a8328779f256',
-                         '3a552566097a8de588b8184b059b0158',
+                         '82ab8b2193b3cfb1c737e3a786be363a',
                          '52c50ae824e329ba8b5b7a0f523efffe',
                          '57bb5be0ea44a755ada4a93885c3825e',
                          '8179b557433835827a70510584f3143e',

mobsf/StaticAnalyzer/views/android/android_manifest_desc.py

@@ -42,15 +42,28 @@
                  '[android:networkSecurityConfig=%s]'),
     },
     'vulnerable_os_version': {
+        'title': ('App can be installed on a vulnerable '
+                  'upatched Android version<br>Android %s, [minSdk=%s]'),
+        'level': 'high',
+        'description': ('This application can be installed on an older version'
+                        ' of android that has multiple unfixed '
+                        'vulnerabilities. These devices won\'t receive '
+                        'reasonable security updates from Google. '
+                        'Support an Android version => 10, API 29 '
+                        'to receive reasonable security updates.'),
+        'name': ('App can be installed on a vulnerable '
+                 'upatched Android version %s, [minSdk=%s]'),
+    },
+    'vulnerable_os_version2': {
         'title': ('App can be installed on a vulnerable Android version'
-                  '<br>[minSdk=%s]'),
+                  '<br>Android %s, minSdk=%s]'),
         'level': 'warning',
         'description': ('This application can be installed on an older version'
-                        ' of android that has multiple unfixed '
-                        'vulnerabilities. Support an Android version > 8, '
-                        'API 26 to receive reasonable security updates.'),
+                        ' of android that has multiple vulnerabilities. '
+                        'Support an Android version => 10, API 29 '
+                        'to receive reasonable security updates.'),
         'name': ('App can be installed on a vulnerable Android version'
-                 '[minSdk=%s]'),
+                 ' %s, [minSdk=%s]'),
     },
     'app_is_debuggable': {
         'title': 'Debug Enabled For App<br>[android:debuggable=true]',
@@ -104,7 +117,7 @@
     },
     'non_standard_launchmode': {
         'title': 'Launch Mode of activity (%s) is not standard.',
-        'level': 'high',
+        'level': 'warning',
         'description': ('An Activity should not be having the launch mode'
                         ' attribute set to "singleTask/singleInstance" as '
                         'it becomes root Activity and it is possible for'
@@ -114,9 +127,45 @@
                         ' information is included in an Intent.'),
         'name': 'Launch Mode of activity (%s) is not standard.',
     },
+    'task_hijacking': {
+        'title': ('Activity (%s) is vulnerable to Android '
+                  'Task Hijacking/StrandHogg.'),
+        'level': 'high',
+        'description': ('An Activity should not be having the launch mode '
+                        'attribute set to "singleTask". It is then '
+                        'possible for other applications to place a '
+                        'malicious activity on top of the activity stack '
+                        'resulting in Task Hijacking/StrandHogg 1.0'
+                        'vulnerability. This makes the application an easy '
+                        'target for phishing attacks. The vulnerability can '
+                        'be remediated by setting the launch mode attribute '
+                        'to "singleInstance" or by setting an empty '
+                        'taskAffinity (taskAffinity="") attribute. You can '
+                        'also update the target SDK version of the app to '
+                        '28 or higher to fix this issue at platform level.'),
+        'name': ('Activity (%s) is vulnerable to Android '
+                 'Task Hijacking/StrandHogg.'),
+    },
+    'task_hijacking2': {
+        'title': 'Activity (%s) is vulnerable to StrandHogg 2.0',
+        'level': 'high',
+        'description': ('Activity is found to be vulnerable to '
+                        'StrandHogg 2.0 task hijacking vulnerability. '
+                        'When vulnerable, it is possible for other '
+                        'applications to place a malicious activity '
+                        'on top of the activity stack of the vulnerable '
+                        'application. This makes the application an easy '
+                        'target for phishing attacks. The vulnerability can '
+                        'be remediated by setting the launch mode attribute '
+                        'to "singleInstance" and by setting an empty '
+                        'taskAffinity (taskAffinity=""). You can also update '
+                        'the target SDK version of the app to 29 or higher '
+                        'to fix this issue at platform level.'),
+        'name': 'Activity (%s) is vulnerable to StrandHogg 2.0',
+    },
     'improper_provider_permission': {
         'title': 'Improper Content Provider Permissions<br>[%s]',
-        'level': 'high',
+        'level': 'warning',
         'description': ('A content provider permission was set to allows'
                         ' access from any other app on the device. '
                         'Content providers may contain sensitive '
@@ -343,7 +392,7 @@
     'explicitly_exported': {
         'title': ('<strong>%s</strong> (%s) is not Protected.'
                   ' <br>[android:exported=true]'),
-        'level': 'high',
+        'level': 'warning',
         'description': ('A%s %s is found to be shared with other apps on the'
                         ' device therefore leaving it accessible to any other'
                         ' application on the device.'),

mobsf/StaticAnalyzer/views/android/cert_analysis.py

@@ -50,10 +50,11 @@ def get_hardcoded_cert_keystore(files):
         for file_name in files:
             if '.' not in file_name:
                 continue
-            ext = file_name.split('.')[-1]
-            if re.search('cer|pem|cert|crt|pub|key|pfx|p12|der', ext):
+            ext = Path(file_name).suffix
+            if ext in ('.cer', '.pem', '.cert', '.crt',
+                       '.pub', '.key', '.pfx', '.p12', '.der'):
                 certz.append(escape(file_name))
-            if re.search('jks|bks', ext):
+            if ext in ('.jks', '.bks'):
                 key_store.append(escape(file_name))
         if certz:
             desc = 'Certificate/Key files hardcoded inside the app.'