
ChatGPT Permission Mapping + Improved Description #2308

Merged
merged 7 commits into from
Dec 18, 2023

Conversation


@ajinabraham ajinabraham commented Dec 18, 2023

Describe the Pull Request

* Android Permission Mapping, generated with ChatGPT + axplorer
* Android Permission description enhancement generated with ChatGPT
* Added new permissions to permission analyzer

Checklist for PR

  • Run MobSF unit tests and lint tox -e lint,test
  • Tested Working on Linux, Mac, Windows, and Docker
  • Add unit test for any new Web API (Refer: StaticAnalyzer/tests.py)
  • Make sure tests are passing on your PR MobSF tests

Additional Comments (if any)

DESCRIBE HERE


👋 @ajinabraham
Thank you for sending this pull request ❤️.
Please make sure you have followed our contribution guidelines. We will review it as soon as possible

@ajinabraham ajinabraham merged commit 1f8c609 into master Dec 18, 2023
12 checks passed
@ajinabraham ajinabraham deleted the perm-mapping branch December 18, 2023 08:23
brice-syslogic added a commit to cyberspect/Mobile-Security-Framework-MobSF that referenced this pull request Oct 29, 2024
* HOTFIX: EFR01 Enterprise feature request (MobSF#1908)

* Replace Warning with Medium and added Hotspot
* Add file analysis to hotspot
* Enterprise Feature Request Flag
* EFR01 changes
* version bump

* update quark & frida (MobSF#1903)

Co-authored-by: Ajin Abraham <[email protected]>

* Update tldextract from 3.1.2 to 3.2.0 (MobSF#1910)

* upgrade apktool to 2.6.1 (MobSF#1915)

* Hotfix: Update slack link

* Hotfix: update slack link

* Hotfix: Slack link

* Hotfix: Slack link

* Hotfix: Slack link

* Introduce jadx decompilation timeout with env var (MobSF#1916)

* Introduce jadx decompilation timeout with env var
- exception for timeout
- replace subprocess.call for run


Co-authored-by: Ajin Abraham <[email protected]>

* Update ip2location from 8.6.4 to 8.7.2 (MobSF#1926)

Co-authored-by: Ajin Abraham <[email protected]>

* Scheduled weekly dependency update for week 13 (MobSF#1931)

* Update quark-engine from 22.2.1 to 22.3.1

* update lief

Co-authored-by: Ajin Abraham <[email protected]>

* update apkid (MobSF#1939)

* Fix dynamic report_json api bug (MobSF#1934)

Co-authored-by: Ajin Abraham <[email protected]>

* Hotfix: LIEF

* Update README.md (MobSF#1951)

* update jadx to 1.3.4 (MobSF#1941)

* update jadx to 1.3.4
* update lief
* update jadx and requirements

* Scheduled weekly dependency update for week 22 (MobSF#1972)

* Update ip2location from 8.7.3 to 8.7.4

* Update quark-engine from 22.4.1 to 22.5.1

* Update frida from 15.1.17 to 15.1.23

* Update tldextract from 3.2.1 to 3.3.0

* Check for updates via GitHub releases (MobSF#1957)

* Check the GitHub releases page for latest version number

* Update utils.py

Only log distro if not empty (or spaces)

Co-authored-by: Ajin Abraham <[email protected]>

* Update cert_analysis.py (MobSF#1948)

* Update cert_analysis.py

Flag on MD5 hash algorithm in signer certificate

* Update cert_analysis.py

Co-authored-by: Ajin Abraham <[email protected]>

* HOTFIX: Update Readme with Rewards Banner

* Update frida from 15.1.23 to 15.1.24 (MobSF#1975)

Co-authored-by: Ajin Abraham <[email protected]>

* HOTFIX: openSSL link and readme update

* Hotfix: Broken slack channel link fix

* Hotfix: Windows setup script

* Feature Parity Allow iOS IPA download (MobSF#1977)

* Allow iOS IPA download

* Code QA

* Add the checking of the parent element of the permission-related elements to manifest analysis (MobSF#1905)

* Add the checking of the parent element of the permission-related elements to manifest analysis

Co-authored-by: Ajin Abraham <[email protected]>

* Remove RELRO (MobSF#1978)

* Revert "Add the checking of the parent element of the permission-related elements to manifest analysis (MobSF#1905)" (MobSF#1984)

HOTFIX: Revert MobSF#1905

* Scheduled weekly dependency update for week 26 (MobSF#1986)

* Update ip2location from 8.7.4 to 8.8.0

* Update frida from 15.1.24 to 15.1.27

* Update quark-engine from 22.5.1 to 22.6.1 (MobSF#1989)

* Scheduled weekly dependency update for week 28 (MobSF#1993)

* Update frida from 15.1.27 to 15.1.28

* Update tldextract from 3.3.0 to 3.3.1

* HOTFIX: libsast, iOS Rule, M1 Mac support

* Hotfix MobSF#1999

* Update frida from 15.1.28 to 15.2.2 (MobSF#2002)

* Update README.md (MobSF#2020)

add Badge App

* Fix bug MobSF#1917 where checking for stripped debugging symbols produces false positives in iOS. (MobSF#2023)

Co-authored-by: Toor <[email protected]>
Co-authored-by: Ajin Abraham <[email protected]>

* Update ip2location from 8.8.0 to 8.8.1 (MobSF#2035)

Co-authored-by: Ajin Abraham <[email protected]>

* update apkid to 2.1.4 (MobSF#2037)

* Adding tarfile member sanitization to extractall() (MobSF#2039)

Co-authored-by: TrellixVulnTeam <[email protected]>
Co-authored-by: Ajin Abraham <[email protected]>

* fix res directory not exist (MobSF#2042)

Fix the problem that the res resource folder does not exist; the solution is to copy it from the apktool_out directory

* [EFR-02]Enterprise Feature Request - False Positive Triaging (MobSF#2000)

* Suppression logic

* Android code analysis suppression

* Fixes MobSF#1981

* iOS source support bundle id extraction

* iOS Source Code - Suppression support

* Remove check in CFBundleURLName

* iOS Binary code analysis suppression support

* Add Code QL

* Suppression support for Manifest analysis

* Fixes MobSF#2014

* REST API + Docs

* Address review comments

* update suppression wordings

* Fixes MobSF#2043

* Icon analysis code QA

* Unit Test for False Positive Triaging

* Adding numeric_owner as a keyword argument (MobSF#2050)

numeric_owner needs to be a keyword argument.

* Scheduled weekly dependency update for week 41 (MobSF#2046)

* Update quark-engine from 22.6.1 to 22.9.1

* Update frida from 15.2.2 to 16.0.1

* Update tldextract from 3.3.1 to 3.4.0

* Update openstep-parser from 1.5.3 to 1.5.4

Co-authored-by: Ajin Abraham <[email protected]>

* HOTFIX: revert frida to 15.X

* HOTFIX: UI changes and warning on mobsf.live (MobSF#2051)

* UI changes and warning on mobsf.live

* Update home.html

* HOTFIX: Split certificate analysis out, suppression list fixes (MobSF#2052)

* Hotfix: ui on donate page

* Hotfix: Homescreen Navbar

* Hotfix: UI icon

* hotfix for quark rules location (MobSF#2053)

* HOTFIX: jadx update to 1.4.5  (MobSF#2064)

* jadx update to 1.4.5
* MobSF version bump
* Fixes CVE-2022-42889 in third party dependency

* Installation script error: Solving spelling error (MobSF#2067)

changed "installtion" to "installation"

* Android APK support extracting icon SVG from XML (MobSF#2060)

* Added support for SVG icon extraction
* Add jar binaries
* code refactoring
* Update settings.py

* HOTFIX: Setup improvement (MobSF#2078)

* Improve setup scripts.
* Python support to 3.8 - 3.10
* Delete MobSF data directory on running setup.
* Bump applicable dependencies.

* Apktool 2.7.0 update (MobSF#2082)

* Update apktool to version 2.7.0

* HOTFIX: Icon should be a file

* version bump

* New Android Manifest Rule: App support vulnerable android versions (MobSF#2114)

* add a new rule: dangerous os version

* qa

* lint checks

* run lint test on one os

* Support for filenames containing & (MobSF#2129)

Co-authored-by: none <[email protected]>

* HOTFIX: Fix docker build (MobSF#2135)

* Fix Scorecard Severity Distribution chart data (MobSF#2140)

* HOTFIX: Update Dockerfile to install jq (MobSF#2149)

* Update Dockerfile

* Update tox.ini

* [HOTFIX] Add support for environment variable for MobSF config (MobSF#2150)

* add support for environment variable config
* Fixes MobSF#2109
* update lief

* HOTFIX: Fixes MobSF#2144

* HOTFIX: Android min SDK check on janus vulnerability detection (MobSF#2159)

* Android min SDK  check on janus check

* Update README.md

* [Enterprise Feature Request EFR02] Support summary of severity in each section. (MobSF#2160)

* Summary for Android and iOS SCA

* [EFR05] Enterprise Feature Request: AAR and JAR support (MobSF#2163)

* AAR and JAR support

* Enable binary analysis for aar/jar

* Scheduled weekly dependency update for week 24 (MobSF#2187)

* Update ip2location from 8.9.0 to 8.10.0

* Update quark-engine from 22.10.1 to 23.5.1

* Update LIEF from to 0.13.1

* Update tldextract from 3.4.0 to 3.4.4

* Update requirements.txt

---------

Co-authored-by: Ajin Abraham <[email protected]>

* Update requirements.txt

0.13.1 not available.

* HOTFIX: update lief

* Revert Hotfix

* HOTFIX: Feature updates and Bug Fixes (MobSF#2197)

* OFAC, jquery bump, tox fix
* AAR handle multiple application tags

* HOTFIX: MobSF Android Dynamic Analysis Docker Support (MobSF#2214)

* MobSF Android Docker Support

* Pin pip version

* Update mobsf-test.yml

* Update setup.py

* Hotfix: Docker error fixes

* Hotfix: Add Corellium support message

* Hotfix: Broken donate link fix

* Update dynamic_analysis.html (MobSF#2218)

* Hotfix: Handle Docker <-> ADB connectivity internally (MobSF#2219)

* host.docker.internal translation for localhost

* Replace urlparse with re

* version bump

* update ascii art

* update apktool to 2.8.1 (MobSF#2220)

* update apktool (MobSF#2225)

Co-authored-by: Ajin Abraham <[email protected]>

* HOTFIX: translate upstream proxy ip for docker

* Dynamic Analysis support alert (MobSF#2227)

* [HOTFIX] Regex + Rule Update (MobSF#2232)

* IOS Swift Rules updates
  *  Updated or added rules `ios_biometric_bool`, `ios_biometric_acl`, `ios_keychain_weak_acl_device_passcode`, `ios_keychain_weak_accessibility_value`, `ios_insecure_random_no_generator`, `ios_biometry_hardened`
 * Regex Hardening: Fixes possible Regex DoS in rules and MobSF code base

* [HOTFIX][EFR06] Independent Shared Object (.so) Scan and Improved String search (MobSF#2228)

* String extraction from APK, Source, AAR, JAR, SO
* Strings sections to show source of strings extracted
* Strings Refactor
* Support for independent .SO scan
* Android SCA rules update
* Entropies scan support for strings
* URLs/Email extraction refactor
* Bug Fixes
  * iOS Source Report Fix
  * Frida APK Patcher (WIP)
  * Dynamic Analyzer identifier not available
  * Settings env var not working fix for enabled by default features
  * AppSec Score fix
  * Recent `scan not completed` fix for iOS zip

* HOTFIX: Improve code string extraction

* Update macho_analysis.py - SYMBOLS STRIPPED False Negative (MobSF#2234)

* Update macho_analysis.py

PR for this issue: 
MobSF#2233

* Update macho_analysis.py


Co-authored-by: Ajin Abraham <[email protected]>

* HOTFIX: fix IPA download support

* [HOTFIX][EFR-08] Dylib + Symbols + Other Features (MobSF#2239)

* Dylib analysis support + PDF for iOS Binary
* Dylib string extraction
* Improved iOS Plist secret extraction
* iOS/Android Form Validation QA
* Independent Dylib scan
* Symbols view for dylib and so
* Trackers support for so

* Fix missing exported components (MobSF#2176)

Components which are exported and have no permission were not listed in the results because of a wrong template description key.
Also added a warning if this happens again.

Co-authored-by: Ajin Abraham <[email protected]>

* [HOTFIX][EFR09] AAR/JAR obfuscation and debug check + Exception Handled strings and symbols extraction (MobSF#2240)

* AAR/JAR obfuscation and debug check
* Exception handling symbols and strings from so/dylib

* [HOTFIX][EFR10] Independent Static Library(.a) ELF/MachO Analysis + Graceful Analysis (MobSF#2242)

* Independent Static Library(.a) ELF/MachO Analysis
   * Mac FAT binary only supported on Mac
* Static and Dynamic Binary Analysis QA
* Refactor Dex permissions
* Fallback certificate analysis using apksigtool
* Refactor Androguard `apk.APK()` usage

* Pip to Poetry,  Ubuntu Base image Bump, Dockerfile QA, Python 3.11 support (MobSF#2244)

* Docker base image update
* Docker file QA
* Github Actions version update
* Removed unwanted pinned repository
* Pip to Poetry migration
* Bump httptools
* Bump yara-python-dex
* Python 3.11 support

* [HOTFIX] Docker Buildx test (MobSF#2247)

* Docker image build test for PRs

* [HOTFIX] bs4 malformed xml parsing + xml namespace detection (MobSF#2248)

* Use BeautifulSoup4 to prettify malformed XML
* Detect non standard XML namespace in AndroidManifest.xml (Fixes : MobSF#2198) 
* Updated android permissions list
* Updated android permission update check script

* [HOTFIX] Migrate from setup.py to poetry, tox QA (MobSF#2249)

* Migrate from setup.py to use poetry build and publish
* Tox QA
* Version is now configured only at pyproject.toml
* Added poetry build test
* Updated mobsf PyPI publishing workflow 
* Update local DBs

* Performance Improvements on SAST (MobSF#2251)

* Performance improvements in SAST scans (Code Analysis, API Analysis, NIAP etc.) with libsast bump
* Android API rule QA
* Manifest analysis continuation on apktool failure
* Linux setup script fix
* Disable NIAP by default

* [HOTFIX] add apksigner.jar for reading signatures (MobSF#2254)

* Add `apksigner.jar`
* Use apksigner to extract signature versions (v1, v2, v3, v4)
* Fix: MobSF#2120

* [HOTFIX] add jar (MobSF#2255)

* Add apksigner jar

* [HOTFIX] Bump Frida to address crash on M1 Mac (MobSF#2258)

* Update frida to 16.1.4 to resolve segmentation faults on Docker arm image
---------

Co-authored-by: Mark Sowell <[email protected]>

* [HOTFIX] simplify scan api (MobSF#2259)

* Simplify Scan API
* Need only scan hash to trigger a scan
* Updated API Docs

* [HOTFIX] iOS Framework Analysis + Multiple Feature QA (MobSF#2260)

* iOS Framework Analysis
* Static Analysis URL simplification
* Replace hardcoded urls in template with `{% url %}`
* Code QA
* Remove unwanted template file
* Remove `rescan` query param from url
* Android icon SVG guessing improvements
* Icon analysis refactoring, change icon storage location
* Remove SVG to PNG converter. Support PNG and SVG icon.
* Github docker release action update

* [HOTFIX] Support webp for icon (MobSF#2267)

* [HOTFIX] Fixed that the icon cannot be found (MobSF#2265)

Fixed that the icon cannot be found when the suffix name is uppercase

* Allow jpeg icons (MobSF#2268)

* [HOTFIX] Fix jadx and apktool failure due to JDK changes (MobSF#2269)

* Fix jadx and apktool failure due to JDK zip64 changes

* [HOTFIX][EFR] Priority Bug Fixes (MobSF#2275)

* P1.1 AAR Permissions not properly listed 
* P1.2 Local variable table not listed in proper section
* P1.3 static library strings are not listed
* P1.5 Stripping of dynamic and static libraries are not correctly reported
* Dependency bump
* MobSF version bump

* Hotfix: Bump deps

* update apktool to 2.9.0 (MobSF#2278)

Co-authored-by: Ajin Abraham <[email protected]>

* Build(deps): Bump django from 4.1.12 to 4.1.13 (MobSF#2282)

Bumps [django](https://github.com/django/django) from 4.1.12 to 4.1.13.
- [Commits](django/django@4.1.12...4.1.13)

---
updated-dependencies:
- dependency-name: django
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Hotfix: Support viewing kotlin files MobSF#2283

* iOS Dynamic Analysis with Corellium (MobSF#2194)

* iOS Dynamic Analysis Support with Corellium Jailbroken iOS devices
* Corellium API layer for complete device and project management
* Frida instrumentation (attach, spawn and inject) over SSH local port forward
* Shell access over SSH
* MobSF httptools proxy integration over SSH remote port forward
* Device File upload and download over SSH
* Frida scripts for core defense bypass, monitoring, and tracing
* Helper iOS Frida scripts for pentesting and malware analysis
* Screen cast with touch, swipe and text input support from web UI
* Dynamic Analysis device data dump and  report Generation
* Android Certificate analysis, replaced oscrypto with cryptography for public key parsing
* Python minimum support is 3.10
* Bumped httptools to latest, fixes httptools repeat bug
* Added unzip to docker to fix a bug

* Relaxed bundleid regex

* HOTFIX: Dynamic Analysis Improvements Android & iOS (MobSF#2295)

iOS Screencast, better swipe
Android Screencast to support touch, swipe and text input events
Android Frida Logs update
Android Improved Screencast
Android Frida spawn, inject and attach support
Added new Android Frida scripts
Replaced Clipdump with Frida script for clipboard monitoring

* Hotfix QA (MobSF#2297)

* REST API update for android frida instrument
* Code QA

* [HOTFIX] More Android & iOS Frida Scripts (MobSF#2299)

Improved existing frida scripts
More Android & iOS frida Scripts
Code QA

* [HOTFIX] Android script loading,  frida injected code view, paramiko SSH issues (MobSF#2300)

* Android script loading bug fix
* Frida injected code view
* Paramiko SSH reactor to address some host key issues, revert from warning to autoadd.
* Frida Injection refactoring

* Enhancements to ARC and Stack Canary Checks in Mach-O Parsing (MobSF#2284)

* Extend 'has_arc' check to include '_swift_release'

Updated the has_arc method to detect the usage of ARC not only by the presence of the _objc_release symbol but also by the _swift_release symbol. This change broadens the scope of ARC detection to cover both Objective-C and Swift implementations.

* Optimize has_canary function without using a set

Refactored the has_canary method to directly check the presence of ___stack_chk_fail and ___stack_chk_guard symbols in imported_functions. Removed the unnecessary conversion to a set, streamlining the function and enhancing readability. Now, has_canary uses any() for efficient symbol existence checks.

* [HOTFIX] RPC hook suggestions + Bug Fix (MobSF#2301)

* String compare script improvements
* Fix iOS Frida script bugs
* Added RPC helpers for hook suggestion (TODO:Expose to UI)
* Code QA

* HOTFIX: Add missing RPC script, Frida Logs font size

* version bump

* update apktool to 2.9.1 (MobSF#2304)

* [EFR][HOTFIX] QA Request (MobSF#2306)

* Scan independent library file (.so, .dylib, Framework dylib) from APK/IPA Static Analysis Report
* Library analysis refactored relative path helper for Django template.
* Re-introduced RELRO checks for Android, added Dart binary check to avoid Flutter false positives.
* Improved stripped debug symbol check for ELF and MachO using native OS tools such as nm and objdump when available.
* Merge iOS Framework and Dylib Analysis.

* Bug Fixes + Improvements (MobSF#2307)

* Replace Android test APK
* Added tests for Library analysis from binary (scan_library route)
* iOS merge findings from swift and objective c rules with same rule identifier. Fixes MobSF#2287 
* iOS Binary analysis, sort regex matches. Fixes MobSF#2252
* Framework dylibs with no extensions to skip PIE checks. Fixes MobSF#2307
* Select correct network_security config. Fixes MobSF#2049
* Android Manifest Analysis added support for detecting task hijacking (StrandHogg 1.0 and StrandHogg 2.0) . Fixes MobSF#2124
* Added new manifest analysis rule to warn on apps targeting older Android OS
* Updated severity of findings
* UI improvement for AppSec dashboard to show a loader
* UI changes in Static Analysis to collapse a large number of files in API and Code Analysis for better real estate
* Improved certificate file analysis for android, jar, aar, and ios
* MobSF version Bump

* [HOTFIX] ChatGPT Permission Mapping + Improved Description (MobSF#2308)

* Android Permission Mapping, generated with ChatGPT + axplorer. Addressed MobSF#1772 
* Android Permission description enhancement generated with ChatGPT
* Added new permissions to permission analyzer

* Windows Python tempfile permission error fix (MobSF#2309)

* Fix PermissionError: [Errno 13] Permission denied
Windows Python tempfile permission error fix

* Multiple Features Improved or Added (MobSF#2310)

* Android added App Link assetlinks.json check
* Added more new permission mappings
* Updated Permission database
* Improved Source code view content search
* Added upstream proxy support for Corellium API calls
* Updated Readme

* [HOTFIX] Malware Permission Check for Android, API Rules + Version Bump (MobSF#2313)

* Malware Permission Check for Android
* New Android API rule to support Passkeys
* Updated Readme
* Version Bump

* Bug Fix and QA (MobSF#2315)

* Bug Fix
* QA
* Version bumps

* HOTFIX: update apktool, fixes a security issue GHSA-2hqv-2xv4-5h5w

* Update submodule

* Using multithreading to improve code efficiency (MobSF#2319)

* Using multithreading to improve code efficiency
* Update manifest_analysis.py
* QA
* Handle asterisk in host names.

---------

Co-authored-by: Ajin Abraham <[email protected]>

* GPT Goodness (MobSF#2318)

* QA
* Version Bump

* Update SECURITY.md (MobSF#2323)

updated security policy

* [HOTFIX][SECURITY] Fix an LFI, DSA Pub Key parsing bug and dependencies  (MobSF#2326)

* [SECURITY] Fixes an LFI reported by @0x33c0unt - A crafted APK resource with icon name containing arbitrary path will get copied by MobSF as the icon file to the download directory which is available under `/download/` route. Fixed by MobSF@a58f8a8
* Fixes MobSF#2324 , Bug in parsing DSA Public Key parameters for fingerprint calculation.
* Update dependencies

* Filter out invalid links (MobSF#2322)

* Filter out invalid links

[ERROR] 2024-01-10 10:28:29 - Well Known Assetlinks Check for URL: http://*/.well-known/assetlinks.json
Traceback (most recent call last):
 
requests.exceptions.InvalidURL: URL has an invalid label.

* Update manifest_analysis.py

---------

Co-authored-by: Ajin Abraham <[email protected]>

* Fix Arbitrary file writes on Windows (MobSF#2328)

* Runtime Exec Tampering Detection, iOS Dynamic REST APIs, Datatables Export  (MobSF#2339)

* Runtime Executable Tampering Detection

* Add security.py

* Code QA Performance

* Code QA Runtime EXEC tampering detection

* Corellium API QA + Domain support

* REST API Docs + Datatables export

* HOTFIX: Dependency bump

* HOTFIX: Injected code overwrite revert

* HOTFIX: Bump deps + ELF strings check fix

* MOBSF_CORELLIUM_API_DOMAIN Update (MobSF#2347)

* MOBSF_CORELLIUM_API_DOMAIN Update

Set the default of `MOBSF_CORELLIUM_API_DOMAIN` to `https://app.corellium.com` as it was not being picked up properly in `dynamic_analyzer.py` for iOS

* Update corellium_apis.py

* Update settings.py

---------

Co-authored-by: Ajin Abraham <[email protected]>

* Add name parameter to create vm

* Add name support in ui

* HOTFIX: Frida Logs API response code + Dependency bump

* HOTFIX: Bump deps + expose Corellium stop app api

* Fix MobSF#2343

* HOTFIX: target sdk bug

* HOTFIX: Bump androguard + remove quark

* HOTFIX: androguard bump

* Fix MobSF#2349

* HOTFIX: Individual image publish

* HOTFIX:[SECURITY] Fix GHSA-wfgj-wrgh-h3r3, dep bump, docker build qa

* poetry pyqt5 fixes (MobSF#2362)

* poetry pyqt5 fixes

* QA

* fix

* Cert analysis qa

* QA

* pin pyqt5

* HOTFIX: Remove Androguard dependency use only features required by MobSF (MobSF#2363)

This PR strips out androguard and its dependencies from MobSF.
Extract androguard related functions used by MobSF.
Some dependencies such as pyQt5 from apkinspector is breaking the ARM64 docker image.
This should address that issue.
In future, we will have to copy over any fixes to axml, apk, public, types from androguard and ZipEntry from apkinspector. 
We won't be adding linting to these files. The extracted functions will be considered as an external tool.

* Optimize rendering of big lists (MobSF#2351)

* Optimize rendering of big lists
* Dynamic rendering in browser to improve ux
Co-authored-by: Ajin Abraham <[email protected]>

* Fixes GHSA-m435-9v6r-v5f6

* Update SECURITY.md (MobSF#2364)

* Update SECURITY.md (MobSF#2365)

* Update SECURITY.md

* HOTFIX: Build and push docker arm64 and amd64 together

* HOTFIX: Possible SSRF

* Resolve the situation where the function name is bytes (MobSF#2367)

fix error:
 if function.name.endswith('_chk'):
       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
TypeError: endswith first arg must be bytes or a tuple of bytes, not str

Co-authored-by: Ajin Abraham <[email protected]>

* Lint fixes #1

* Lint fixes #2

* Lint fixes #3

* Lint fixes #4

* Lint fixes #5

* Removing authentication requirement for /tests

* Lint fixes

* Updated

* Updated test logging

* Lint fix

* Setting template in context

* Lint fixes

* Added missing api params

* is_admin adjustment

* Include checksum

* Lint fixes

* Adding more logging

* Unit test fixes

* Lint fix

* # Get App Icon fix

* SCAN_LOGS support

* Timestamp fix

* Undid some bad updates

* Lint fix

* Error set is_admin

* Adding logging

* Removing logs field

* Debugging error

* Debugging

* Adding framework_analysis to fake_bin_dict

* Fixed so_analysis

* scan_library fix

* Handling of empty fields

* Lint fixes

* Lint fixes

* Updates to settings.py to allow ECS environment variables to be used

* Changing errors to warnings

* Resetting tests.py to match 3.9.7

* Fixing unit test

* exec2 in EXECUTABLE_HASH_MAP

* SCAN_TYPE fixes

* Removing old "custom" HTTP header tests

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: Ajin Abraham <[email protected]>
Co-authored-by: superpoussin22 <[email protected]>
Co-authored-by: pyup.io bot <[email protected]>
Co-authored-by: Matej Soroka <[email protected]>
Co-authored-by: N1neSun <[email protected]>
Co-authored-by: Ajin.Abraham <[email protected]>
Co-authored-by: Dapo Adedire <[email protected]>
Co-authored-by: Atarii <[email protected]>
Co-authored-by: Han0nly <[email protected]>
Co-authored-by: rustaska <[email protected]>
Co-authored-by: Toor <[email protected]>
Co-authored-by: TrellixVulnTeam <[email protected]>
Co-authored-by: TrellixVulnTeam <[email protected]>
Co-authored-by: ohyeah521 <[email protected]>
Co-authored-by: th3-d4v1d-c0de <[email protected]>
Co-authored-by: evmxattr <[email protected]>
Co-authored-by: none <[email protected]>
Co-authored-by: antoinbo <[email protected]>
Co-authored-by: Karmaz <[email protected]>
Co-authored-by: Abb4d0n <[email protected]>
Co-authored-by: Mark Sowell <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: cpuu <[email protected]>
Co-authored-by: JJ <[email protected]>
Co-authored-by: JPSxzy8 <[email protected]>
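The ARC, stack-canary and `_chk` symbol checks described in the commit message above, written out as an added stand-alone example (this is not MobSF's own code). `ImportedFunction` is a constructed stand-in for a parser's imported-symbol record, and the bytes handling in `symbol_name` covers the `TypeError` quoted under MobSF#2367.

```python
from dataclasses import dataclass
from typing import Iterable, List, Union


@dataclass
class ImportedFunction:
    """Stand-in for a parser's imported-symbol record (constructed for this
    example); real parsers such as LIEF expose objects with a ``.name``."""
    name: Union[str, bytes]


# Symbols whose presence indicates ARC (Objective-C and Swift runtimes).
ARC_SYMBOLS = ('_objc_release', '_swift_release')
# Symbols emitted by the compiler's stack-protector instrumentation.
CANARY_SYMBOLS = ('___stack_chk_fail', '___stack_chk_guard')


def symbol_name(func: ImportedFunction) -> str:
    """Return the symbol name as str, decoding names a parser hands back as bytes.

    Calling a str method such as endswith('_chk') on a bytes name raises
    TypeError, which is the crash quoted in the MobSF#2367 commit above.
    """
    name = func.name
    if isinstance(name, bytes):
        return name.decode('utf-8', errors='replace')
    return name


def imported_names(imported_functions: Iterable[ImportedFunction]) -> List[str]:
    """Normalised names of every imported function."""
    return [symbol_name(f) for f in imported_functions]


def has_arc(imported_functions: Iterable[ImportedFunction]) -> bool:
    """True if either the Objective-C or the Swift release symbol is imported."""
    names = imported_names(imported_functions)
    return any(sym in names for sym in ARC_SYMBOLS)


def has_canary(imported_functions: Iterable[ImportedFunction]) -> bool:
    """True if either stack-protector symbol is imported (checked directly,
    without converting the import list to a set)."""
    names = imported_names(imported_functions)
    return any(sym in names for sym in CANARY_SYMBOLS)


def fortified_symbols(imported_functions: Iterable[ImportedFunction]) -> List[str]:
    """Imported names ending in '_chk', the suffix check from the traceback above."""
    return [n for n in imported_names(imported_functions) if n.endswith('_chk')]


def binary_protections(imported_functions: Iterable[ImportedFunction]) -> dict:
    """Summarise the checks above for one Mach-O image's import table."""
    funcs = list(imported_functions)  # materialise so it can be walked more than once
    return {
        'arc': has_arc(funcs),
        'stack_canary': has_canary(funcs),
        'fortified': fortified_symbols(funcs),
    }


if __name__ == '__main__':
    # Constructed import table mixing str and bytes names, as a Swift binary
    # built with stack protection and fortified libc calls might expose.
    sample = [
        ImportedFunction(b'_swift_release'),
        ImportedFunction('___stack_chk_guard'),
        ImportedFunction(b'___memcpy_chk'),
        ImportedFunction('_malloc'),
    ]
    print(binary_protections(sample))
```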
brice-syslogic added a commit to cyberspect/Mobile-Security-Framework-MobSF that referenced this pull request Oct 31, 2024
* HOTFIX: EFR01 Enterprise feature request (MobSF#1908)

* Replace Warning with Medium and added Hotspot
* Add file analysis to hotspot
* Enterprise Feature Request Flag
* EFR01 changes
* version bump

* update quark & frida (MobSF#1903)

Co-authored-by: Ajin Abraham <[email protected]>

* Update tldextract from 3.1.2 to 3.2.0 (MobSF#1910)

* upgrade apktool to 2.6.1 (MobSF#1915)

* Hotfix: Update slack link

* Hotfix: update slack link

* Hotfix: Slack link

* Hotfix:Slack link

* Hotfix:Slack link

* Introduce jadx decompilation timeout with env var (MobSF#1916)

* Introduce jadx decompilation timeout with env var
- exception for timeout
- replace subprocess.call for run


Co-authored-by: Ajin Abraham <[email protected]>

* Update ip2location from 8.6.4 to 8.7.2 (MobSF#1926)

Co-authored-by: Ajin Abraham <[email protected]>

* Scheduled weekly dependency update for week 13 (MobSF#1931)

* Update quark-engine from 22.2.1 to 22.3.1

* update lief

Co-authored-by: Ajin Abraham <[email protected]>

* update apkid (MobSF#1939)

* Fix dynamic report_json api bug (MobSF#1934)

Co-authored-by: Ajin Abraham <[email protected]>

* Hotfix: LIEF

* Update README.md (MobSF#1951)

* update jadx to 1.3.4 (MobSF#1941)

* update jadx to 1.3.4
* update lief
* update jadx and requirements

* Scheduled weekly dependency update for week 22 (MobSF#1972)

* Update ip2location from 8.7.3 to 8.7.4

* Update quark-engine from 22.4.1 to 22.5.1

* Update frida from 15.1.17 to 15.1.23

* Update tldextract from 3.2.1 to 3.3.0

* Check for updates via GitHub releases (MobSF#1957)

* Check the GitHub releases page for latest version number

* Update utils.py

Only log distro if not empty (or spaces)

Co-authored-by: Ajin Abraham <[email protected]>

* Update cert_analysis.py (MobSF#1948)

* Update cert_analysis.py

Flag on MD5 hash algorithm in signer certificate

* Update cert_analysis.py

Co-authored-by: Ajin Abraham <[email protected]>

* HOTFIX: Update Readme with Rewards Banner

* Update frida from 15.1.23 to 15.1.24 (MobSF#1975)

Co-authored-by: Ajin Abraham <[email protected]>

* HOTFIX: openSSL link and readme update

* Hotfix: Broken slack channel link fix

* Hotfix: Windows setup script

* Feature Parity Allow iOS IPA download (MobSF#1977)

* Allow iOS IPA download

* Code QA

* Add the checking of the parent element of the permission-related elements to manifest analysis (MobSF#1905)

* Add the checking of the parent element of the permission-related elements to manifest analysis

Co-authored-by: Ajin Abraham <[email protected]>

* Remove RELRO (MobSF#1978)

* Revert "Add the checking of the parent element of the permission-related elements to manifest analysis (MobSF#1905)" (MobSF#1984)

HOTFIX: Revert MobSF#1905

* Scheduled weekly dependency update for week 26 (MobSF#1986)

* Update ip2location from 8.7.4 to 8.8.0

* Update frida from 15.1.24 to 15.1.27

* Update quark-engine from 22.5.1 to 22.6.1 (MobSF#1989)

* Scheduled weekly dependency update for week 28 (MobSF#1993)

* Update frida from 15.1.27 to 15.1.28

* Update tldextract from 3.3.0 to 3.3.1

* HOTFIX: libsast, iOS Rule, M1 Mac support

* Hotfix MobSF#1999

* Update frida from 15.1.28 to 15.2.2 (MobSF#2002)

* Update README.md (MobSF#2020)

add Badge App

* Fix bug MobSF#1917 where checking for stripped debugging symbols produces false positives in iOS. (MobSF#2023)

Co-authored-by: Toor <[email protected]>
Co-authored-by: Ajin Abraham <[email protected]>

* Update ip2location from 8.8.0 to 8.8.1 (MobSF#2035)

Co-authored-by: Ajin Abraham <[email protected]>

* update apkid to 2.1.4 (MobSF#2037)

* Adding tarfile member sanitization to extractall() (MobSF#2039)

Co-authored-by: TrellixVulnTeam <[email protected]>
Co-authored-by: Ajin Abraham <[email protected]>

* fix res directory not exist (MobSF#2042)

Fix the problem that the res resource folder does not exist, the solution is to copy from the apktool_out directory

* [EFR-02]Enterprise Feature Request - False Positive Triaging (MobSF#2000)

* Suppression logic

* Android code analysis suppression

* Fixes MobSF#1981

* iOS source support bundle id extraction

* iOS Source Code - Suppression support

* Remove check in CFBundleURLName

* iOS Binary code analysis suppression support

* Add Code QL

* Suppression support for Manifest analysis

* Fixes MobSF#2014

* REST API + Docs

* Address review comments

* update suppression wordings

* Fixes MobSF#2043

* Icon analysis code QA

* Unit Test for False Positive Triaging

* Adding numeric_owner as a keyword argument (MobSF#2050)

numeric_owner needs to be a keyword argument.

* Scheduled weekly dependency update for week 41 (MobSF#2046)

* Update quark-engine from 22.6.1 to 22.9.1

* Update frida from 15.2.2 to 16.0.1

* Update tldextract from 3.3.1 to 3.4.0

* Update openstep-parser from 1.5.3 to 1.5.4

Co-authored-by: Ajin Abraham <[email protected]>

* HOTFIX: revert frida to 15.X

* HOTFIX: UI changes and warning on mobsf.live (MobSF#2051)

* UI changes and warning on mobsf.live

* Update home.html

* HOTFIX: Split certificate analysis out, suppression list fixes (MobSF#2052)

* Hotfix: ui on donate page

* Hotfix: Homescreen Navbar

* Hotfix: UI icon

* hotfix for quark rules location (MobSF#2053)

* HOTFIX: jadx update to 1.4.5  (MobSF#2064)

* jadx update to 1.4.5
* MobSF version bump
* Fixes CVE-2022-42889 in third party dependency

* Installation script error: Solving spelling error (MobSF#2067)

changed "installtion" to "installation"

* Android APK support extracting icon SVG from XML (MobSF#2060)

* Added support for SVG icon extraction
* Add jar binaries
* code refactoring
* Update settings.py

* HOTFIX: Setup improvement (MobSF#2078)

* Improve setup scripts.
* Python support to 3.8 - 3.10
* Delete MobSF data directory on running setup.
* Bump applicable dependencies.

* Apktool 2.7.0 update (MobSF#2082)

* Update apktool to version 2.7.0

* HOTFIX: Icon should be a file

* version bump

* New Android Manifest Rule: App support vulnerable android versions (MobSF#2114)

* add a new rule: dangerous os version

* qa

* lint checks

* run lint test on one os

* Support for filenames containing & (MobSF#2129)

Co-authored-by: none <[email protected]>

* HOTFIX: Fix docker build (MobSF#2135)

* Fix Scorecard Severity Distribution chart data (MobSF#2140)

* HOTFIX: Update Dockerfile to install jq (MobSF#2149)

* Update Dockerfile

* Update tox.ini

* [HOTFIX] Add support for environment variable for MobSF config (MobSF#2150)

* add support for environment variable config
* Fixes MobSF#2109
* update lief

* HOTFIX: Fixes MobSF#2144

* HOTFIX: Android min SDK check on janus vulnerability detection (MobSF#2159)

* Android min SDK  check on janus check

* Update README.md

* [Enterprise Feature Request EFR02] Support summary of severity in each section. (MobSF#2160)

* Summary for Android and iOS SCA

* [EFR05] Enterprise Feature Request: AAR and JAR support (MobSF#2163)

* AAR and JAR support

* Enable binary analysis for aar/jar

* Scheduled weekly dependency update for week 24 (MobSF#2187)

* Update ip2location from 8.9.0 to 8.10.0

* Update quark-engine from 22.10.1 to 23.5.1

* Update LIEF from to 0.13.1

* Update tldextract from 3.4.0 to 3.4.4

* Update requirements.txt

---------

Co-authored-by: Ajin Abraham <[email protected]>

* Update requirements.txt

0.13.1 not available.

* HOTFIX: update lief

* Revert Hotfix

* HOTFIX: Feature updates and Bug Fixes (MobSF#2197)

* OFAC, jquery bump, tox fix
* AAR handle multiple application tags

* HOTFIX: MobSF Android Dynamic Analysis Docker Support (MobSF#2214)

* MobSF Android Docker Support

* Pin pip version

* Update mobsf-test.yml

* Update setup.py

* Hotfix: Docker error fixes

* Hotfix: Add Corellium support message

* Hotfix: Broken donate link fix

* Update dynamic_analysis.html (MobSF#2218)

* Hotfix: Handle Docker <-> ADB connectivity internally (MobSF#2219)

* host.docker.internal translation for localhost

* Replace urlparse with re

* version bump

* update ascii art

* update apktool to 2.8.1 (MobSF#2220)

* update apktool (MobSF#2225)

Co-authored-by: Ajin Abraham <[email protected]>

* HOTFIX: translate upstream proxy ip for docker

* Dynamic Analysis support alert (MobSF#2227)

* [HOTFIX] Regex + Rule Update (MobSF#2232)

* IOS Swift Rules updates
  *  Updated or added rules `ios_biometric_bool`, `ios_biometric_acl`, `ios_keychain_weak_acl_device_passcode`, `ios_keychain_weak_accessibility_value`, `ios_insecure_random_no_generator`, `ios_biometry_hardened`
 * Regex Hardening: Fixes possible Regex DoS in rules and MobSF code base

* [HOTFIX][EFR06] Independent Shared Object (.so) Scan and Improved String search (MobSF#2228)

* String extraction from APK, Source, AAR, JAR, SO
* Strings sections to show source of strings extracted
* Strings Refactor
* Support for independent .SO scan
* Android SCA rules update
* Entropies scan support for strings
* URLs/Email extraction refactor
* Bug Fixes
  * iOS Source Report Fix
  * Frida APK Patcher (WIP)
  * Dynamic Analyzer identifier not available
  * Settings env var not working fix for enabled by default features
  * AppSec Score fix
  * Recent `scan not completed` fix for iOS zip

* HOTFIX: Improve code string extraction

* Update macho_analysis.py - SYMBOLS STRIPPED False Negative (MobSF#2234)

* Update macho_analysis.py

PR for this issue: 
MobSF#2233

* Update macho_analysis.py


Co-authored-by: Ajin Abraham <[email protected]>

* HOTFIX: fix IPA download support

* [HOTFIX][EFR-08] Dylib + Symbols + Other Features (MobSF#2239)

* Dylib analysis support + PDF for iOS Binary
* Dylib string extraction
* Improved iOS Plist secret extraction
* iOS/Android Form Validation QA
* Independent Dylib scan
* Symbols view for dylib and so
* Trackers support for so

* Fix missing exported components (MobSF#2176)

Components which are exported and have no permission were not listed in the results because of a wrong template description key.
Also added a warning if this happens again.

Co-authored-by: Ajin Abraham <[email protected]>

* [HOTFIX][EFR09] AAR/JAR obfuscation and debug check + Exception Handled strings and symbols extraction (MobSF#2240)

* AAR/JAR obfuscation and debug check
* Exception handling symbols and strings from so/dylib

* [HOTFIX][EFR10] Independent Static Library(.a) ELF/MachO Analysis + Graceful Analysis (MobSF#2242)

* Independent Static Library(.a) ELF/MachO Analysis
   * Mac FAT binary only supported on Mac
* Static and Dynamic Binary Analysis QA
* Refactor Dex permissions
* Fallback certificate analysis using apksigtool
* Refactor Androguard `apk.APK()` usage

* Pip to Poetry,  Ubuntu Base image Bump, Dockerfile QA, Python 3.11 support (MobSF#2244)

* Docker base image update
* Docker file QA
* Github Actions version update
* Removed unwanted pinned repository
* Pip to Poetry migration
* Bump httptools
* Jump yara-python-dex
* Python 3.11 support

* [HOTFIX] Docker Buildx test (MobSF#2247)

* Docker image build test for PRs

* [HOTFIX] bs4 malformed xml parsing + xml namespace detection (MobSF#2248)

* Use BeautifulSoup4 to prettify malformed XML
* Detect non standard XML namespace in AndroidManifest.xml (Fixes : MobSF#2198) 
* Updated android permissions list
* Updated android permission update check script

* [HOTFIX] Migrate from setup.py to poetry, tox QA (MobSF#2249)

* Migrate from setup.py to use poetry build and publish
* Tox QA
* Version is now configured only at pyproject.toml
* Added poetry build test
* Updated mobsf PyPI publishing workflow 
* Update local DBs

* Performance Improvements on SAST (MobSF#2251)

* Performance improvements in SAST scans (Code Analysis, API Analysis, NIAP etc.) with libsast bump
* Android API rule QA
* Manifest analysis continuation on apktool failure
* Linux setup script fix
* Disable NIAP by default

* [HOTFIX] add apksigner.jar for reading signatures (MobSF#2254)

* Add `apksigner.jar`
* Use apksigner to extract signature versions (v1, v2, v3, v4)
* Fix: MobSF#2120

* [HOTFIX] add jar (MobSF#2255)

* Add apksigner jar

* [HOTFIX] Bump Frida to address crash on M1 Mac (MobSF#2258)

* Update frida to 16.1.4 to resolve segmentation faults on Docker arm image
---------

Co-authored-by: Mark Sowell <[email protected]>

* [HOTFIX] simplify scan api (MobSF#2259)

* Simplify Scan API
* Need only scan hash to trigger a scan
* Updated API Docs

* [HOTFIX] iOS Framework Analysis + Multiple Feature QA (MobSF#2260)

* iOS Framework Analysis
* Static Analysis URL simplification
* Replace hardcoded urls in template with `{% url %}`
* Code QA
* Remove unwanted template file
* Remove `rescan` query param from url
* Android icon SVG guessing improvements
* Icon analysis refactoring, change icon storage location
* Remove SVG to PNG converter. Support PNG and SVG icon.
* Github docker release action update

* [HOTFIX] Support webp for icon (MobSF#2267)

* [HOTFIX] Fixed that the icon cannot be found (MobSF#2265)

fixed that the icon cannot be found when the suffix name is uppercase

* Allow jpeg icons (MobSF#2268)

* [HOTFIX] Fix jadx and apktool failure due to JDK changes (MobSF#2269)

* Fix jadx and apktool failure due to JDK zip64 changes

* [HOTFIX][EFR] Priority Bug Fixes (MobSF#2275)

* P1.1 AAR Permissions not properly listed 
* P1.2 Local variable table not listed in proper section
* P1.3 static library strings are not listed
* P1.5 Stripping of dynamic and static libraries are not correctly reported
* Dependency bump
* MobSF version bump

* Hotfix: Bump deps

* update apktool to 2.9.0 (MobSF#2278)

Co-authored-by: Ajin Abraham <[email protected]>

* Build(deps): Bump django from 4.1.12 to 4.1.13 (MobSF#2282)

Bumps [django](https://github.com/django/django) from 4.1.12 to 4.1.13.
- [Commits](django/django@4.1.12...4.1.13)

---
updated-dependencies:
- dependency-name: django
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Hotfix: Support viewing kotlin files MobSF#2283

* iOS Dynamic Analysis with Corellium (MobSF#2194)

* iOS Dynamic Analysis Support with Corellium Jailbroken iOS devices
* Corellium API layer for complete device and project management
* Frida instrumentation (attach, spawn and inject) over SSH local port forward
* Shell access over SSH
* MobSF httptools proxy integration over SSH remote port forward
* Device File upload and download over SSH
* Frida scripts for core defense bypass, monitoring, and tracing
* Helper iOS Frida scripts for pentesting and malware analysis
* Screen cast with touch, swipe and text input support from web UI
* Dynamic Analysis device data dump and  report Generation
* Android Certificate analysis, replaced oscrypto with cryptography for public key parsing
* Python minimum support is 3.10
* Bumped httptools to latest, fixes httptools repeat bug
* Added unzip to docker to fix a bug

* Relaxed bundleid regex

* HOTFIX: Dynamic Analysis Improvements Android & iOS (MobSF#2295)

iOS Screencast, better swipe
Android Screencast to support touch, swipe and text input events
Android Frida Logs update
Android Improved Screencast
Android Frida spawn, inject and attach support
Added new Android Frida scripts
Replaced Clipdump with Frida script for clipboard monitoring

* Hotfix QA (MobSF#2297)

* REST API update for android frida instrument
* Code QA

* [HOTFIX] More Android & iOS Frida Scripts (MobSF#2299)

Improved existing frida scripts
More Android & iOS frida Scripts
Code QA

* [HOTFIX] Android script loading,  frida injected code view, paramiko SSH issues (MobSF#2300)

* Android script loading bug fix
* Frida injected code view
* Paramiko SSH reactor to address some host key issues, revert from warning to autoadd.
* Frida Injection refactoring

* Enhancements to ARC and Stack Canary Checks in Mach-O Parsing (MobSF#2284)

* Extend 'has_arc' check to include '_swift_release'

Updated the has_arc method to detect the usage of ARC not only by the presence of the _objc_release symbol but also by the _swift_release symbol. This change broadens the scope of ARC detection to cover both Objective-C and Swift implementations.

* Optimize has_canary function without using a set

Refactored the has_canary method to directly check the presence of ___stack_chk_fail and ___stack_chk_guard symbols in imported_functions. Removed the unnecessary conversion to a set, streamlining the function and enhancing readability. Now, has_canary uses any() for efficient symbol existence checks.

* [HOTFIX] RPC hook suggestions + Bug Fix (MobSF#2301)

* String compare script improvements
* Fix iOS Frida script bugs
* Added RPC helpers for hook suggestion (TODO:Expose to UI)
* Code QA

* HOTFIX: Add missing RPC script, Frida Logs font size

* version bump

* update apktool to 2.9.1 (MobSF#2304)

* [EFR][HOTFIX] QA Request (MobSF#2306)

* Scan independent library file (.so, .dylib, Framework dylib) from APK/IPA Static Analysis Report
* Library analysis refactored relative path helper for Django template.
* Re-introduced RELRO checks for Android, added Dart binary check to avoid Flutter false positives.
* Improved stripped debug symbol check for ELF and MachO using native OS tools such as nm and objdump when available.
* Merge iOS Framework and Dylib Analysis.

* Bug Fixes + Improvements (MobSF#2307)

* Replace Android test APK
* Added tests for Library analysis from binary (scan_library route)
* iOS merge findings from swift and objective c rules with same rule identifier. Fixes MobSF#2287 
* iOS Binary analysis, sort regex matches. Fixes MobSF#2252
* Framework dylibs with no extensions to skip PIE checks. Fixes MobSF#2307
* Select correct network_security config. Fixes MobSF#2049
* Android Manifest Analysis added support for detecting task hijacking (StrandHogg 1.0 and StrandHogg 2.0) . Fixes MobSF#2124
* Added new manifest analysis rule to warn on apps targeting older Android OS
* Updated severity of findings
* UI improvement for AppSec dashboard to show a loader
* UI changes in Static Analysis to collapse large no of files in API and Code Analysis for better real estate
* Improved certificate file analysis for android, jar, aar, and ios
* MobSF version Bump

* [HOTFIX] ChatGPT Permission Mapping + Improved Description (MobSF#2308)

* Android Permission Mapping, generated with ChatGPT + axplorer. Addressed MobSF#1772 
* Android Permission description enhancement generated with ChatGPT
* Added new permissions to permission analyzer

* Windows Python tempfile permission error fix (MobSF#2309)

* Fix PermissionError: [Errno 13] Permission denied
Windows Python tempfile permission error fix

* Multiple Features Improved or Added (MobSF#2310)

* Android added App Link assetlinks.json check
* Added more new permission mappings
* Updated Permission database
* Improved Source code view content search
* Added upstream proxy support for Corellium API calls
* Updated Readme

* [HOTFIX] Malware Permission Check for Android, API Rules + Version Bump (MobSF#2313)

* Malware Permission Check for Android
* New Android API rule to support Passkeys
* Updated Readme
* Version Bump

* Bug Fix and QA (MobSF#2315)

* Bug Fix
* QA
* Version bumps

* HOTFIX: update apktool, fixes a security issue GHSA-2hqv-2xv4-5h5w

* Update submodule

* Using multithreading to improve code efficiency (MobSF#2319)

* Using multithreading to improve code efficiency
* Update manifest_analysis.py
* QA
* Handle asterisk in host names.

---------

Co-authored-by: Ajin Abraham <[email protected]>

* GPT Goodness (MobSF#2318)

* QA
* Version Bump

* Update SECURITY.md (MobSF#2323)

updated security policy

* [HOTFIX][SECURITY] Fix an LFI, DSA Pub Key parsing bug and dependencies  (MobSF#2326)

* [SECURITY] Fixes an LFI reported by @0x33c0unt - A crafted APK resource with icon name containing arbitrary path will get copied by MobSF as the icon file to the download directory which is available under `/download/` route. Fixed by MobSF@a58f8a8
* Fixes MobSF#2324 , Bug in parsing DSA Public Key parameters for fingerprint calculation.
* Update dependencies

* Filter out invalid links (MobSF#2322)

* Filter out invalid links

[ERROR] 2024-01-10 10:28:29 - Well Known Assetlinks Check for URL: http://*/.well-known/assetlinks.json
Traceback (most recent call last):
 
requests.exceptions.InvalidURL: URL has an invalid label.

* Update manifest_analysis.py

---------

Co-authored-by: Ajin Abraham <[email protected]>

* Fix Arbitrary file writes on Windows (MobSF#2328)

* Runtime Exec Tampering Detection, iOS Dynamic REST APIs, Datatables Export  (MobSF#2339)

* Runtime Executable Tampering Detection

* Add security.py

* Code QA Performance

* Code QA Runtime EXEC tampering detection

* Corellium API QA + Domain support

* REST API Docs + Datatables export

* HOTFIX: Dependency bump

* HOTFIX: Injected code overwrite revert

* HOTFIX: Bump deps + ELF strings check fix

* MOBSF_CORELLIUM_API_DOMAIN Update (MobSF#2347)

* MOBSF_CORELLIUM_API_DOMAIN Update

Set the default of `MOBSF_CORELLIUM_API_DOMAIN` to `https://app.corellium.com` as it was not being picked up properly in `dynamic_analyzer.py` for iOS

* Update corellium_apis.py

* Update settings.py

---------

Co-authored-by: Ajin Abraham <[email protected]>

* Add name parameter to create vm

* Add name support in ui

* HOTFIX: Frida Logs API response code + Dependency bump

* HOTFIX: Bump deps + expose Corellium stop app api

* Fix MobSF#2343

* HOTFIX: target sdk bug

* HOTFIX: Bump androguard + remove quark

* HOTFIX: androguard bump

* Fix MobSF#2349

* HOTFIX: Individual image publish

* HOTFIX:[SECURITY] Fix GHSA-wfgj-wrgh-h3r3, dep bump, docker build qa

* poetry pyqt5 fixes (MobSF#2362)

* poetry pyqt5 fixes

* QA

* fix

* Cert analysis qa

* QA

* pin pyqt5

* HOTFIX: Remove Androguard dependency use only features required by MobSF (MobSF#2363)

This PR strips out androguard and its dependencies from MobSF.
Extract androguard related functions used by MobSF.
Some dependencies such as pyQt5 from apkinspector is breaking the ARM64 docker image.
This should address that issue.
In future, we will have to copy over any fixes to axml, apk, public, types from androguard and ZipEntry from apkinspector. 
We won't be adding linting to these files. The extracted functions will be considered as an external tool.

* Optimize rendering of big lists (MobSF#2351)

* Optimize rendering of big lists
* Dynamic rendering in browser to improve ux
Co-authored-by: Ajin Abraham <[email protected]>

* Fixes GHSA-m435-9v6r-v5f6

* Update SECURITY.md (MobSF#2364)

* Update SECURITY.md (MobSF#2365)

* Update SECURITY.md

* HOTFIX: Build and push docker arm64 and amd64 together

* HOTFIX: Possible SSRF

* Resolve the situation where the function name is bytes (MobSF#2367)

fix error:
 if function.name.endswith('_chk'):
       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
TypeError: endswith first arg must be bytes or a tuple of bytes, not str

Co-authored-by: Ajin Abraham <[email protected]>

* Lint fixes #1

* Lint fixes #2

* Lint fixes #3

* Lint fixes #4

* Lint fixes #5

* Removing authentication requirement for /tests

* Lint fixes

* Updated

* Updated test logging

* Lint fix

* Setting template in context

* Lint fixes

* Added missing api params

* is_admin adjustment

* Include checksum

* Lint fixes

* Adding more logging

* Unit test fixes

* Lint fix

* # Get App Icon fix

* SCAN_LOGS support

* Timestamp fix

* Undid some bad updates

* Lint fix

* Error set is_admin

* Adding logging

* Removing logs field

* Debugging error

* Debugging

* Adding framework_analysis to fake_bin_dict

* Fixed so_analysis

* scan_library fix

* Handling of empty fields

* Lint fixes

* Lint fixes

* Updates to settings.py to allow ECS environment variables to be used

* Changing errors to warnings

* Resetting tests.py to match 3.9.7

* Fixing unit test

* exec2 in EXECUTABLE_HASH_MAP

* SCAN_TYPE fixes

* Removing old "custom" HTTP header tests

* Version update

* Fixing pdf report link

* Fixed section display logic

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: Ajin Abraham <[email protected]>
Co-authored-by: superpoussin22 <[email protected]>
Co-authored-by: pyup.io bot <[email protected]>
Co-authored-by: Matej Soroka <[email protected]>
Co-authored-by: N1neSun <[email protected]>
Co-authored-by: Ajin.Abraham <[email protected]>
Co-authored-by: Dapo Adedire <[email protected]>
Co-authored-by: Atarii <[email protected]>
Co-authored-by: Han0nly <[email protected]>
Co-authored-by: rustaska <[email protected]>
Co-authored-by: Toor <[email protected]>
Co-authored-by: TrellixVulnTeam <[email protected]>
Co-authored-by: TrellixVulnTeam <[email protected]>
Co-authored-by: ohyeah521 <[email protected]>
Co-authored-by: th3-d4v1d-c0de <[email protected]>
Co-authored-by: evmxattr <[email protected]>
Co-authored-by: none <[email protected]>
Co-authored-by: antoinbo <[email protected]>
Co-authored-by: Karmaz <[email protected]>
Co-authored-by: Abb4d0n <[email protected]>
Co-authored-by: Mark Sowell <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: cpuu <[email protected]>
Co-authored-by: JJ <[email protected]>
Co-authored-by: JPSxzy8 <[email protected]>