MobSF platform update, merge 3.9.7 (#199)
* HOTFIX: EFR01 Enterprise feature request (MobSF#1908)

* Replace Warning with Medium and added Hotspot
* Add file analysis to hotspot
* Enterprise Feature Request Flag
* EFR01 changes
* version bump

* update quark & frida (MobSF#1903)

Co-authored-by: Ajin Abraham <[email protected]>

* Update tldextract from 3.1.2 to 3.2.0 (MobSF#1910)

* upgrade apktool to 2.6.1 (MobSF#1915)

* Hotfix: Update slack link

* Hotfix: update slack link

* Hotfix: Slack link

* Hotfix:Slack link

* Hotfix:Slack link

* Introduce jadx decompilation timeout with env var (MobSF#1916)

* Introduce jadx decompilation timeout with env var
- exception for timeout
- replace subprocess.call for run


Co-authored-by: Ajin Abraham <[email protected]>

* Update ip2location from 8.6.4 to 8.7.2 (MobSF#1926)

Co-authored-by: Ajin Abraham <[email protected]>

* Scheduled weekly dependency update for week 13 (MobSF#1931)

* Update quark-engine from 22.2.1 to 22.3.1

* update lief

Co-authored-by: Ajin Abraham <[email protected]>

* update apkid (MobSF#1939)

* Fix dynamic report_json api bug (MobSF#1934)

Co-authored-by: Ajin Abraham <[email protected]>

* Hotfix: LIEF

* Update README.md (MobSF#1951)

* update jadx to 1.3.4 (MobSF#1941)

* update jadx to 1.3.4
* update lief
* update jadx and requirements

* Scheduled weekly dependency update for week 22 (MobSF#1972)

* Update ip2location from 8.7.3 to 8.7.4

* Update quark-engine from 22.4.1 to 22.5.1

* Update frida from 15.1.17 to 15.1.23

* Update tldextract from 3.2.1 to 3.3.0

* Check for updates via GitHub releases (MobSF#1957)

* Check the GitHub releases page for latest version number

* Update utils.py

Only log distro if not empty (or spaces)

Co-authored-by: Ajin Abraham <[email protected]>

* Update cert_analysis.py (MobSF#1948)

* Update cert_analysis.py

Flag on MD5 hash algorithm in signer certificate

* Update cert_analysis.py

Co-authored-by: Ajin Abraham <[email protected]>

* HOTFIX: Update Readme with Rewards Banner

* Update frida from 15.1.23 to 15.1.24 (MobSF#1975)

Co-authored-by: Ajin Abraham <[email protected]>

* HOTFIX: openSSL link and readme update

* Hotfix: Broken slack channel link fix

* Hotfix: Windows setup script

* Feature Parity Allow iOS IPA download (MobSF#1977)

* Allow iOS IPA download

* Code QA

* Add the checking of the parent element of the permission-related elements to manifest analysis (MobSF#1905)

* Add the checking of the parent element of the permission-related elements to manifest analysis

Co-authored-by: Ajin Abraham <[email protected]>

* Remove RELRO (MobSF#1978)

* Revert "Add the checking of the parent element of the permission-related elements to manifest analysis (MobSF#1905)" (MobSF#1984)

HOTFIX: Revert MobSF#1905

* Scheduled weekly dependency update for week 26 (MobSF#1986)

* Update ip2location from 8.7.4 to 8.8.0

* Update frida from 15.1.24 to 15.1.27

* Update quark-engine from 22.5.1 to 22.6.1 (MobSF#1989)

* Scheduled weekly dependency update for week 28 (MobSF#1993)

* Update frida from 15.1.27 to 15.1.28

* Update tldextract from 3.3.0 to 3.3.1

* HOTFIX: libsast, iOS Rule, M1 Mac support

* Hotfix MobSF#1999

* Update frida from 15.1.28 to 15.2.2 (MobSF#2002)

* Update README.md (MobSF#2020)

add Badge App

* Fix bug MobSF#1917 where checking for stripped debugging symbols produces false positives in iOS. (MobSF#2023)

Co-authored-by: Toor <[email protected]>
Co-authored-by: Ajin Abraham <[email protected]>

* Update ip2location from 8.8.0 to 8.8.1 (MobSF#2035)

Co-authored-by: Ajin Abraham <[email protected]>

* update apkid to 2.1.4 (MobSF#2037)

* Adding tarfile member sanitization to extractall() (MobSF#2039)

Co-authored-by: TrellixVulnTeam <[email protected]>
Co-authored-by: Ajin Abraham <[email protected]>

* fix res directory not exist (MobSF#2042)

Fix the problem that the res resource folder does not exist; the solution is to copy it from the apktool_out directory

* [EFR-02]Enterprise Feature Request - False Positive Triaging (MobSF#2000)

* Suppression logic

* Android code analysis suppression

* Fixes MobSF#1981

* iOS source support bundle id extraction

* iOS Source Code - Suppression support

* Remove check in CFBundleURLName

* iOS Binary code analysis suppression support

* Add Code QL

* Suppression support for Manifest analysis

* Fixes MobSF#2014

* REST API + Docs

* Address review comments

* update suppression wordings

* Fixes MobSF#2043

* Icon analysis code QA

* Unit Test for False Positive Triaging

* Adding numeric_owner as a keyword argument (MobSF#2050)

numeric_owner needs to be a keyword argument.

* Scheduled weekly dependency update for week 41 (MobSF#2046)

* Update quark-engine from 22.6.1 to 22.9.1

* Update frida from 15.2.2 to 16.0.1

* Update tldextract from 3.3.1 to 3.4.0

* Update openstep-parser from 1.5.3 to 1.5.4

Co-authored-by: Ajin Abraham <[email protected]>

* HOTFIX: revert frida to 15.X

* HOTFIX: UI changes and warning on mobsf.live (MobSF#2051)

* UI changes and warning on mobsf.live

* Update home.html

* HOTFIX: Split certificate analysis out, suppression list fixes (MobSF#2052)

* Hotfix: ui on donate page

* Hotfix: Homescreen Navbar

* Hotfix: UI icon

* hotfix for quark rules location (MobSF#2053)

* HOTFIX: jadx update to 1.4.5 (MobSF#2064)

* jadx update to 1.4.5
* MobSF version bump
* Fixes CVE-2022-42889 in third party dependency

* Installation script error: Solving spelling error (MobSF#2067)

changed "installtion" to "installation"

* Android APK support extracting icon SVG from XML (MobSF#2060)

* Added support for SVG icon extraction
* Add jar binaries
* code refactoring
* Update settings.py

* HOTFIX: Setup improvement (MobSF#2078)

* Improve setup scripts.
* Python support to 3.8 - 3.10
* Delete MobSF data directory on running setup.
* Bump applicable dependencies.

* Apktool 2.7.0 update (MobSF#2082)

* Update apktool to version 2.7.0

* HOTFIX: Icon should be a file

* version bump

* New Android Manifest Rule: App support vulnerable android versions (MobSF#2114)

* add a new rule: dangerous os version

* qa

* lint checks

* run lint test on one os

* Support for filenames containing & (MobSF#2129)

Co-authored-by: none <[email protected]>

* HOTFIX: Fix docker build (MobSF#2135)

* Fix Scorecard Severity Distribution chart data (MobSF#2140)

* HOTFIX: Update Dockerfile to install jq (MobSF#2149)

* Update Dockerfile

* Update tox.ini

* [HOTFIX] Add support for environment variable for MobSF config (MobSF#2150)

* add support for environment variable config
* Fixes MobSF#2109
* update lief

* HOTFIX: Fixes MobSF#2144

* HOTFIX: Android min SDK check on janus vulnerability detection (MobSF#2159)

* Android min SDK check on Janus check

* Update README.md

* [Enterprise Feature Request EFR02] Support summary of severity in each section. (MobSF#2160)

* Summary for Android and iOS SCA

* [EFR05] Enterprise Feature Request: AAR and JAR support (MobSF#2163)

* AAR and JAR support

* Enable binary analysis for aar/jar

* Scheduled weekly dependency update for week 24 (MobSF#2187)

* Update ip2location from 8.9.0 to 8.10.0

* Update quark-engine from 22.10.1 to 23.5.1

* Update LIEF from to 0.13.1

* Update tldextract from 3.4.0 to 3.4.4

* Update requirements.txt

---------

Co-authored-by: Ajin Abraham <[email protected]>

* Update requirements.txt

0.13.1 not available.

* HOTFIX: update lief

* Revert Hotfix

* HOTFIX: Feature updates and Bug Fixes (MobSF#2197)

* OFAC, jquery bump, tox fix
* AAR handle multiple application tags

* HOTFIX: MobSF Android Dynamic Analysis Docker Support (MobSF#2214)

* MobSF Android Docker Support

* Pin pip version

* Update mobsf-test.yml

* Update setup.py

* Hotfix: Docker error fixes

* Hotfix: Add Corellium support message

* Hotfix: Broken donate link fix

* Update dynamic_analysis.html (MobSF#2218)

* Hotfix: Handle Docker <-> ADB connectivity internally (MobSF#2219)

* host.docker.internal translation for localhost

* Replace urlparse with re

* version bump

* update ascii art

* update apktool to 2.8.1 (MobSF#2220)

* update apktool (MobSF#2225)

Co-authored-by: Ajin Abraham <[email protected]>

* HOTFIX: translate upstream proxy ip for docker

* Dynamic Analysis support alert (MobSF#2227)

* [HOTFIX] Regex + Rule Update (MobSF#2232)

* iOS Swift Rules updates
  * Updated or added rules `ios_biometric_bool`, `ios_biometric_acl`, `ios_keychain_weak_acl_device_passcode`, `ios_keychain_weak_accessibility_value`, `ios_insecure_random_no_generator`, `ios_biometry_hardened`
* Regex Hardening: Fixes possible Regex DoS in rules and MobSF code base

* [HOTFIX][EFR06] Independent Shared Object (.so) Scan and Improved String search (MobSF#2228)

* String extraction from APK, Source, AAR, JAR, SO
* Strings sections to show source of strings extracted
* Strings Refactor
* Support for independent .SO scan
* Android SCA rules update
* Entropies scan support for strings
* URLs/Email extraction refactor
* Bug Fixes
  * iOS Source Report Fix
  * Frida APK Patcher (WIP)
  * Dynamic Analyzer identifier not available
  * Settings env var not working fix for enabled by default features
  * AppSec Score fix
  * Recent `scan not completed` fix for iOS zip

* HOTFIX: Improve code string extraction

* Update macho_analysis.py - SYMBOLS STRIPPED False Negative (MobSF#2234)

* Update macho_analysis.py

PR for this issue: 
MobSF#2233

* Update macho_analysis.py


Co-authored-by: Ajin Abraham <[email protected]>

* HOTFIX: fix IPA download support

* [HOTFIX][EFR-08] Dylib + Symbols + Other Features (MobSF#2239)

* Dylib analysis support + PDF for iOS Binary
* Dylib string extraction
* Improved iOS Plist secret extraction
* iOS/Android Form Validation QA
* Independent Dylib scan
* Symbols view for dylib and so
* Trackers support for so

* Fix missing exported components (MobSF#2176)

Components which are exported and have no permission were not listed in the results because of a wrong template description key.
Also added a warning if this happens again.

Co-authored-by: Ajin Abraham <[email protected]>

* [HOTFIX][EFR09] AAR/JAR obfuscation and debug check + Exception Handled strings and symbols extraction (MobSF#2240)

* AAR/JAR obfuscation and debug check
* Exception handling symbols and strings from so/dylib

* [HOTFIX][EFR10] Independent Static Library(.a) ELF/MachO Analysis + Graceful Analysis (MobSF#2242)

* Independent Static Library(.a) ELF/MachO Analysis
  * Mac FAT binary only supported on Mac
* Static and Dynamic Binary Analysis QA
* Refactor Dex permissions
* Fallback certificate analysis using apksigtool
* Refactor Androguard `apk.APK()` usage

* Pip to Poetry,  Ubuntu Base image Bump, Dockerfile QA, Python 3.11 support (MobSF#2244)

* Docker base image update
* Docker file QA
* Github Actions version update
* Removed unwanted pinned repository
* Pip to Poetry migration
* Bump httptools
* Bump yara-python-dex
* Python 3.11 support

* [HOTFIX] Docker Buildx test (MobSF#2247)

* Docker image build test for PRs

* [HOTFIX] bs4 malformed xml parsing + xml namespace detection (MobSF#2248)

* Use BeautifulSoup4 to prettify malformed XML
* Detect non standard XML namespace in AndroidManifest.xml (Fixes : MobSF#2198) 
* Updated android permissions list
* Updated android permission update check script

* [HOTFIX] Migrate from setup.py to poetry, tox QA (MobSF#2249)

* Migrate from setup.py to use poetry build and publish
* Tox QA
* Version is now configured only at pyproject.toml
* Added poetry build test
* Updated mobsf PyPI publishing workflow 
* Update local DBs

* Performance Improvements on SAST (MobSF#2251)

* Performance improvements in SAST scans (Code Analysis, API Analysis, NIAP etc.) with libsast bump
* Android API rule QA
* Manifest analysis continuation on apktool failure
* Linux setup script fix
* Disable NIAP by default

* [HOTFIX] add apksigner.jar for reading signatures (MobSF#2254)

* Add `apksigner.jar`
* Use apksigner to extract signature versions (v1, v2, v3, v4)
* Fix: MobSF#2120

* [HOTFIX] add jar (MobSF#2255)

* Add apksigner jar

* [HOTFIX] Bump Frida to address crash on M1 Mac (MobSF#2258)

* Update frida to 16.1.4 to resolve segmentation faults on Docker arm image
---------

Co-authored-by: Mark Sowell <[email protected]>

* [HOTFIX] simplify scan api (MobSF#2259)

* Simplify Scan API
* Need only scan hash to trigger a scan
* Updated API Docs

* [HOTFIX] iOS Framework Analysis + Multiple Feature QA (MobSF#2260)

* iOS Framework Analysis
* Static Analysis URL simplification
* Replace hardcoded urls in template with `{% url %}`
* Code QA
* Remove unwanted template file
* Remove `rescan` query param from url
* Android icon SVG guessing improvements
* Icon analysis refactoring, change icon storage location
* Remove SVG to PNG converter. Support PNG and SVG icon.
* Github docker release action update

* [HOTFIX] Support webp for icon (MobSF#2267)

* [HOTFIX] Fixed that the icon cannot be found (MobSF#2265)

Fixed the icon not being found when the file suffix is uppercase

* Allow jpeg icons (MobSF#2268)

* [HOTFIX] Fix jadx and apktool failure due to JDK changes (MobSF#2269)

* Fix jadx and apktool failure due to JDK zip64 changes

* [HOTFIX][EFR] Priority Bug Fixes (MobSF#2275)

* P1.1 AAR Permissions not properly listed 
* P1.2 Local variable table not listed in proper section
* P1.3 static library strings are not listed
* P1.5 Stripping of dynamic and static libraries are not correctly reported
* Dependency bump
* MobSF version bump

* Hotfix: Bump deps

* update apktool to 2.9.0 (MobSF#2278)

Co-authored-by: Ajin Abraham <[email protected]>

* Build(deps): Bump django from 4.1.12 to 4.1.13 (MobSF#2282)

Bumps [django](https://github.com/django/django) from 4.1.12 to 4.1.13.
- [Commits](django/django@4.1.12...4.1.13)

---
updated-dependencies:
- dependency-name: django
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Hotfix: Support viewing kotlin files MobSF#2283

* iOS Dynamic Analysis with Corellium (MobSF#2194)

* iOS Dynamic Analysis Support with Corellium Jailbroken iOS devices
* Corellium API layer for complete device and project management
* Frida instrumentation (attach, spawn and inject) over SSH local port forward
* Shell access over SSH
* MobSF httptools proxy integration over SSH remote port forward
* Device File upload and download over SSH
* Frida scripts for core defense bypass, monitoring, and tracing
* Helper iOS Frida scripts for pentesting and malware analysis
* Screen cast with touch, swipe and text input support from web UI
* Dynamic Analysis device data dump and report generation
* Android Certificate analysis, replaced oscrypto with cryptography for public key parsing
* Python minimum support is 3.10
* Bumped httptools to latest, fixes httptools repeat bug
* Added unzip to docker to fix a bug

* Relaxed bundleid regex

* HOTFIX: Dynamic Analysis Improvements Android & iOS (MobSF#2295)

iOS Screencast, better swipe
Android Screencast to support touch, swipe and text input events
Android Frida Logs update
Android Improved Screencast
Android Frida spawn, inject and attach support
Added new Android Frida scripts
Replaced Clipdump with Frida script for clipboard monitoring

* Hotfix QA (MobSF#2297)

* REST API update for android frida instrument
* Code QA

* [HOTFIX] More Android & iOS Frida Scripts (MobSF#2299)

Improved existing frida scripts
More Android & iOS frida Scripts
Code QA

* [HOTFIX] Android script loading,  frida injected code view, paramiko SSH issues (MobSF#2300)

* Android script loading bug fix
* Frida injected code view
* Paramiko SSH reactor to address some host key issues, revert from warning to autoadd.
* Frida Injection refactoring

* Enhancements to ARC and Stack Canary Checks in Mach-O Parsing (MobSF#2284)

* Extend 'has_arc' check to include '_swift_release'

Updated the has_arc method to detect the usage of ARC not only by the presence of the _objc_release symbol but also by the _swift_release symbol. This change broadens the scope of ARC detection to cover both Objective-C and Swift implementations.

* Optimize has_canary function without using a set

Refactored the has_canary method to directly check the presence of ___stack_chk_fail and ___stack_chk_guard symbols in imported_functions. Removed the unnecessary conversion to a set, streamlining the function and enhancing readability. Now, has_canary uses any() for efficient symbol existence checks.

* [HOTFIX] RPC hook suggestions + Bug Fix (MobSF#2301)

* String compare script improvements
* Fix iOS Frida script bugs
* Added RPC helpers for hook suggestion (TODO:Expose to UI)
* Code QA

* HOTFIX: Add missing RPC script, Frida Logs font size

* version bump

* update apktool to 2.9.1 (MobSF#2304)

* [EFR][HOTFIX] QA Request (MobSF#2306)

* Scan independent library file (.so, .dylib, Framework dylib) from APK/IPA Static Analysis Report
* Library analysis refactored relative path helper for Django template.
* Re-introduced RELRO checks for Android, added Dart binary check to avoid Flutter false positives.
* Improved stripped debug symbol check for ELF and MachO using native OS tools such as nm and objdump when available.
* Merge iOS Framework and Dylib Analysis.

* Bug Fixes + Improvements (MobSF#2307)

* Replace Android test APK
* Added tests for Library analysis from binary (scan_library route)
* iOS merge findings from swift and objective c rules with same rule identifier. Fixes MobSF#2287 
* iOS Binary analysis, sort regex matches. Fixes MobSF#2252
* Framework dylibs with no extensions to skip PIE checks. Fixes MobSF#2307
* Select correct network_security config. Fixes MobSF#2049
* Android Manifest Analysis added support for detecting task hijacking (StrandHogg 1.0 and StrandHogg 2.0) . Fixes MobSF#2124
* Added new manifest analysis rule to warn on apps targeting older Android OS
* Updated severity of findings
* UI improvement for AppSec dashboard to show a loader
* UI changes in Static Analysis to collapse a large number of files in API and Code Analysis for better real estate
* Improved certificate file analysis for android, jar, aar, and ios
* MobSF version Bump

* [HOTFIX] ChatGPT Permission Mapping + Improved Description (MobSF#2308)

* Android Permission Mapping, generated with ChatGPT + axplorer. Addressed MobSF#1772 
* Android Permission description enhancement generated with ChatGPT
* Added new permissions to permission analyzer

* Windows Python tempfile permission error fix (MobSF#2309)

* Fix PermissionError: [Errno 13] Permission denied
Windows Python tempfile permission error fix

* Multiple Features Improved or Added (MobSF#2310)

* Android added App Link assetlinks.json check
* Added more new permission mappings
* Updated Permission database
* Improved Source code view content search
* Added upstream proxy support for Corellium API calls
* Updated Readme

* [HOTFIX] Malware Permission Check for Android, API Rules + Version Bump (MobSF#2313)

* Malware Permission Check for Android
* New Android API rule to support Passkeys
* Updated Readme
* Version Bump

* Bug Fix and QA (MobSF#2315)

* Bug Fix
* QA
* Version bumps

* HOTFIX: update apktool, fixes a security issue GHSA-2hqv-2xv4-5h5w

* Update submodule

* Using multithreading to improve code efficiency (MobSF#2319)

* Using multithreading to improve code efficiency
* Update manifest_analysis.py
* QA
* Handle asterisk in host names.

---------

Co-authored-by: Ajin Abraham <[email protected]>

* GPT Goodness (MobSF#2318)

* QA
* Version Bump

* Update SECURITY.md (MobSF#2323)

updated security policy

* [HOTFIX][SECURITY] Fix an LFI, DSA Pub Key parsing bug and dependencies  (MobSF#2326)

* [SECURITY] Fixes an LFI reported by @0x33c0unt - A crafted APK resource with icon name containing arbitrary path will get copied by MobSF as the icon file to the download directory which is available under `/download/` route. Fixed by MobSF@a58f8a8
* Fixes MobSF#2324 , Bug in parsing DSA Public Key parameters for fingerprint calculation.
* Update dependencies

* Filter out invalid links (MobSF#2322)

* Filter out invalid links

[ERROR] 2024-01-10 10:28:29 - Well Known Assetlinks Check for URL: http://*/.well-known/assetlinks.json
Traceback (most recent call last):
 
requests.exceptions.InvalidURL: URL has an invalid label.

* Update manifest_analysis.py

---------

Co-authored-by: Ajin Abraham <[email protected]>

* Fix Arbitrary file writes on Windows (MobSF#2328)

* Runtime Exec Tampering Detection, iOS Dynamic REST APIs, Datatables Export  (MobSF#2339)

* Runtime Executable Tampering Detection

* Add security.py

* Code QA Performance

* Code QA Runtime EXEC tampering detection

* Corellium API QA + Domain support

* REST API Docs + Datatables export

* HOTFIX: Dependency bump

* HOTFIX: Injected code overwrite revert

* HOTFIX: Bump deps + ELF strings check fix

* MOBSF_CORELLIUM_API_DOMAIN Update (MobSF#2347)

* MOBSF_CORELLIUM_API_DOMAIN Update

Set the default of `MOBSF_CORELLIUM_API_DOMAIN` to `https://app.corellium.com` as it was not being picked up properly in `dynamic_analyzer.py` for iOS

* Update corellium_apis.py

* Update settings.py

---------

Co-authored-by: Ajin Abraham <[email protected]>

* Add name parameter to create vm

* Add name support in ui

* HOTFIX: Frida Logs API response code + Dependency bump

* HOTFIX: Bump deps + expose Corellium stop app api

* Fix MobSF#2343

* HOTFIX: target sdk bug

* HOTFIX: Bump androguard + remove quark

* HOTFIX: androguard bump

* Fix MobSF#2349

* HOTFIX: Individual image publish

* HOTFIX:[SECURITY] Fix GHSA-wfgj-wrgh-h3r3, dep bump, docker build qa

* poetry pyqt5 fixes (MobSF#2362)

* poetry pyqt5 fixes

* QA

* fix

* Cert analysis qa

* QA

* pin pyqt5

* HOTFIX: Remove Androguard dependency use only features required by MobSF (MobSF#2363)

This PR strips out androguard and its dependencies from MobSF.
Extract androguard related functions used by MobSF.
Some dependencies such as pyQt5 from apkinspector is breaking the ARM64 docker image.
This should address that issue.
In future, we will have to copy over any fixes to axml, apk, public, types from androguard and ZipEntry from apkinspector. 
We won't be adding linting to these files. The extracted functions will be considered as an external tool.

* Optimize rendering of big lists (MobSF#2351)

* Optimize rendering of big lists
* Dynamic rendering in browser to improve ux
Co-authored-by: Ajin Abraham <[email protected]>

* Fixes GHSA-m435-9v6r-v5f6

* Update SECURITY.md (MobSF#2364)

* Update SECURITY.md (MobSF#2365)

* Update SECURITY.md

* HOTFIX: Build and push docker arm64 and amd64 together

* HOTFIX: Possible SSRF

* Resolve the situation where the function name is bytes (MobSF#2367)

fix error:
 if function.name.endswith('_chk'):
       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
TypeError: endswith first arg must be bytes or a tuple of bytes, not str

Co-authored-by: Ajin Abraham <[email protected]>

* Lint fixes #1

* Lint fixes #2

* Lint fixes #3

* Lint fixes #4

* Lint fixes #5

* Removing authentication requirement for /tests

* Lint fixes

* Updated

* Updated test logging

* Lint fix

* Setting template in context

* Lint fixes

* Added missing api params

* is_admin adjustment

* Include checksum

* Lint fixes

* Adding more logging

* Unit test fixes

* Lint fix

* # Get App Icon fix

* SCAN_LOGS support

* Timestamp fix

* Undid some bad updates

* Lint fix

* Error set is_admin

* Adding logging

* Removing logs field

* Debugging error

* Debugging

* Adding framework_analysis to fake_bin_dict

* Fixed so_analysis

* scan_library fix

* Handling of empty fields

* Lint fixes

* Lint fixes

* Updates to settings.py to allow ECS environment variables to be used

* Changing errors to warnings

* Resetting tests.py to match 3.9.7

* Fixing unit test

* exec2 in EXECUTABLE_HASH_MAP

* SCAN_TYPE fixes

* Removing old "custom" HTTP header tests

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: Ajin Abraham <[email protected]>
Co-authored-by: superpoussin22 <[email protected]>
Co-authored-by: pyup.io bot <[email protected]>
Co-authored-by: Matej Soroka <[email protected]>
Co-authored-by: N1neSun <[email protected]>
Co-authored-by: Ajin.Abraham <[email protected]>
Co-authored-by: Dapo Adedire <[email protected]>
Co-authored-by: Atarii <[email protected]>
Co-authored-by: Han0nly <[email protected]>
Co-authored-by: rustaska <[email protected]>
Co-authored-by: Toor <[email protected]>
Co-authored-by: TrellixVulnTeam <[email protected]>
Co-authored-by: TrellixVulnTeam <[email protected]>
Co-authored-by: ohyeah521 <[email protected]>
Co-authored-by: th3-d4v1d-c0de <[email protected]>
Co-authored-by: evmxattr <[email protected]>
Co-authored-by: none <[email protected]>
Co-authored-by: antoinbo <[email protected]>
Co-authored-by: Karmaz <[email protected]>
Co-authored-by: Abb4d0n <[email protected]>
Co-authored-by: Mark Sowell <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: cpuu <[email protected]>
Co-authored-by: JJ <[email protected]>
Co-authored-by: JPSxzy8 <[email protected]>
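The two path-confinement fixes in the log above (tar member sanitization in `extractall()` with `numeric_owner` passed as a keyword argument, and the icon copy that a crafted resource name could steer into the `/download/` directory) come down to one check: the resolved destination must stay under the directory the server chose. The block below is an added illustration of that check, not MobSF's code; the function names, the accepted icon extensions, the 32-hex scan-hash format and the in-memory sample archives are the author's assumptions.

```python
"""Path confinement for archive extraction and for a served icon file.

Added illustration, not MobSF code. Names, the icon extension policy and
the scan-hash format are assumptions made for the example.
"""
from __future__ import annotations

import io
import os
import re
import tarfile
import tempfile
from typing import Dict, List


def is_within(base: str, target: str) -> bool:
    """True when target, after symlink and '..' resolution, lies inside base."""
    base_real = os.path.realpath(base)
    target_real = os.path.realpath(target)
    return os.path.commonpath([base_real, target_real]) == base_real


def safe_extractall(tar: tarfile.TarFile, dest: str) -> List[str]:
    """Extract only members whose path and link target resolve inside dest.

    The whole member list is validated before anything is written, so a
    crafted '../../etc/cron.d/evil' aborts the extraction instead of landing
    outside dest after the benign members were already written.
    """
    accepted: List[tarfile.TarInfo] = []
    for member in tar.getmembers():
        member_path = os.path.join(dest, member.name)
        if not is_within(dest, member_path):
            raise ValueError(f'blocked path traversal: {member.name!r}')
        if member.issym():
            # a symlink target is relative to the link's own directory
            link = os.path.join(os.path.dirname(member_path), member.linkname)
        elif member.islnk():
            # a hard link target is relative to the archive root
            link = os.path.join(dest, member.linkname)
        else:
            link = None
        if link is not None and not is_within(dest, link):
            raise ValueError(f'blocked link escape: {member.name!r} -> {member.linkname!r}')
        accepted.append(member)
    # numeric_owner is keyword-only in TarFile.extractall; where the stdlib
    # ships tarfile.data_filter, the 'data' filter adds a second layer.
    kwargs = {'numeric_owner': False}
    if hasattr(tarfile, 'data_filter'):
        kwargs['filter'] = 'data'
    tar.extractall(dest, members=accepted, **kwargs)
    return [m.name for m in accepted]


ICON_EXTENSIONS = {'.png', '.svg', '.webp', '.jpg', '.jpeg'}  # assumed policy
SCAN_HASH = re.compile(r'^[a-f0-9]{32}$')                     # assumed md5 form


def safe_icon_destination(download_dir: str, scan_hash: str, icon_name: str) -> str:
    """Build the icon path from server-chosen parts only.

    The resource name from the APK decides nothing but the extension, so
    '../../etc/passwd.png' cannot steer the copy; the final is_within call
    is belt and braces.
    """
    if not SCAN_HASH.match(scan_hash):
        raise ValueError('scan hash must be 32 lowercase hex characters')
    ext = os.path.splitext(icon_name)[1].lower()
    if ext not in ICON_EXTENSIONS:
        raise ValueError(f'unsupported icon type: {icon_name!r}')
    dest = os.path.join(download_dir, f'{scan_hash}-icon{ext}')
    if not is_within(download_dir, dest):
        raise ValueError('icon destination escapes download directory')
    return dest


def build_tar(names: List[str]) -> tarfile.TarFile:
    """Constructed in-memory sample archive of one-byte regular files."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode='w') as writer:
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = 1
            writer.addfile(info, io.BytesIO(b'x'))
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode='r')


def demo() -> Dict[str, object]:
    """Run both checks in a scratch directory and report what happened."""
    with tempfile.TemporaryDirectory() as scratch:
        benign = build_tar(['res/icon.png', 'res/values/strings.xml'])
        extracted = safe_extractall(benign, scratch)
        benign.close()
        crafted = build_tar(['res/icon.png', '../../etc/cron.d/evil'])
        try:
            safe_extractall(crafted, scratch)
            traversal_blocked = False
        except ValueError:
            traversal_blocked = True
        finally:
            crafted.close()
        icon = safe_icon_destination(scratch, 'a' * 32, '../../etc/passwd.PNG')
        return {
            'extracted': extracted,
            'traversal_blocked': traversal_blocked,
            'benign_file_present': os.path.exists(os.path.join(scratch, 'res', 'icon.png')),
            'icon_basename': os.path.basename(icon),
            'icon_inside': is_within(scratch, icon),
        }


if __name__ == '__main__':
    print(demo())
```

`is_within` compares real paths rather than string prefixes, which is what defeats both `..` segments and a sibling directory such as `downloads-old` sharing the prefix of `downloads`; the link checks matter because an archive can plant a symlink first and then write through it with a later member.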
1 parent e133ac2 commit 177b0ad
Showing 275 changed files with 271,732 additions and 203,351 deletions.
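The `http://*/.well-known/assetlinks.json` failure quoted under "Filter out invalid links" and the two AppLink SSRF advisories fixed in this series (crafted `android:host`, redirect abuse) are both about what an `android:host` value may turn into before the scanner makes an outbound request. The block below is an added example, not MobSF's code: it normalises and validates the host, builds the Digital Asset Links URL, and re-validates each redirect hop. The function names and the policy choices (https only, no IP literals, no single-label names, a redirect must keep the well-known path) are assumptions, and the DNS step is optional because it needs network access.

```python
"""Validate an android:host before fetching assetlinks.json, and
re-validate redirect targets before following them.

Added illustration, not MobSF code. Function names and policy are assumptions.
"""
from __future__ import annotations

import ipaddress
import re
import socket
from typing import Optional
from urllib.parse import urlsplit

WELL_KNOWN_PATH = '/.well-known/assetlinks.json'
LABEL = re.compile(r'^(?!-)[a-z0-9-]{1,63}(?<!-)$')


def validate_android_host(raw: str) -> Optional[str]:
    """Return a normalised hostname, or None if it must not be fetched.

    Rejects manifest wildcards ('*', '*.example.com'), userinfo and ports,
    IP literals of any kind (loopback, link-local metadata addresses, and
    public ones too: App Links are bound to DNS names), single-label names
    such as 'localhost', and anything that is not a valid DNS label.
    """
    host = raw.strip().lower().rstrip('.')
    if not host or len(host) > 253:
        return None
    try:
        ipaddress.ip_address(host.strip('[]'))
        return None                       # IP literal: never an App Link host
    except ValueError:
        pass
    if host == 'localhost' or re.search(r'[^a-z0-9.-]', host):
        return None                       # '*', '@', ':', '/', whitespace, ...
    labels = host.split('.')
    if len(labels) < 2 or not all(LABEL.match(label) for label in labels):
        return None
    if labels[-1].isdigit():
        return None                       # '1.2.3' style pseudo-hosts
    return host


def assetlinks_url(raw_host: str) -> Optional[str]:
    """https URL for the Digital Asset Links file, or None if the host is rejected."""
    host = validate_android_host(raw_host)
    return None if host is None else f'https://{host}{WELL_KNOWN_PATH}'


def is_safe_redirect(location: str) -> bool:
    """Decide whether a 3xx Location may be followed.

    The fetch is made with redirects disabled and every hop passes through
    here, so a redirect cannot pivot the request to http://, to an internal
    address, to a non-standard port, or to an arbitrary path.
    """
    parts = urlsplit(location)
    try:
        port = parts.port
    except ValueError:                    # e.g. 'https://host:abc/'
        return False
    if parts.scheme != 'https' or port not in (None, 443):
        return False
    if parts.username is not None or parts.password is not None:
        return False
    if validate_android_host(parts.hostname or '') is None:
        return False
    return parts.path == WELL_KNOWN_PATH


def resolves_to_global_only(host: str) -> bool:
    """Optional DNS step (needs network): every A/AAAA answer must be a
    globally routable address, which blocks names that point at 127.0.0.1,
    10/8, 169.254.169.254 and friends."""
    try:
        answers = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return False
    return bool(answers) and all(
        ipaddress.ip_address(sockaddr[0].split('%')[0]).is_global
        for *_, sockaddr in answers)
```

Fetch with redirects disabled (for example `requests.get(url, allow_redirects=False, timeout=...)`) and pass each `Location` through `is_safe_redirect` before issuing the next request. A hostname that passes the syntactic check can still resolve to an internal address, which is what `resolves_to_global_only` is for, and even that leaves a rebinding window between the lookup and the connect; a network-level egress policy for the scanner host closes it.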
13 changes: 10 additions & 3 deletions .github/SECURITY.md
Expand Up @@ -16,6 +16,13 @@ Please report all security issues [here](https://github.com/MobSF/Mobile-Securit

## Past Security Issues

* [Local file reading regression < 3.0.0](https://github.com/MobSF/Mobile-Security-Framework-MobSF/issues/1197)
* [Upload a malicious zip file can overwrite arbitary files >=v0.9.3.2 && <=0.9.4.1](https://github.com/MobSF/Mobile-Security-Framework-MobSF/issues/358)
* [Fix Local File Inclusion Vulnerability in ViewSource Function. Version <= v0.9.2](https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/166)
| Vulnerability | Affected Versions |
| ------- | ------------------ |
| [SSRF in AppLink check via abusing url redirect](https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-m435-9v6r-v5f6) | `<=3.9.6` |
| [SSRF in AppLink check via crafted android:host](https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-wfgj-wrgh-h3r3) | `<=3.9.5`|
| [Arbitrary Local file read in APK icon resource](https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/a58f8a8c0aa49e1581d97e19e8e2255ca96cd838) | `>=1.0.4, <=3.9.2` |
| [Remote Code Execution via arbitrary file overwrite vulnerability in apktool <2.9.2](https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/19c1b55c2c59596f2d43439926c9dc976cbeaec4), [[CVE-2024-21633]](https://github.com/0x33c0unt/CVE-2024-21633) | `<=3.9.1` |
| [Arbitrary Local file read regression](https://github.com/MobSF/Mobile-Security-Framework-MobSF/issues/1197) | `<3.0.0` |
| [Upload a malicious zip file can overwrite arbitary files](https://github.com/MobSF/Mobile-Security-Framework-MobSF/issues/358) | `>=0.9.3.2, <=0.9.4.1` |
| [Arbitrary Local file read](https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/166) | `<=0.9.2` |
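Review bot: the apktool RCE row links only the fix commit and a PoC repository outside the MobSF organisation, although the commit message itself names the advisory for that fix ("update apktool, fixes a security issue GHSA-2hqv-2xv4-5h5w"), and the icon-resource file read row links only commit a58f8a8; link the GHSA advisory in both rows as the two SSRF rows already do, so readers get one canonical place for severity and fixed version. The malicious zip row also carries "arbitary" over from the old bullet text; fix the spelling while the list is being converted to a table.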

4 changes: 0 additions & 4 deletions .github/workflows/mobsf-test.yml
Expand Up @@ -11,10 +11,6 @@ jobs:
matrix:
os: [ubuntu-22.04]
python-version: ['3.11']
# exclude:
# excludes py38, py39 on Windows
# - os: windows-latest
# python-version: 3.8

runs-on: ${{ matrix.os }}
steps:
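Review bot: the `python-version` matrix is now `['3.11']` only, while this same merge sets the supported minimum to 3.10 ("Python minimum support is 3.10" in the commit message) and `.sonarcloud.properties` in this change lists `3.10, 3.11`; add `'3.10'` to the matrix so the stated floor is actually tested rather than only analysed. Dropping the commented-out Windows exclude block is fine since `os` contains only `ubuntu-22.04`.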
27 changes: 0 additions & 27 deletions .pyup.yml

This file was deleted.

2 changes: 1 addition & 1 deletion .sonarcloud.properties
@@ -1,4 +1,4 @@
sonar.sources=.
sonar.exclusions=mobsf/static/**/*,mobsf/templates/**/*
sonar.sourceEncoding=UTF-8
sonar.python.version=3.7, 3.8, 3.9, 3.10, 3.11
sonar.python.version=3.10, 3.11
4 changes: 3 additions & 1 deletion Dockerfile
Expand Up @@ -32,8 +32,10 @@ RUN apt update -y && apt install -y --no-install-recommends \
curl \
git \
jq \
unzip \
android-tools-adb && \
locale-gen en_US.UTF-8
locale-gen en_US.UTF-8 && \
apt upgrade -y

ENV MOBSF_USER=mobsf \
MOBSF_PLATFORM=docker \
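Review bot: `apt upgrade -y` at the end of the RUN chain makes the image depend on whatever Ubuntu has published at build time, so two builds of this commit can contain different package versions and a scan result is not reproducible from the Dockerfile alone; if the intent is a patched base, prefer a pinned base image tag or digest and rebuild on a schedule. Within the visible lines there is also no `rm -rf /var/lib/apt/lists/*` after the install and upgrade, so the package lists fetched by `apt update` stay in the layer; put the cleanup in the same RUN so it actually shrinks the layer. The `unzip` addition matches the commit message entry "Added unzip to docker to fix a bug".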
201 changes: 201 additions & 0 deletions LICENSES/apkinspector.txt
@@ -0,0 +1,201 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/

TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

1. Definitions.

"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.

"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.

"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.

"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.

"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.

"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.

"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).

"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.

"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."

"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.

2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.

3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.

4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:

(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and

(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and

(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and

(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.

You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.

5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.

6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.

7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.

8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.

9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.

END OF TERMS AND CONDITIONS

APPENDIX: How to apply the Apache License to your work.

To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.

Copyright [yyyy] [name of copyright owner]

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
15 changes: 15 additions & 0 deletions LICENSES/apksigner.txt
@@ -0,0 +1,15 @@
# Copyright (C) 2016 The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Set up prog to be the path of this script, including following symlinks,
# and set up progdir to be the fully-qualified pathname of its directory.
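Review bot: the last two lines of the hunk (`# Set up prog to be the path of this script, including following symlinks,` and `# and set up progdir to be the fully-qualified pathname of its directory.`) are comments copied from the apksigner launcher script rather than part of the license notice; suggest dropping them so LICENSES/apksigner.txt carries only the copyright line and the Apache 2.0 notice, or, if the intent is to show where the notice was taken from, replace them with a short line naming the upstream file.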

0 comments on commit 177b0ad