Complex AndroidManifest.xml analysis #35

Open
Razican opened this Issue Sep 22, 2016 · 3 comments

Razican commented Sep 22, 2016

We need to add content providers, receivers, etc. to manifest analysis, and rules to decide what to analyze. Here is the complete list:

  • <provider>:
    • if android:exported="false" everything is OK.
    • if android:exported="true" and any targetSdkVersion or no android:exported and minSdkVersion < 17, we could have a vulnerability:
      • if android:permission or android:readPermission or android:writePermission, only warning.
      • if no permissions, medium or high vulnerability: other apps can read it.
  • <receiver>, <activity>, <activity-alias> or <service>:
    • if android:exported="false" everything is OK.
    • if android:exported="true" we could have a vulnerability:
      • if android:permission, only warning.
      • if no permissions, medium or high vulnerability: other apps can access it.
    • If no android:exported, we could have a vulnerability:
      • if no <intent-filter>, everything is OK.
      • if <intent-filter>:
        • if android:permission, only warning.
        • if no permissions, medium or high vulnerability: other apps can access it.

Analysis from AndroBugs: https://github.com/AndroBugs/AndroBugs_Framework/blob/master/androbugs.py
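
The rule list above, written out as a small classifier. This is an added example, not code from SUPER or AndroBugs; it assumes `minSdkVersion` is an integer, applies only the rules listed in this issue, and the function name `classify_components` and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
PROVIDER_PERMS = ("permission", "readPermission", "writePermission")
OTHER_COMPONENTS = ("receiver", "activity", "activity-alias", "service")

def classify_components(manifest_xml):
    """Map each component's android:name to 'ok', 'warning' or 'vulnerable'."""
    root = ET.fromstring(manifest_xml)
    uses_sdk = root.find("uses-sdk")
    # Assumption: minSdkVersion is an integer; Android treats a missing value as 1.
    min_sdk = int(uses_sdk.get(ANDROID + "minSdkVersion", "1")) if uses_sdk is not None else 1
    results = {}
    for comp in root.iter():
        exported = comp.get(ANDROID + "exported")
        if comp.tag == "provider":
            # Issue rule: exported explicitly, or implicitly when minSdkVersion < 17.
            reachable = exported == "true" or (exported is None and min_sdk < 17)
            perms = PROVIDER_PERMS
        elif comp.tag in OTHER_COMPONENTS:
            # Issue rule: exported explicitly, or implicitly by having an <intent-filter>.
            reachable = exported == "true" or (
                exported is None and comp.find("intent-filter") is not None)
            perms = ("permission",)
        else:
            continue
        if not reachable:
            verdict = "ok"
        elif any(comp.get(ANDROID + p) for p in perms):
            verdict = "warning"      # exported, but guarded by a permission
        else:
            verdict = "vulnerable"   # exported with no permission: other apps can reach it
        results[comp.get(ANDROID + "name")] = verdict
    return results

# Constructed sample manifest (not taken from any real app).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
 <uses-sdk android:minSdkVersion="16"/>
 <application>
  <provider android:name=".OpenProvider"/>
  <provider android:name=".ReadGuarded" android:exported="true"
            android:readPermission="com.example.READ"/>
  <provider android:name=".Private" android:exported="false"/>
  <activity android:name=".Main"><intent-filter/></activity>
  <service android:name=".Internal"/>
  <receiver android:name=".Guarded" android:permission="com.example.SEND"><intent-filter/></receiver>
  <activity-alias android:name=".Alias" android:exported="true"/>
 </application>
</manifest>"""
```

Calling `classify_components(SAMPLE)` returns one verdict per component; mapping "vulnerable" to medium or high severity is left to the caller, as in the issue.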

@Razican Razican added this to the SUPER 0.2.0 milestone Sep 22, 2016

@Chuky9 Chuky9 self-assigned this Oct 20, 2016

@Razican Razican modified the milestones: SUPER 0.2.0, SUPER 0.3.0 Nov 2, 2016

Chuky9 commented Nov 3, 2016

Complex AndroidManifest.xml analysis implemented but some clarifications are required in order to improve these detections in the next version (0.3.0). That's why this issue will remain open.

@Chuky9 Chuky9 modified the milestones: SUPER 0.3.0, SUPER 0.2.0 Nov 3, 2016

Razican commented Nov 10, 2016

This depends on #20. We suppose that it will be available before the launch of 0.3.0 with enough time to implement it, so we maintain it for 0.3.0.

@Razican Razican modified the milestones: SUPER 0.3.0, SUPER 0.4.0 Feb 11, 2017

Razican commented Apr 2, 2017

Moving this to SUPER 0.5.0.

@Razican Razican modified the milestones: SUPER 0.5.0, SUPER 0.4.0 Apr 2, 2017

@Razican Razican modified the milestones: SUPER 0.5.0, SUPER 0.6.0 May 10, 2018
