July origin merge to downstream (#63)

* HOTFIX: EFR01 Enterprise feature request (MobSF#1908)

* Replace Warning with Medium and added Hotspot
* Add file analysis to hotspot
* Enterprise Feature Request Flag
* EFR01 changes
* version bump

* update quark & frida (MobSF#1903)

Co-authored-by: Ajin Abraham <ajin25@gmail.com>

* Update tldextract from 3.1.2 to 3.2.0 (MobSF#1910)

* upgrade apktool to 2.6.1 (MobSF#1915)

* Hotfix: Update slack link

* Hotfix: update slack link

* Hotfix: Slack link

* Hotfix:Slack link

* Hotfix:Slack link

* Introduce jadx decompilation timeout with env var (MobSF#1916)

* Introduce jadx decompilation timeout with env var
- exception for timeout
- replace subprocess.call for run


Co-authored-by: Ajin Abraham <ajin25@gmail.com>

* Update ip2location from 8.6.4 to 8.7.2 (MobSF#1926)

Co-authored-by: Ajin Abraham <ajin25@gmail.com>

* Scheduled weekly dependency update for week 13 (MobSF#1931)

* Update quark-engine from 22.2.1 to 22.3.1

* update lief

Co-authored-by: Ajin Abraham <ajin25@gmail.com>

* update apkid (MobSF#1939)

* Fix dynamic report_json api bug (MobSF#1934)

Co-authored-by: Ajin Abraham <ajin25@gmail.com>

* Hotfix: LIEF

* Update README.md (MobSF#1951)

* update jadx to 1.3.4 (MobSF#1941)

* update jadx to 1.3.4
* update lief
* update jadx and requirements

* Scheduled weekly dependency update for week 22 (MobSF#1972)

* Update ip2location from 8.7.3 to 8.7.4

* Update quark-engine from 22.4.1 to 22.5.1

* Update frida from 15.1.17 to 15.1.23

* Update tldextract from 3.2.1 to 3.3.0

* Check for updates via GitHub releases (MobSF#1957)

* Check the GitHub releases page for latest version number

* Update utils.py

Only log distro if not empty (or spaces)

Co-authored-by: Ajin Abraham <ajin25@gmail.com>

* Update cert_analysis.py (MobSF#1948)

* Update cert_analysis.py

Flag on MD5 hash algorithm in signer certificate

* Update cert_analysis.py

Co-authored-by: Ajin Abraham <ajin25@gmail.com>

* HOTFIX: Update Readme with Rewards Banner

* Update frida from 15.1.23 to 15.1.24 (MobSF#1975)

Co-authored-by: Ajin Abraham <ajin25@gmail.com>

* HOTFIX: openSSL link and readme update

* Hotfix: Broken slack channel link fix

* Hotfix: Windows setup script

* Feature Parity Allow iOS IPA download (MobSF#1977)

* Allow iOS IPA download

* Code QA

* Add the checking of the parent element of the permission-related elements to manifest analysis (MobSF#1905)

* Add the checking of the parent element of the permission-related elements to manifest analysis

Co-authored-by: Ajin Abraham <ajin25@gmail.com>

* Remove RELRO (MobSF#1978)

* Revert "Add the checking of the parent element of the permission-related elements to manifest analysis (MobSF#1905)" (MobSF#1984)

HOTFIX: Revert MobSF#1905

* Scheduled weekly dependency update for week 26 (MobSF#1986)

* Update ip2location from 8.7.4 to 8.8.0

* Update frida from 15.1.24 to 15.1.27

* Update quark-engine from 22.5.1 to 22.6.1 (MobSF#1989)

* Scheduled weekly dependency update for week 28 (MobSF#1993)

* Update frida from 15.1.27 to 15.1.28

* Update tldextract from 3.3.0 to 3.3.1

* HOTFIX: libsast, iOS Rule, M1 Mac support

Co-authored-by: Ajin Abraham <ajin25@gmail.com>
Co-authored-by: superpoussin22 <vincent.nadal@orange.fr>
Co-authored-by: pyup.io bot <github-bot@pyup.io>
Co-authored-by: Matej Soroka <hi@matejsoroka.com>
Co-authored-by: N1neSun <917549681@qq.com>
Co-authored-by: Ajin.Abraham <ajin.abraham@chime.com>
Co-authored-by: Dapo Adedire <adedireadedapo19@gmail.com>
Co-authored-by: Atarii <atarii@users.noreply.github.com>
Co-authored-by: Han0nly <byxiaohanzhang@foxmail.com>

.github/ISSUE_TEMPLATE/bug_report.md

@@ -26,7 +26,7 @@ MobSF Version:
 ```
 What happens, under which versions, under what conditions, when, and what were you expecting instead.
 ```
-<!-- If you see errors while running setup/run scripts, join MobSF Slack channel: http://tiny.cc/mobsf to get limited support. -->
+<!-- If you see errors while running setup/run scripts, join MobSF Slack channel: https://bit.ly/3mCMNOx to get limited support. -->
 
 ## STEPS TO REPRODUCE THE ISSUE
 
@@ -47,7 +47,7 @@ Paste the contents of ~/.MobSF/debug.log here or attach the log file.
 BEFORE POSTING YOUR ISSUE/BUG
 - These comments won't show up when you submit the issue.
 - GitHub issues ARE NOT FOR FEATURE REQUESTS, SUPPORT, DISCUSSIONS AND QUESTIONS! 
-- If you have questions, use our slack channel. Join MobSF Slack channel: http://tiny.cc/mobsf
+- If you have questions, use our slack channel. Join MobSF Slack channel: https://bit.ly/3mCMNOx
 - Reproduce issue in the latest master and try to add as much detail as possible.
 - Search this repository (top of the page) for the issue and it has not been fixed or reported already.
 - Once you open a bug, you should also provide additional information if requested. 

.github/workflows/mobsf-test.yml

@@ -12,7 +12,11 @@ jobs:
       fail-fast: false
       matrix:
         os: [ubuntu-20.04]
-        python-version: [3.9]
+        python-version: ['3.10']
+        # exclude:
+          # excludes py38, py39 on Windows
+          # - os: windows-latest
+          #   python-version: 3.8
 
     runs-on: ${{ matrix.os }}
     steps:

README.md

@@ -1,5 +1,6 @@
 # Mobile Security Framework (MobSF)
 Version: v3.5 beta
+
 ![](https://cloud.githubusercontent.com/assets/4301109/20019521/cc61f7fc-a2f2-11e6-95f3-407030d9fdde.png)
 
 Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. MobSF supports mobile app binaries (APK, XAPK, IPA & APPX) along with zipped source code and provides REST APIs for seamless integration with your CI/CD or DevSecOps pipeline.The Dynamic Analyzer helps you to perform runtime security assessment and interactive instrumented testing.
@@ -38,6 +39,7 @@ If you liked MobSF and find it useful, please consider donating.
 [![See MobSF Documentation](https://user-images.githubusercontent.com/4301109/70686099-3855f780-1c79-11ea-8141-899e39459da2.png)](https://mobsf.github.io/docs)
 [![See MobSF Documentation in Chinese](https://user-images.githubusercontent.com/4301109/117404947-b09d0880-aebf-11eb-9db8-3d7360f47914.png)](https://mobsf.github.io/docs/#/zh-cn/)
 [![See MobSF Documentation in Japanese](https://user-images.githubusercontent.com/4301109/148662149-7ee671b4-66a2-4232-9522-276b8e88d924.png)](https://mobsf.github.io/docs/#/ja-jp/)
+[![See MobSF Documentation in Español](https://user-images.githubusercontent.com/4301109/173221657-ac1f7221-6ae9-44d8-bf6b-8732d84bf120.png)](https://mobsf.github.io/docs/#/es/)
 
 * Try MobSF Static Analyzer Online: [mobsf.live](https://mobsf.live)
 * MobSF in CI/CD: [mobsfscan](https://github.com/MobSF/mobsfscan)
@@ -66,6 +68,14 @@ If you liked MobSF and find it useful, please consider donating.
 * For Project updates and announcements, follow [@ajinabraham](https://twitter.com/ajinabraham) or [@OpenSecurity_IN](https://twitter.com/OpenSecurity_IN).
 * Github Issues are only for tracking bugs and feature requests. Do not post support or help queries there. We have a slack channel for that.
 
+### Launching MobSF Rewards
+
+Contributed to MobSF? Here is a big thank you from our community to you. Claim your badge, a soulbound NFT and showcase them with pride. Let us inspire more folks !
+
+![MobSF Badges](https://aviyel.com/assets/uploads/rewards/share/project/7/512/share.png)
+
+[Claim Now!](https://aviyel.com/projects/7/mobile-security-framework/rewards)
+
 
 ### Static Analysis - Android
 

mobsf/MobSF/settings.py

@@ -68,6 +68,7 @@
     '.zip': 'application/zip',
     '.tar': 'application/x-tar',
     '.apk': 'application/octet-stream',
+    '.ipa': 'application/octet-stream',
 }
 # =============ALLOWED MIMETYPES=================
 APK_MIME = [
@@ -108,9 +109,8 @@
 EXODUS_URL = 'https://reports.exodus-privacy.eu.org'
 APPMONSTA_URL = 'https://api.appmonsta.com/v1/stores/android/details/'
 ITUNES_URL = 'https://itunes.apple.com/lookup'
-GITHUB_URL = ('https://raw.githubusercontent.com/'
-              'MobSF/Mobile-Security-Framework-MobSF/'
-              'master/mobsf/MobSF/init.py')
+GITHUB_URL = ('https://github.com/MobSF/Mobile-Security-Framework-MobSF/'
+              'releases/latest')
 FRIDA_SERVER = 'https://api.github.com/repos/frida/frida/releases/tags/'
 GOOGLE = 'https://www.google.com'
 BAIDU = 'https://www.baidu.com/'

mobsf/MobSF/utils.py

@@ -95,9 +95,9 @@ def print_version():
         print('REST API Key: ' + Color.BOLD + api_key() + Color.END)
     logger.info('OS: %s', platform.system())
     logger.info('Platform: %s', platform.platform())
-    dist = distro.linux_distribution(full_distribution_name=False)
-    if dist:
-        logger.info('Dist: %s', ' '.join(dist))
+    dist = ' '.join(distro.linux_distribution(full_distribution_name=False))
+    if dist.strip():
+        logger.info('Dist: %s', dist)
     logger.info('File storage: %s', settings.MobSF_HOME)
     logger.info('Administrators: %s', settings.ADMIN_USERS)
     find_java_binary()
@@ -117,15 +117,10 @@ def check_update():
             proxies, verify = upstream_proxy('https')
         except Exception:
             logger.exception('Setting upstream proxy')
-        response = requests.get(github_url, timeout=5,
-                                proxies=proxies, verify=verify)
-        html = str(response.text).split('\n')
         local_version = settings.VERSION
-        remote_version = None
-        for line in html:
-            if line.startswith('VERSION'):
-                remote_version = line.split('\'')[1]
-                break
+        response = requests.head(github_url, timeout=5,
+                                 proxies=proxies, verify=verify)
+        remote_version = response.next.path_url.split('v')[1]
         if remote_version:
             sem_loc = StrictVersion(local_version)
             sem_rem = StrictVersion(remote_version)

mobsf/StaticAnalyzer/views/android/binary_analysis.py

@@ -61,40 +61,6 @@ def checksec(self):
             'severity': severity,
             'description': desc,
         }
-        relro = self.relro()
-        if relro == 'Full RELRO':
-            severity = 'info'
-            desc = (
-                'This shared object has full RELRO '
-                'enabled. RELRO ensures that the GOT cannot be '
-                'overwritten in vulnerable ELF binaries. '
-                'In Full RELRO, the entire GOT (.got and '
-                '.got.plt both) is marked as read-only.')
-        elif relro == 'Partial RELRO':
-            severity = 'warning'
-            desc = (
-                'This shared object has partial RELRO '
-                'enabled. RELRO ensures that the GOT cannot be '
-                'overwritten in vulnerable ELF binaries. '
-                'In partial RELRO, the non-PLT part of the GOT '
-                'section is read only but .got.plt is still '
-                'writeable. Use the option -z,relro,-z,now to '
-                'enable full RELRO.')
-        else:
-            severity = 'high'
-            desc = (
-                'This shared object does not have RELRO '
-                'enabled. The entire GOT (.got and '
-                '.got.plt both) are writable. Without this compiler '
-                'flag, buffer overflows on a global variable can '
-                'overwrite GOT entries. Use the option '
-                '-z,relro,-z,now to enable full RELRO and only '
-                '-z,relro to enable partial RELRO.')
-        elf_dict['relocation_readonly'] = {
-            'relro': relro,
-            'severity': severity,
-            'description': desc,
-        }
         rpath = self.rpath()
         if rpath:
             severity = 'high'
@@ -189,21 +155,6 @@ def has_canary(self):
                 pass
         return False
 
-    def relro(self):
-        try:
-            gnu_relro = lief.ELF.SEGMENT_TYPES.GNU_RELRO
-            flags = lief.ELF.DYNAMIC_TAGS.FLAGS
-            bind_now = lief.ELF.DYNAMIC_FLAGS.BIND_NOW
-            if self.elf.get(gnu_relro):
-                eflags = self.elf.get(flags)
-                if eflags and bind_now in eflags:
-                    return 'Full RELRO'
-                else:
-                    return 'Partial RELRO'
-            return 'No RELRO'
-        except lief.not_found:
-            return 'No RELRO'
-
     def rpath(self):
         try:
             rpath = lief.ELF.DYNAMIC_TAGS.RPATH

mobsf/StaticAnalyzer/views/android/cert_analysis.py

@@ -158,8 +158,16 @@ def cert_info(app_dir, app_file):
                 desc += (
                     ' The manifest file indicates SHA256withRSA'
                     ' is in use.')
-            title = ('Certificate algorithm might be '
-                     'vulnerable to hash collision')
+                title = ('Certificate algorithm might be '
+                         'vulnerable to hash collision')
+            findings.append((status, desc, title))
+        if re.findall(r'Hash Algorithm: md5', cert_info):
+            status = 'high'
+            desc = (
+                'Application is signed with MD5. '
+                'MD5 hash algorithm is known to have '
+                'collision issues.')
+            title = 'Certificate algorithm vulnerable to hash collision'
             findings.append((status, desc, title))
         cert_dic = {
             'certificate_info': cert_info,

mobsf/StaticAnalyzer/views/android/generate_downloads.py

@@ -41,8 +41,8 @@ def run(request):
             dwd_dir = os.path.join(settings.DWD_DIR, file_name)
             shutil.make_archive(dwd_dir, 'zip', directory)
             file_name = file_name + '.zip'
-        elif file_type == 'apk':
-            file_name = md5 + '.apk'
+        elif file_type in ('apk', 'ipa'):
+            file_name = f'{md5}.{file_type}'
             src = os.path.join(app_dir, file_name)
             dst = os.path.join(settings.DWD_DIR, file_name)
             shutil.copy2(src, dst)

mobsf/StaticAnalyzer/views/ios/rules/objective_c_rules.yaml

@@ -114,7 +114,7 @@
     The App may contain banned API(s). These API(s) are insecure and must not be
     used.
   input_case: exact
-  pattern: 'strcpy\(|memcpy\(|strcat\(|strncat\(|strncpy\(|sprintf\(|vsprintf\(|gets\('
+  pattern: '\s+(strcpy\(|memcpy\(|strcat\(|strncat\(|strncpy\(|sprintf\(|sprintf\(|gets\()'
   severity: high
   type: Regex
   metadata:

mobsf/templates/pdf/android_report.html

@@ -581,7 +581,6 @@ <h2><i class="fa fa-flag"></i> SHARED LIBRARY BINARY ANALYSIS</h2>
                         <th>SHARED OBJECT</th>
                         <th>NX</th>
                         <th>STACK CANARY</th>
-                        <th>RELRO</th>
                         <th>RPATH</th>
                         <th>RUNPATH</th>
                         <th>FORTIFY</th>
@@ -604,10 +603,6 @@ <h2><i class="fa fa-flag"></i> SHARED LIBRARY BINARY ANALYSIS</h2>
                             <br/>
                             <span class="{% if so.stack_canary.severity == 'high' %}danger{% elif so.stack_canary.severity == 'warning' %}warning{% else %}info{% endif %}">{{so.stack_canary.severity}}</span>
                             <br/>{{so.stack_canary.description}}</td>
-                        <td style="vertical-align: top;"><b>{{so.relocation_readonly.relro}}</b>
-                          <br/>
-                          <span class="{% if so.relocation_readonly.severity == 'high' %}danger{% elif so.relocation_readonly.severity == 'warning' %}warning{% else %}info{% endif %}">{{so.relocation_readonly.severity}}</span>
-                          <br/>{{so.relocation_readonly.description}}</td>
                         <td style="vertical-align: top;"><b>{{so.rpath.rpath}}</b>
                           <br/>
                           <span class="{% if so.rpath.severity == 'high' %}danger{% elif so.rpath.severity == 'warning' %}warning{% else %}info{% endif %}">{{so.rpath.severity}}</span>

mobsf/templates/static_analysis/android_binary_analysis.html

@@ -1099,7 +1099,6 @@ <h3>{{ providers | length }}</h3>
                           <th>SHARED OBJECT</th>
                           <th>NX</th>
                           <th>STACK CANARY</th>
-                          <th>RELRO</th>
                           <th>RPATH</th>
                           <th>RUNPATH</th>
                           <th>FORTIFY</th>
@@ -1122,10 +1121,6 @@ <h3>{{ providers | length }}</h3>
                   <br/>
                   <span class="badge bg-{% if so.stack_canary.severity == 'high' %}danger{% elif so.stack_canary.severity == 'warning' %}warning{% else %}info{% endif %}">{{so.stack_canary.severity}}</span>
                   <br/>{{so.stack_canary.description}}</td>
-              <td><b>{{so.relocation_readonly.relro}}</b>
-                <br/>
-                <span class="badge bg-{% if so.relocation_readonly.severity == 'high' %}danger{% elif so.relocation_readonly.severity == 'warning' %}warning{% else %}info{% endif %}">{{so.relocation_readonly.severity}}</span>
-                <br/>{{so.relocation_readonly.description}}</td>
               <td><b>{{so.rpath.rpath}}</b>
                 <br/>
                 <span class="badge bg-{% if so.rpath.severity == 'high' %}danger{% elif so.rpath.severity == 'warning' %}warning{% else %}info{% endif %}">{{so.rpath.severity}}</span>

mobsf/templates/static_analysis/ios_binary_analysis.html

@@ -388,7 +388,8 @@ <h5 class="card-title"></h5>
 <section class="content">
       <div class="container-fluid">
         <div class="row">
-            <div class="col-lg-12">
+
+          <div class="col-lg-4">
             <div class="card">
               <div class="card-body">
                 <p>
@@ -400,10 +401,25 @@ <h5 class="card-title"></h5>
                  <a role="button" class="btn btn-primary" data-target="#mstrings" data-toggle="modal" href="#"><i class="fas fa-font"></i> View Strings</a>
                  <a target="_blank" href="../view_file_ios/?file=classdump.txt&amp;md5={{ md5 }}&amp;type=ios" class="btn btn-warning" role="button"><i class="fa fa-code"></i> View Class Dump</a>
                 </p>
-
               </div>
             </div><!-- /.card -->
             </div>
+            <div class="col-lg-8">
+              <div class="card">
+                <div class="card-body">
+                    <p>
+                    <strong><i class="fas fa-file-code"></i> DECOMPILED ASSETS</strong>
+                  </p>
+                  <p>
+                    <a role="button" class="btn btn-primary" data-target="#mplist" data-toggle="modal" href="#"><i class="fa fa-list"></i> View Info.plist</a>
+                    <a role="button" class="btn btn-primary" data-target="#mstrings" data-toggle="modal" href="#"><i class="fas fa-font"></i> View Strings</a>
+                    <a target="_blank" href="../view_file_ios/?file=classdump.txt&amp;md5={{ md5 }}&amp;type=ios" class="btn btn-warning" role="button"><i class="fa fa-code"></i> View Class Dump</a>
+                    <a href="../generate_downloads/?hash={{ md5 }}&amp;file_type=ipa" class="btn btn-warning"> <i class="fa fa-download"></i> Download IPA</a>
+                 </p>
+                </div>
+              </div>
+            </div>
+
             <!-- end row -->
             </div>
         </div>

requirements.txt

@@ -14,22 +14,22 @@ shelljob>=0.6.2
 asn1crypto>=1.4.0
 oscrypto>=1.2.1
 distro>=1.5.0
-IP2Location==8.7.3
+IP2Location==8.8.0
 lief>=0.12.1
 http-tools>=2.1.0
-libsast>=1.5.0
+libsast>=1.5.1
 pdfkit>=0.6.1
 google-play-scraper>=0.1.2
 androguard==3.4.0a1
 apkid==2.1.3
-quark-engine==22.4.1
-frida==15.1.17
-tldextract==3.2.1
+quark-engine==22.6.1
+frida==15.1.28
+tldextract==3.3.1
 # For semgrep & mitmproxy
 ruamel.yaml==0.16.13 # pyup: ignore
 click==8.0.1 # pyup: ignore
 decorator==4.4.2 # pyup: ignore
 # For Cyberspect
 boto3>=1.21.0
 PyJWT>=2.3.0
-siphash>=0.0.1
+siphash>=0.0.1

setup.bat

@@ -37,7 +37,7 @@ where python >nul 2>&1 && (
     echo [INSTALL] Found OpenSSL executable
   ) else (
    echo [ERROR] OpenSSL executable not found in [C:\\Program Files\\OpenSSL-Win64\\bin\\openssl.exe]
-   echo [INFO] Install OpenSSL non-light version - https://slproweb.com/download/Win64OpenSSL-3_0_0.exe
+   echo [INFO] Install OpenSSL non-light version [Win64 OpenSSL v3.x] - https://slproweb.com/products/Win32OpenSSL.html
    pause
    exit /b
   )