APKS incomplete analysis, misses info about native libs

[tosiara]

ENVIRONMENT

OS and Version: official docker image, opensecurity/mobile-security-framework-mobsf:latest
MobSF Version: v4.0.3

EXPLANATION OF THE ISSUE

Performed analysis of an .apks file, the report was missing info about native libs and strings were not extracted from them. App contents:

sample.apks:

base.apk
split_config.arm64_v8a.apk
split_config.en.apk
split_config.xxhdpi.apk

split_config.arm64_v8a.apk:

lib/arm64-v8a/libapp.so
lib/arm64-v8a/libflutter.so

STEPS TO REPRODUCE THE ISSUE

1. Analyzed sample.apks file
2. Opened static analysis report
3. Flutter native lib is not mentioned anywhere, strings not extracted from it

LOG FILE

[INFO] 21/Dec/2024 20:13:37 - Extracting Manifest Data
[INFO] 21/Dec/2024 20:13:37 - Performing Static Analysis on: XXX (xxx)
[INFO] 21/Dec/2024 20:13:37 - Fetching Details from Play Store: xxx
[INFO] 21/Dec/2024 20:13:38 - Manifest Analysis Started
[INFO] 21/Dec/2024 20:13:38 - App Link Assetlinks Check - [xxx.MainActivity] https://xxxx
[INFO] 21/Dec/2024 20:13:39 - Checking for Malware Permissions
[INFO] 21/Dec/2024 20:13:39 - Fetching icon path
[INFO] 21/Dec/2024 20:13:39 - Library Binary Analysis Started
[INFO] 21/Dec/2024 20:13:39 - Reading Code Signing Certificate
[INFO] 21/Dec/2024 20:13:39 - Getting Signature Versions
[INFO] 21/Dec/2024 20:13:39 - Running APKiD 2.1.5
[INFO] 21/Dec/2024 20:13:42 - Trackers Database is up-to-date
[INFO] 21/Dec/2024 20:13:42 - Detecting Trackers
[INFO] 21/Dec/2024 20:13:44 - APK -> JAVA
[INFO] 21/Dec/2024 20:13:44 - Decompiling to Java with jadx
[INFO] 21/Dec/2024 20:14:01 - DEX -> SMALI
[INFO] 21/Dec/2024 20:14:01 - Converting classes.dex to Smali Code
[INFO] 21/Dec/2024 20:14:01 - Converting classes2.dex to Smali Code
[INFO] 21/Dec/2024 20:14:01 - Converting classes3.dex to Smali Code
[INFO] 21/Dec/2024 20:14:01 - Code Analysis Started on - java_source
[INFO] 21/Dec/2024 20:14:44 - Android SAST Completed
[INFO] 21/Dec/2024 20:14:44 - Android API Analysis Started
[INFO] 21/Dec/2024 20:15:29 - Android Permission Mapping Started
[INFO] 21/Dec/2024 20:15:45 - Android Permission Mapping Completed
[INFO] 21/Dec/2024 20:15:48 - Finished Code Analysis, Email and URL Extraction
[INFO] 21/Dec/2024 20:15:48 - Extracting Data from APK
[INFO] 21/Dec/2024 20:15:48 - Extracting Data from Source Code
[INFO] 21/Dec/2024 20:15:51 - Detecting Firebase URL(s)
[INFO] 21/Dec/2024 20:15:51 - Performing Malware Check on extracted Domains
[INFO] 21/Dec/2024 20:15:52 - Maltrail Database is up-to-date
[INFO] 21/Dec/2024 20:15:55 - Saving to Database

Expected results

Expected to see strings extracted from native library

I cannot share this private apks file, but I will try to build a sample flutter app and see if I can reproduce

[github-actions]

👋 @tosiara
Issues is only for reporting a bug/feature request. For limited support, questions, and discussions, please join MobSF Slack channel
Please include all the requested and relevant information when opening a bug report. Improper reports will be closed without any response.

[tosiara]

Thanks, bot, I believe this is a bug tho

[tosiara]

Here is a flutter sample app that you can use to reproduce: sample.apks.zip

[INFO] 22/Dec/2024 15:08:02 - MIME Type: application/octet-stream FILE: sample.apks
[INFO] 22/Dec/2024 15:08:02 - Performing Static Analysis of Android Split APK
[INFO] 22/Dec/2024 15:08:02 - Scan Hash: 15a6a8ecafc5d15871b56eed8877526e
[INFO] 22/Dec/2024 15:08:02 - Starting Analysis on: sample.apks
[INFO] 22/Dec/2024 15:08:02 - Unzipping
[INFO] 22/Dec/2024 15:08:03 - Generating Hashes
[INFO] 22/Dec/2024 15:08:03 - Unzipping
[INFO] 22/Dec/2024 15:08:03 - APK Extracted
[INFO] 22/Dec/2024 15:08:03 - Getting Hardcoded Certificates/Keystores
[INFO] 22/Dec/2024 15:08:03 - Getting AndroidManifest.xml from APK
[INFO] 22/Dec/2024 15:08:03 - Converting AXML to XML
[INFO] 22/Dec/2024 15:08:04 - Parsing AndroidManifest.xml
[INFO] 22/Dec/2024 15:08:04 - Parsing APK with androguard
[INFO] 22/Dec/2024 15:08:04 - Starting analysis on AndroidManifest.xml
[INFO] 22/Dec/2024 15:08:04 - Extracting Manifest Data
[INFO] 22/Dec/2024 15:08:04 - Performing Static Analysis on: Learn Flutter (com.magicforstudio.learnflutter)
[INFO] 22/Dec/2024 15:08:04 - Fetching Details from Play Store: com.magicforstudio.learnflutter
[INFO] 22/Dec/2024 15:08:05 - Manifest Analysis Started
[INFO] 22/Dec/2024 15:08:05 - Checking for Malware Permissions
[INFO] 22/Dec/2024 15:08:05 - Fetching icon path
[WARNING] 22/Dec/2024 15:08:05 - res1 must be zero!
[WARNING] 22/Dec/2024 15:08:05 - res1 must be zero!
[WARNING] 22/Dec/2024 15:08:05 - res1 must be zero!
[WARNING] 22/Dec/2024 15:08:05 - res1 must be zero!
[WARNING] 22/Dec/2024 15:08:05 - res1 must be zero!
[WARNING] 22/Dec/2024 15:08:05 - res1 must be zero!
[WARNING] 22/Dec/2024 15:08:05 - res1 must be zero!
[WARNING] 22/Dec/2024 15:08:05 - res1 must be zero!
[WARNING] 22/Dec/2024 15:08:05 - res1 must be zero!
[WARNING] 22/Dec/2024 15:08:05 - res1 must be zero!
[WARNING] 22/Dec/2024 15:08:05 - res1 must be zero!
[WARNING] 22/Dec/2024 15:08:05 - res1 must be zero!
[WARNING] 22/Dec/2024 15:08:05 - res1 must be zero!
[WARNING] 22/Dec/2024 15:08:05 - res1 must be zero!
[INFO] 22/Dec/2024 15:08:05 - Library Binary Analysis Started
[INFO] 22/Dec/2024 15:08:05 - Reading Code Signing Certificate
[INFO] 22/Dec/2024 15:08:05 - Getting Signature Versions
[INFO] 22/Dec/2024 15:08:05 - Running APKiD 2.1.5
[INFO] 22/Dec/2024 15:08:07 - Trackers Database is up-to-date
[INFO] 22/Dec/2024 15:08:07 - Detecting Trackers
[INFO] 22/Dec/2024 15:08:08 - APK -> JAVA
[INFO] 22/Dec/2024 15:08:08 - Decompiling to Java with jadx
[INFO] 22/Dec/2024 15:08:23 - DEX -> SMALI
[INFO] 22/Dec/2024 15:08:23 - Converting classes.dex to Smali Code
[INFO] 22/Dec/2024 15:08:23 - Code Analysis Started on - java_source
[INFO] 22/Dec/2024 15:08:31 - Android SAST Completed
[INFO] 22/Dec/2024 15:08:31 - Android API Analysis Started
[INFO] 22/Dec/2024 15:08:37 - Android Permission Mapping Started
[INFO] 22/Dec/2024 15:08:41 - Android Permission Mapping Completed
[INFO] 22/Dec/2024 15:08:41 - Finished Code Analysis, Email and URL Extraction
[INFO] 22/Dec/2024 15:08:41 - Extracting Data from APK
[INFO] 22/Dec/2024 15:08:41 - Extracting Data from Source Code
[INFO] 22/Dec/2024 15:08:42 - Detecting Firebase URL(s)
[INFO] 22/Dec/2024 15:08:42 - Performing Malware Check on extracted Domains
[INFO] 22/Dec/2024 15:08:43 - Maltrail Database is up-to-date
[INFO] 22/Dec/2024 15:08:43 - Saving to Database

[ajinabraham]

Thanks for the report, I will take a look at this and get back.