Description
OS and Version: macOS, running under Docker
Python Version: 3.13.7
MobSF Version: 4.4
EXPLANATION OF THE ISSUE
In my APK I get a red entry for:
The file or SharedPreference is World Writable. Any App can write to the file
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#testing-local-storage-for-sensitive-data-mstg-storage-1-and-mstg-storage-2
Files:
com/huawei/agconnect/datastore/core/AndroidSharedPrefUtil.java, line(s) 224
ru/cbdc/....java, line(s) 431
ru/cbdc/....java, line(s) 348
com/huawei/agconnect/datastore/core/AndroidSharedPrefUtil.java, line(s) 224:

```java
private static Object getObject(SharedPreferences var0, String var1, ICrypto var2, Object var3, Class<?> var4) {
    Object var5 = var3;
    if (!Parcelable.class.isAssignableFrom(var4)) {
        Log.e("AndroidSharedPrefUtil", "Only Support Parcelable Object");
        return var3;
    } else {
        try {
            String var6 = getString(var0, var1, var2, (Object)null);
            Parcelable.Creator var7 = (Parcelable.Creator)var4.getField("CREATOR").get((Object)null);
            var5 = ParcelableSerializer.deserializeFromString(var6, var7);
        } catch (NoSuchFieldException var8) {
            Log.e("AndroidSharedPrefUtil", "NoSuchFieldException:" + var4);
        } catch (IllegalAccessException var9) {
            Log.e("AndroidSharedPrefUtil", "IllegalAccessException:" + var4); // line 224
        }
        return var5;
    }
}

public static synchronized Object get(String var0, String var1, Class var2, Object var3, Class var4) {
    ICrypto var5 = CryptoUtil.getHelper(var4);
    SharedPreferences var6 = context.getSharedPreferences(var0, 0);
    if (var6 == null) {
        Log.e("AndroidSharedPrefUtil", "sp is null");
        return var3;
    } else {
        try {
            Object var7;
            if (Integer.class.equals(var2)) {
                var7 = getInt(var6, var1, var5, var3);
            } else if (Long.class.equals(var2)) {
                var7 = getLong(var6, var1, var5, var3);
            } else if (Float.class.equals(var2)) {
                var7 = getFloat(var6, var1, var5, var3);
            } else if (Boolean.class.equals(var2)) {
                var7 = getBoolean(var6, var1, var5, var3);
            } else if (String.class.equals(var2)) {
                var7 = getString(var6, var1, var5, var3);
            } else {
                var7 = getObject(var6, var1, var5, var3, var2); // line 135
            }
```
Line 224 is not a serious vulnerability. The security scanner believes that the SharedPreferences object var0, which is present in the getObject method, was created somewhere in the code with the unsafe MODE_WORLD_WRITEABLE permissions. However, this method is called in this file on line 135, where the var0 parameter of the getObject(...) method comes from context.getSharedPreferences(var0, 0), which is equivalent to context.getSharedPreferences(var0, Context.MODE_PRIVATE).
ru/cbdc/....java, line(s) 431:

```java
if (xr10.E.B != null && xr10.d().getSharedPreferences(str3, 0).getInt("fingerprint_version", 0) == 2) {
```

ru/cbdc/....java, line(s) 348:

```java
return new ido(str, context.getSharedPreferences(str, 0), (ai2) a3.a(ai2.class), (qtl) a2.a(qtl.class));
```
This is the bug described in #2414. The regexp was corrected to `.getSharedPreferences(.{0,50}?2)`, but it did not help.
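To make the false positive concrete, here is an added example (my own code, not MobSF's rule or its scanner) that runs the regexp quoted above, compiled as Python's `re` reads it, against the three `getSharedPreferences(..., 0)` lines from this report plus some constructed lines, and beside it a small argument-aware check that parses the call's second argument and only flags a mode with the `MODE_WORLD_WRITEABLE` bit (value 2) set. The sample source, the `find_world_writable_prefs` checker and its helpers are constructed for this illustration; the only page-derived parts are the regexp and the three quoted call sites. Why line 224 of AndroidSharedPrefUtil.java is flagged is not visible from the lines quoted here, so the example only models the two call-site lines.

```python
import re

# The pattern quoted in the issue, compiled exactly as Python's re reads it: the unescaped
# parentheses form a capture group, so it matches ".getSharedPreferences" followed by up to
# 50 characters and then a "2" anywhere on the line, not a mode argument equal to 2.
ISSUE_PATTERN = re.compile(r".getSharedPreferences(.{0,50}?2)")

# Call sites to inspect; the "(" that ends the match is where argument parsing starts.
CALL = re.compile(r"\.getSharedPreferences\s*\(")


def issue_pattern_hits(src: str) -> list[int]:
    """Line numbers the issue's regexp flags when applied line by line."""
    return [n for n, line in enumerate(src.splitlines(), 1) if ISSUE_PATTERN.search(line)]


def _call_args(src: str, open_idx: int):
    """Split the arguments of the call whose '(' is at open_idx on top-level commas.

    Tracks nested parentheses and skips string literals, so a ')' or ',' inside a
    nested call or a string does not end an argument. Returns None if unterminated."""
    depth, in_str = 0, None
    args, cur = [], []
    i = open_idx
    while i < len(src):
        ch = src[i]
        if in_str:
            cur.append(ch)
            if ch == "\\":               # keep an escaped quote inside the literal
                i += 1
                if i < len(src):
                    cur.append(src[i])
            elif ch == in_str:
                in_str = None
        elif ch in "\"'":
            in_str = ch
            cur.append(ch)
        elif ch == "(":
            depth += 1
            if depth > 1:
                cur.append(ch)
        elif ch == ")":
            depth -= 1
            if depth == 0:
                args.append("".join(cur).strip())
                return args
            cur.append(ch)
        elif ch == "," and depth == 1:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    return None


def _mode_is_world_writable(arg: str) -> bool:
    """True when the mode argument has the MODE_WORLD_WRITEABLE bit (value 2) set."""
    arg = arg.strip()
    if re.fullmatch(r"0[xX][0-9a-fA-F]+|\d+", arg):
        value = int(arg, 16) if arg.lower().startswith("0x") else int(arg)
        return value & 2 != 0
    return "MODE_WORLD_WRITEABLE" in arg


def find_world_writable_prefs(src: str) -> list[tuple[int, str]]:
    """(line, mode argument) for each getSharedPreferences call opened world-writable."""
    hits = []
    for m in CALL.finditer(src):
        args = _call_args(src, m.end() - 1)
        if args and len(args) == 2 and _mode_is_world_writable(args[1]):
            hits.append((src.count("\n", 0, m.start()) + 1, args[1]))
    return hits


# Constructed sample: lines 1-3 are the three getSharedPreferences lines quoted in the issue
# (all mode 0 == MODE_PRIVATE); lines 4-5 are made-up true positives; line 6 is a benign
# call whose string argument contains a comma and a parenthesis.
SAMPLE = """\
SharedPreferences var6 = context.getSharedPreferences(var0, 0);
if (xr10.E.B != null && xr10.d().getSharedPreferences(str3, 0).getInt("fingerprint_version", 0) == 2) {
return new ido(str, context.getSharedPreferences(str, 0), (ai2) a3.a(ai2.class), (qtl) a2.a(qtl.class));
SharedPreferences bad1 = ctx.getSharedPreferences("tokens", 2);
SharedPreferences bad2 = ctx.getSharedPreferences(name(), Context.MODE_WORLD_READABLE | Context.MODE_WORLD_WRITEABLE);
SharedPreferences ok = ctx.getSharedPreferences("a,b)", Context.MODE_PRIVATE);
"""

if __name__ == "__main__":
    print("issue regexp flags lines:", issue_pattern_hits(SAMPLE))        # [2, 3, 4]
    print("argument-aware check flags:", find_world_writable_prefs(SAMPLE))
```

Running it shows the quoted regexp flagging lines 2 and 3 (the `== 2` comparison and the `ai2` cast both supply the trailing `2`) while missing line 5, which uses the named constant and is genuinely world-writable; the argument-aware check flags only lines 4 and 5. The general point for a rule of this kind is to anchor on the mode argument itself rather than on a digit appearing within a character window.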