Save only unique intent priorities in findings #2474
Merged
ajinabraham merged 5 commits into MobSF:master (source branch not shown) on Dec 18, 2024
Conversation

Member: Thanks for the PR, I will review this when I get some time.
J1-MI pushed a commit to J1-MI/OMT_Semi_project2_MobSF that referenced this pull request on Sep 9, 2025:

* Save only unique intent priorities in findings
* Save only unique intent priorities in findings
* Save only unique intent priorities in findings
* Save only unique intent priorities in findings
---------
Co-authored-by: Dmitry Maryushkin <dmmaryushkin@ozon.ru>
Co-authored-by: Ajin Abraham <ajin25@gmail.com>
crickard-sl pushed a commit to cyberspect/Mobile-Security-Framework-MobSF that referenced this pull request on Dec 15, 2025:

* Save only unique intent priorities in findings
* Save only unique intent priorities in findings
* Save only unique intent priorities in findings
* Save only unique intent priorities in findings
---------
Co-authored-by: Dmitry Maryushkin <dmmaryushkin@ozon.ru>
Co-authored-by: Ajin Abraham <ajin25@gmail.com>
crickard-sl added a commit to cyberspect/Mobile-Security-Framework-MobSF that referenced this pull request on Jan 5, 2026:
* HOTFIX: EFR01 Enterprise feature request (MobSF#1908) * Replace Warning with Medium and added Hotspot * Add file analysis to hotspot * Enterprise Feature Request Flag * EFR01 changes * version bump * update quark & frida (MobSF#1903) Co-authored-by: Ajin Abraham <ajin25@gmail.com> * Update tldextract from 3.1.2 to 3.2.0 (MobSF#1910) * upgrade apktool to 2.6.1 (MobSF#1915) * Hotfix: Update slack link * Hotfix: update slack link * Hotfix: Slack link * Hotfix:Slack link * Hotfix:Slack link * Introduce jadx decompilation timeout with env var (MobSF#1916) * Introduce jadx decompilation timeout with env var - exception for timeout - replace subprocess.call for run Co-authored-by: Ajin Abraham <ajin25@gmail.com> * Update ip2location from 8.6.4 to 8.7.2 (MobSF#1926) Co-authored-by: Ajin Abraham <ajin25@gmail.com> * Scheduled weekly dependency update for week 13 (MobSF#1931) * Update quark-engine from 22.2.1 to 22.3.1 * update lief Co-authored-by: Ajin Abraham <ajin25@gmail.com> * update apkid (MobSF#1939) * Fix dynamic report_json api bug (MobSF#1934) Co-authored-by: Ajin Abraham <ajin25@gmail.com> * Hotfix: LIEF * Update README.md (MobSF#1951) * update jadx to 1.3.4 (MobSF#1941) * update jadx to 1.3.4 * update lief * update jadx and requirements * Scheduled weekly dependency update for week 22 (MobSF#1972) * Update ip2location from 8.7.3 to 8.7.4 * Update quark-engine from 22.4.1 to 22.5.1 * Update frida from 15.1.17 to 15.1.23 * Update tldextract from 3.2.1 to 3.3.0 * Check for updates via GitHub releases (MobSF#1957) * Check the GitHub releases page for latest version number * Update utils.py Only log distro if not empty (or spaces) Co-authored-by: Ajin Abraham <ajin25@gmail.com> * Update cert_analysis.py (MobSF#1948) * Update cert_analysis.py Flag on MD5 hash algorithm in signer certificate * Update cert_analysis.py Co-authored-by: Ajin Abraham <ajin25@gmail.com> * HOTFIX: Update Readme with Rewards Banner * Update frida from 15.1.23 to 15.1.24 (MobSF#1975) 
Co-authored-by: Ajin Abraham <ajin25@gmail.com> * HOTFIX: openSSL link and readme update * Hotfix: Broken slack channel link fix * Hotfix: Windows setup script * Feature Parity Allow iOS IPA download (MobSF#1977) * Allow iOS IPA download * Code QA * Add the checking of the parent element of the permission-related elements to manifest analysis (MobSF#1905) * Add the checking of the parent element of the permission-related elements to manifest analysis Co-authored-by: Ajin Abraham <ajin25@gmail.com> * Remove RELRO (MobSF#1978) * Revert "Add the checking of the parent element of the permission-related elements to manifest analysis (MobSF#1905)" (MobSF#1984) HOTFIX: Revert MobSF#1905 * Scheduled weekly dependency update for week 26 (MobSF#1986) * Update ip2location from 8.7.4 to 8.8.0 * Update frida from 15.1.24 to 15.1.27 * Update quark-engine from 22.5.1 to 22.6.1 (MobSF#1989) * Scheduled weekly dependency update for week 28 (MobSF#1993) * Update frida from 15.1.27 to 15.1.28 * Update tldextract from 3.3.0 to 3.3.1 * HOTFIX: libsast, iOS Rule, M1 Mac support * Hotfix MobSF#1999 * Update frida from 15.1.28 to 15.2.2 (MobSF#2002) * Update README.md (MobSF#2020) add Badge App * Fix bug MobSF#1917 where checking for stripped debugging symbols produces false positives in iOS. 
(MobSF#2023) Co-authored-by: Toor <toor@DES-macOS-pentest.local> Co-authored-by: Ajin Abraham <ajin25@gmail.com> * Update ip2location from 8.8.0 to 8.8.1 (MobSF#2035) Co-authored-by: Ajin Abraham <ajin25@gmail.com> * update apkid to 2.1.4 (MobSF#2037) * Adding tarfile member sanitization to extractall() (MobSF#2039) Co-authored-by: TrellixVulnTeam <kasimir.schulz@trellix.com> Co-authored-by: Ajin Abraham <ajin25@gmail.com> * fix res directory not exist (MobSF#2042) Fix the problem that the res resource folder does not exist, the solution is to copy from the apktool_out directory * [EFR-02]Enterprise Feature Request - False Positive Triaging (MobSF#2000) * Suppression logic * Android code analysis suppression * Fixes MobSF#1981 * iOS source support bundle id extraction * iOS Source Code - Suppression support * Remove check in CFBundleURLName * iOS Binary code analysis suppression support * Add Code QL * Suppression support for Manifest analysis * Fixes MobSF#2014 * REST API + Docs * Address review comments * update suppression wordings * Fixes MobSF#2043 * Icon analysis code QA * Unit Test for False Positive Triaging * Adding numeric_owner as a keyword argument (MobSF#2050) numeric_owner needs to be a keyword argument. 
* Scheduled weekly dependency update for week 41 (MobSF#2046) * Update quark-engine from 22.6.1 to 22.9.1 * Update frida from 15.2.2 to 16.0.1 * Update tldextract from 3.3.1 to 3.4.0 * Update openstep-parser from 1.5.3 to 1.5.4 Co-authored-by: Ajin Abraham <ajin25@gmail.com> * HOTFIX: revert frida to 15.X * HOTFIX: UI changes and warning on mobsf.live (MobSF#2051) * UI changes and warning on mobsf.live * Update home.html * HOTFIX: Split certificate analysis out, suppression list fixes (MobSF#2052) * Hotfix: ui on donate page * Hotfix: Homescreen Navbar * Hotfix: UI icon * hotfix for quyark rules location (MobSF#2053) * HOTFIX: jadx update to 1.4.5 (MobSF#2064) * jadx update to 1.4.5 * MobSF version bump * Fixes CVE-2022-42889 in third party dependency * Installation script error: Solving spelling error (MobSF#2067) changed "installtion" to "installation" * Android APK support extracting icon SVG from XML (MobSF#2060) * Added support for SVG icon extraction * Add jar binaries * code refactoring * Update settings.py * HOTFIX: Setup improvement (MobSF#2078) * Improve setup scripts. * Python support to 3.8 - 3.10 * Delete MobSF data directory on running setup. * Bump applicable dependencies. 
* Apktool 2.7.0 update (MobSF#2082) * Update apktool to version 2.7.0 * HOTFIX: Icon should be a file * version bump * New Android Manifest Rule: App support vulnerable android versions (MobSF#2114) * add a new rule: dangerous os version * qa * lint checks * run lint test on one os * Support for filenames containing & (MobSF#2129) Co-authored-by: none <none@none.com> * HOTFIX: Fix docker build (MobSF#2135) * Fix Scorecard Severity Distribution chart data (MobSF#2140) * HOTIX: Update Dockerfile to install jq (MobSF#2149) * Update Dockerfile * Update tox.ini * [HOTFIX] Add support for environment variable for MobSF config (MobSF#2150) * add support for environment variable config * Fixes MobSF#2109 * update lief * HOTFIX: Fixes MobSF#2144 * HOTFIX: Android min SDK check on janus vulnerability detection (MobSF#2159) * Android min SDK check on janus check * Update README.md * [Enterprise Feature Request EFR02] Support summary of severity in each section. (MobSF#2160) * Summary for Android and iOS SCA * [EFR05] Enterprise Feature Request: AAR and JAR support (MobSF#2163) * AAR and JAR support * Enable binary analysis for aar/jar * Scheduled weekly dependency update for week 24 (MobSF#2187) * Update ip2location from 8.9.0 to 8.10.0 * Update quark-engine from 22.10.1 to 23.5.1 * Update LIEF from to 0.13.1 * Update tldextract from 3.4.0 to 3.4.4 * Update requirements.txt --------- Co-authored-by: Ajin Abraham <ajin25@gmail.com> * Update requirements.txt 0.13.1 not available. 
* HOTFIX: update lief * Revert Hotfix * HOTFIX: Feature updates and Bug Fixes (MobSF#2197) * OFAC, jquery bump, tox fix * AAR handle multiple application tags * HOTFIX: MobSF Android Dynamic Analysis Docker Support (MobSF#2214) * MobSF Android Docker Support * Pin pip version * Update mobsf-test.yml * Update setup.py * Hotfix: Docker error fixes * Hotfix: Add Corellium support message * Hotfix: Broken donate link fix * Update dynamic_analysis.html (MobSF#2218) * Hotfix: Handle Docker <-> ADB connectivity internally (MobSF#2219) * host.docker.internal transilation for localhost * Replace urlparse with re * version bump * update ascii art * update apktool to 2.8.1 (MobSF#2220) * update apktool (MobSF#2225) Co-authored-by: Ajin Abraham <ajin25@gmail.com> * HOTFIX: translate upstream proxy ip for docker * Dynamic Analysis support alert (MobSF#2227) * [HOTFIX] Regex + Rule Update (MobSF#2232) * IOS Swift Rules updates * Updated or added rules `ios_biometric_bool`, `ios_biometric_acl`, `ios_keychain_weak_acl_device_passcode`, `ios_keychain_weak_accessibility_value`, `ios_insecure_random_no_generator`, `ios_biometry_hardened` * Regex Hardening: Fixes possible Regex DoS in rules and MobSF code base * [HOTFIX][EFR06] Independent Shared Object (.so) Scan and Improved String search (MobSF#2228) * String extraction from APK, Source, AAR, JAR, SO * Strings sections to show source of strings extracted * Strings Refactor * Support for independent .SO scan * Android SCA rules update * Entropies scan support for strings * URLs/Email extraction refactor * Bug Fixes * iOS Source Report Fix * Frida APK Patcher (WIP) * Dynamic Analyzer identifier not available * Settings env var not working fix for enabled by default features * AppSec Score fix * Recent `scan not completed` fix for iOS zip * HOTFIX: Improve code string extraction * Update macho_analysis.py - SYMBOLS STRIPPED False Negative (MobSF#2234) * Update macho_analysis.py PR for this issue: MobSF#2233 * Update macho_analysis.py 
Co-authored-by: Ajin Abraham <ajin25@gmail.com> * HOTFIX: fix IPA download support * [HOTFIX][EFR-08] Dylib + Symbols + Other Features (MobSF#2239) * Dylib analysis support + PDF for iOS Binary * Dylib string extraction * Improved iOS Plist secret extraction * iOS/Android Form Validation QA * Independent Dylib scan * Symbols view for dylib and so * Trackers support for so * Fix missing exported components (MobSF#2176) Components which are exported and have no permission were not listed in the results because of a wrong template description key. Also added a warning if this happens again. Co-authored-by: Ajin Abraham <ajin25@gmail.com> * [HOTFIX][EFR09] AAR/JAR obfuscation and debug check + Exception Handed strings and symbols extraction (MobSF#2240) * AAR/JAR obfuscation and debug check * Exception handling symbols and strings from so/dylib * [HOTFIX][EFR10] Independent Static Library(.a) ELF/MachO Analysis + Graceful Analysis (MobSF#2242) * Independent Static Library(.a) ELF/MachO Analysis * Mac FAT binary only supported on Mac * Static and Dynamic Binary Analysis QA * Refactor Dex permissions * Fallback certificate analysis using apksigtool * Refactor Androguard `apk.APK()` usage * Pip to Poetry, Ubuntu Base image Bump, Dockerfile QA, Python 3.11 support (MobSF#2244) * Docker base image update * Docker file QA * Github Actions version update * Removed unwanted pinned repository * Pip to Poetry migration * Bump httptools * Jump yara-python-dex * Python 3.11 support * [HOTFIX] Docker Buildx test (MobSF#2247) * Docker image build test for PRs * [HOTFIX] bs4 malformed xml parsing + xml namespace detection (MobSF#2248) * Use BeautifulSoup4 to prettify malformed XML * Detect non standard XML namespace in AndroidManifest.xml (Fixes : MobSF#2198) * Updated android permissions list * Updated android permission update check script * [HOTFIX] Migrate from setup.py to poetry, tox QA (MobSF#2249) * Migrate from setup.py to use poetry build and publish * Tox QA * Version is 
now configured only at pyproject.toml * Added poetry build test * Updated mobsf PyPI publishing workflow * Update local DBs * Performance Improvements on SAST (MobSF#2251) * Performance improvements in SAST scans (Code Analysis, API Analysis, NIAP etc.) with libsast bump * Android API rule QA * Manifest analysis continuation on apktool failure * Linux setup script fix * Disable NIAP by default * [HOTFIX] add apksigner.jar for reading signatures (MobSF#2254) * Add `apksigner.jar` * Use apksigner to extract signature versions (v1, v2, v3, v4) * Fix: MobSF#2120 * [HOTFIX] add jar (MobSF#2255) * Add apksigner jar * [HOTFIX] Bump Frida to address crash on M1 Mac (MobSF#2258) * Update frida to 16.1.4 to resolve segmentation faults on Docker arm image --------- Co-authored-by: Mark Sowell <mark@marksowell.com> * [HOTFIX] simplify scan api (MobSF#2259) * Simplify Scan API * Need only scan hash to trigger a scan * Updated API Docs * [HOTFIX] iOS Framework Analysis + Multiple Feature QA (MobSF#2260) * iOS Framework Analysis * Static Analysis URL simplification * Replace hardcoded urls in template with `{% url %}` * Code QA * Remove unwanted template file * Remove `rescan` query param from url * Android icon SVG guessing improvements * Icon analysis refactoring, change icon storage location * Remove SVG to PNG converter. Support PNG and SVG icon. 
* Github docker release action update * [HOTFIX] Support webp for icon (MobSF#2267) * [HOTFIX] Fixed that the icon cannot be found (MobSF#2265) fixed that the icon cannot be found when the suffix name is uppercase * Allow jpeg icons (MobSF#2268) * [HOTFIX] Fix jadx and apktool failure due to JDK changes (MobSF#2269) * Fix jadx and apktool failure due to JDK zip64 changes * [HOTFIX][EFR] Priority Bug Fixes (MobSF#2275) * P1.1 AAR Permissions not properly listed * P1.2 Local variable table not listed in proper section * P1.3 static library strings are not listed * P1.5 Stripping of dynamic and static libraries are not correctly reported * Dependency bump * MobSF version bump * Hotfix: Bump deps * update apktool to 2.9.0 (MobSF#2278) Co-authored-by: Ajin Abraham <ajin25@gmail.com> * Build(deps): Bump django from 4.1.12 to 4.1.13 (MobSF#2282) Bumps [django](https://github.com/django/django) from 4.1.12 to 4.1.13. - [Commits](django/django@4.1.12...4.1.13) --- updated-dependencies: - dependency-name: django dependency-type: direct:production ... 
Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Hotfix: Support viewing kotlin files MobSF#2283 * iOS Dynamic Analysis with Corellium (MobSF#2194) * iOS Dynamic Analysis Support with Corellium Jailbroken iOS devices * Corellium API layer for complete device and project management * Frida instrumentation (attach, spawn and inject) over SSH local port forward * Shell access over SSH * MobSF httptools proxy integration over SSH remote port forward * Device File upload and download over SSH * Frida scripts for core defense bypass, monitoring, and tracing * Helper iOS Frida scripts for pentesting and malware analysis * Screen cast with touch, swipe and text input support from web UI * Dynamic Analysis device data dump and report Generation * Android Certificate analysis, replaced oscrypto with cryptography for public key parsing * Python minimum support is 3.10 * Bumped httptools to latest, fixes httptools repeat bug * Added unzip to docker to fix a bug * Relaxed bundleid regex * HOTFIX: Dynamic Analysis Improvements Android & iOS (MobSF#2295) iOS Screencast, better swipe Android Screencast to support touch, swipe and text input events Android Frida Logs update Android Improved Screencast Android Frida spawn, inject and attach support Added new Android Frida scripts Replaced Clipdump with Frida script for clipboard monitoring * Hotfix QA (MobSF#2297) * REST API update for android frida instrument * Code QA * [HOTFIX] More Android & iOS Frida Scripts (MobSF#2299) Improved existing frida scripts More Android & iOS frida Scripts Code QA * [HOTFIX] Android script loading, frida injected code view, paramiko SSH issues (MobSF#2300) * Android script loading bug fix * Frida injected code view * Paramiko SSH reactor to address some host key issues, revert from warning to autoadd. 
* Frida Injection refactoring * Enhancements to ARC and Stack Canary Checks in Mach-O Parsing (MobSF#2284) * Extend 'has_arc' check to include '_swift_release' Updated the has_arc method to detect the usage of ARC not only by the presence of the _objc_release symbol but also by the _swift_release symbol. This change broadens the scope of ARC detection to cover both Objective-C and Swift implementations. * Optimize has_canary function without using a set Refactored the has_canary method to directly check the presence of ___stack_chk_fail and ___stack_chk_guard symbols in imported_functions. Removed the unnecessary conversion to a set, streamlining the function and enhancing readability. Now, has_canary uses any() for efficient symbol existence checks. * [HOTFIX] RPC hook suggestions + Bug Fix (MobSF#2301) * String compare script improvements * Fix iOS Frida script bugs * Added RPC helpers for hook suggestion (TODO:Expose to UI) * Code QA * HOTFIX: Add missing RPC script, Frida Logs font size * version bump * update pktool to 2.9.1 (MobSF#2304) * [EFR][HOTFIX] QA Request (MobSF#2306) * Scan independent library file (.so, .dylib, Framework dylib) from APK/IPA Static Analysis Report * Library analysis refactored relative path helper for Django template. * Re-introduced RELRO checks for Android, added Dart binary check to avoid Flutter false positives. * Improved stripped debug symbol check for ELF and MachO using native OS tools such as nm and objdump when available. * Merge iOS Framework and Dylib Analysis. * Bug Fixes + Improvements (MobSF#2307) * Replace Android test APK * Added tests for Library analysis from binary (scan_library route) * iOS merge findings from swift and objective c rules with same rule identifier. Fixes MobSF#2287 * iOS Binary analysis, sort regex matches. Fixes MobSF#2252 * Framework dylibs with no extensions to skip PIE checks. Fixes MobSF#2307 * Select correct network_security config. 
Fixes MobSF#2049 * Android Manifest Analysis added support for detecting task hijacking (StrandHogg 1.0 and StrandHogg 2.0) . Fixes MobSF#2124 * Added new manifest analysis rule to warn on apps targeting older Android OS * Updated severity of findings * UI improvement for AppSec dashboard to show a loader * UI changes in Static Analysis to collapse large no of files in API and Code Analysis for better real estate * Improved certificate file analysis for android, jar, aar, and ios * MobSF version Bump * [HOTFIX] ChatGPT Permission Mapping + Improved Description (MobSF#2308) * Android Permission Mapping, generated with ChatGPT + axplorer. Addressed MobSF#1772 * Android Permission description enhancement generated with ChatGPT * Added new permissions to permission analyzer * Windows Python tempfile permission error fix (MobSF#2309) * Fix PermissionError: [Errno 13] Permission denied Windows Python tempfile permission error fix * Multiple Features Improved or Added (MobSF#2310) * Android added App Link assetlinks.json check * Added more new permission mappings * Updated Permission database * Improved Source code view content search * Added upstream proxy support for Corellium API calls * Updated Readme * [HOTFIX] Malware Permission Check for Android, API Rules + Version Bump (MobSF#2313) * Malware Permission Check for Android * New Android API rule to support Passkeys * Updated Readme * Version Bump * Bug Fix and QA (MobSF#2315) * Bug Fix * QA * Version bumps * HOTFIX: update apktool, fixes a security issue GHSA-2hqv-2xv4-5h5w * Update submodule * Using multithreading to improve code efficiency (MobSF#2319) * Using multithreading to improve code efficiency * Update manifest_analysis.py * QA * Handle asterik in host names. 
--------- Co-authored-by: Ajin Abraham <ajin25@gmail.com> * GPT Goodness (MobSF#2318) * QA * Version Bump * Update SECURITY.md (MobSF#2323) updated security policy * [HOTFIX][SECURITY] Fix an LFI, DSA Pub Key parsing bug and dependencies (MobSF#2326) * [SECURITY] Fixes an LFI reported by @0x33c0unt - A crafted APK resource with icon name containing arbitrary path will get copied by MobSF as the icon file to the download directory which is available under `/download/` route. Fixed by MobSF@a58f8a8 * Fixes MobSF#2324 , Bug in parsing DSA Public Key parameters for fingerprint calculation. * Update dependencies * Filter out invalid links (MobSF#2322) * Filter out invalid links [ERROR] 2024-01-10 10:28:29 - Well Known Assetlinks Check for URL: http://*/.well-known/assetlinks.json Traceback (most recent call last): requests.exceptions.InvalidURL: URL has an invalid label. * Update manifest_analysis.py --------- Co-authored-by: Ajin Abraham <ajin25@gmail.com> * Fix Arbitrary file writes on Windows (MobSF#2328) * Runtime Exec Tampering Detection, iOS Dynamic REST APIs, Datatables Export (MobSF#2339) * Runtime Executable Tampering Detection * Add security.py * Code QA Performance * Code QA Runtime EXEC tampering detection * Corellium API QA + Domain support * REST API Docs + Datatables export * HOTFIX: Dependency bump * HOTFIX: Injected code overwrite revert * HOTFIX: Bump deps + ELF strings check fix * MOBSF_CORELLIUM_API_DOMAIN Update (MobSF#2347) * MOBSF_CORELLIUM_API_DOMAIN Update Set the default of `MOBSF_CORELLIUM_API_DOMAIN` to `https://app.corellium.com` was it was not being picked up properly in `dynamic_analyzer.py` for iOS * Update corellium_apis.py * Update settings.py --------- Co-authored-by: Ajin Abraham <ajin25@gmail.com> * Add name parameter to create vm * Add name support in ui * feat(page): recent scans add default page and page_size, list 100 items * HOTFIX: Frida Logs API response code + Dependency bump * HOTFIX: Bump deps + expose Corellium stop app 
api * Fix MobSF#2343 * HOTFIX: target sdk bug * HOTFIX: Bump androguard + remove quark * HOTFIX: androguard bump * Fix MobSF#2349 * HOTFIX: Individual image publish * HOTFIX:[SECURITY] Fix GHSA-wfgj-wrgh-h3r3, dep bump, docker build qa * poetry pyqt5 fixes (MobSF#2362) * poetry pyqt5 fixes * QA * fix * Cert analysis qa * QA * pin pyqt5 * HOTFIX: Remove Androguard dependency use only features required by MobSF (MobSF#2363) This PR strips out androguard and it's dependencies from MobSF. Extract androguard related functions used by MobSF. Some dependencies such as pyQt5 from apkinspector is breaking the ARM64 docker image. This should address that issue. In future, we will have to copy over any fixes to axml, apk, public, types from androguard and ZipEntry from apkinspector. We won't be adding linting to these files. The extracted functions will be considered as an external tool. * Optimize rendering of big lists (MobSF#2351) * Optimize rendering of big lists * Dynamic rendering in browser to improve ux Co-authored-by: Ajin Abraham <ajin25@gmail.com> * Fixes GHSA-m435-9v6r-v5f6 * Update SECURITY.md (MobSF#2364) * Update SECURITY.md (MobSF#2365) * Update SECURITY.md * HOTFIX: Build and push docker arm64 and amd64 together * HOTFIX: Possible SSRF * Resolve the situation where the function name is bytes (MobSF#2367) fix error: if function.name.endswith('_chk'): ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ TypeError: endswith first arg must be bytes or a tuple of bytes, not str Co-authored-by: Ajin Abraham <ajin25@gmail.com> * [HOTFIX][SECURITY] Fixes an SSRF vulnerability report from positive technologies (MobSF#2373) Address: GHSA-wpff-wm84-x5cx * Update SECURITY.md * feat(page): recent records add page jump * feat(page): recent records add page jump * Update README.md (MobSF#2383) * Update bug_report.md * Update SUPPORT.md (MobSF#2384) * Update CONTRIBUTING.md * Update auto-comment.yml * Lint fixes * Update home.py * [EFR] AuthZ and AuthN for MobSF + Bug Fixes (MobSF#2366) 
Authentication and Authorization (`Maintainer` , Viewer`) support in MobSF * Basic User Management * Bug Fixes in Runtime Executable Tampering * Ratelimiting support for login endpoint * Disable AuthZ/AuthN for REST API and also via ENV VAR `MOBSF_DISABLE_AUTHENTICATION=1` * Bug Fix MobSF#2285 * Bug Fix Icon Analysis Nonetype * Update SSRF Filter * Dependency Bump * Beta to Stable release from V4 * Runs with DEBUG=False * New home screen UI * [EFR][HOTFIX] SSO Support + Okta SSO Documentation (MobSF#2389) * Add support for SSO with SAML2.0 * Bump Deps * Docs Updated * Bump MobSF version * [HOTFIX] SSO Support hosts behind proxy (MobSF#2390) * Added support for proxy setup and custom SP host * HOTFIX: Fix docker run errors * QA * [HOTFIX] Support AAB with MobSF, Convert AAB to APK, Fixes MobSF#2387 (MobSF#2391) * AAB to APK conversion * relative urls fix for recent scan * [HOTFIX] Code QA (MobSF#2393) * QA * Add new android rule setAllow*FromFileURLs * android root bypass and debugger bypass scripts improvements * Dockerfile qa * prevent entrypoint exit if username already exists * [HOTFIX] AppSec PNW 2024, Deeplink Trigger Support for Android Dynamic Analyzer (MobSF#2402) * iOS Dynamic Analyzer String Compare Frida script improvement * Android Dynamic Analyzer Deeplink UI trigger support * Android & iOS Dynamic Analyzer UI Improvements * Android & iOS Dynamic Analyzer Bug fixes * HOTFIX: Fix and OpenRedirect vulnerability * Update SECURITY.md (MobSF#2418) * [EFR][HOTFIX] Realtime Scan status and logs (MobSF#2416) * Realtime Scan Status in UI and PDF reports * Scan Status REST API & tests * Fixes MobSF#2414 * Address MobSF#2413 * Code QA * Dependency and version bump * [SECURITY][HOTFIX] Fixes GHSA-4hh3-vj32-gr6j (MobSF#2421) * Fixes GHSA-4hh3-vj32-gr6j * update SECURITY.md * update dependencies * Bump deps (MobSF#2426) * Check for internet before attempting to download APK (MobSF#2422) * Check for internet before attempting to download APK * [HOTFIX] dep bups + Fix 
MobSF#2424 * [HOTFIX] Dockerfile and dependency upgrade, Bug Fixes (MobSF#2439) * Dockerfile: migrate from Ubuntu to Debian Bookworm * Update and MachO and ELF Analysis * Update docker compose with postgres * JDK bump to 22.0.2 * Python bump to 3.12 * Bump jadx, apktool, vd2svg, bundletool * Remove jadx from repo and download it dynamically during setup * Install jadx during docker build * Replace deprecated dependencies * Bump httptools * Postgres Support by default * Bump LIEF to latest, reintroduce PIE checks for ELF * Fixes MobSF#2430 MobSF#2432 MobSF#2395 * Bug Fixes * HOTFIX: Postgres env var * HOTFIX: Update wkhtmltopdf and dependencies * Multiple Features (Scan timeout, Firebase Remote Config, Search Scans) (MobSF#2441) Support time out for SAST and Binary scans Search by MD5, package name, file name and app name. Search REST API + docs + tests Firebase remote config check [FEATURE] Add support for Firebase Remote Config information MobSF#2429 autopep8 * Hotfix: Firebase + Dep bumps * HOTFIX: Libsast bump (MobSF#2443) * Libsast bump * Bump libsast to address match case * libsast bump * [HOTFIX] + Features (MobSF#2444) Add support for sample download in recent scans. 
Bug fix in firebase analysis (dict mutation errors) * 4.1.5 (MobSF#2445) * Support custom home from environment variables * Reduce iOS binary findings severity to warning from high * Code QA and dependency updates * docker-compose QA, added example nginx config * Added docker-compose_swarm.yml by @antonkap add support for docker secrets * IPA PNG Uncrush support for Windows and Linux MobSF#2397 * Add support for pulling split apks, Fixes MobSF#2271 (MobSF#2446) * Add support for pulling split apks from device, Fixes MobSF#2271 * Replace Quark with Behaviour analysis using quark rules * docker compose QA, explict requests timeout (MobSF#2447) * Dependency update * Explicit timeout for all requests * Support proxy for all http(s) calls * Optimize jadx download, support system proxy * 4.1.8 (MobSF#2448) * APKID QA. * Bash and Batch file script QA. * Android Report template optimizations on how exported components are displayed. * Clickable Android Activities, Services, Providers and Recievers. * Updated Android version support to 11.0 for Android Studio AVD. * Created helper scripts for AVDs `scripts/start_avd.sh` and `scripts/start_avd.ps1`. * 4.1.9 (MobSF#2449) * Anti-analysis bypass - JADX fallback to DEX files on APK decompilation failure - apktool fallback to androguard for AndroidManifest.xml extraction - apksigner.jar fallback to apksigtool/androguard for signature version extraction - Graceful erorrs for failures instead of exceptions * 4.2.0 (MobSF#2450) - Added malware lookup using SHA2 with VirusTotal, Triage, Hybrid Analysis, and MetaDefender. - Fixed permissions of extracted files to counter anti-analysis techniques. - Resolved APK parsing errors in `androguard`. - Handled exceptions in `string_on_binary`. - Optimized APK ZIP analysis for improved performance. - Fixed untar permission errors in dynamic analysis. - Added bypass for SSL pinning in Boye's `AbstractVerifier`. 
- Updated bypass for SSL pinning in Appmattus's `CertificateTransparencyInterceptor`. - Introduced SSL pinning detector script. - Improved Frida intent dumper script. - Added Frida intent tracer script. - Introduced timeouts for all HTTP calls. - Added `django-q2`-based asynchronous scans for Android and iOS binaries and source code. - Fixed bug in certificate analysis. - Enabled asynchronous scans in Docker Compose setup. - Performed QA for Android and iOS SAST modules. - Added Frida script for `audit-webview`. - Introduced Frida script for `trace-javascript-interface`. - Upgraded `libsast` for improved file reading, multiprocessing, and multithreading. - Fixed PNG crush issues on Darwin systems. - Performed QA on the home screen UI. - Updated `httptools` and `libsast` dependencies. * 4.2.1 (MobSF#2451) * Improvements in scan queue * Fix TOCTOU in delete scans view * 4.2.2 (MobSF#2452) * QA * Verbose * Version bump * DjangoQ2 config * Update status on task timeout (MobSF#2454) * [4.2.4] Async analysis REST API support, fix timeout handle function, Qa (MobSF#2456) * Async analysis REST API support & Docs * Fix timeout handle function * Code QA untar permissions * 4.2.5 (MobSF#2457) * Unified async scan timeout * Allow incomplete scan delete after async scan timeout duration * Added support for Android SBOM analysis * Make dependencies unpinned (Address MobSF#2458) * 4.2.6 (MobSF#2459) * Updated permissions * Added and updated permission mapping rules * Handle errors gracefully from get_app_name and icon_analysis * Add new scans in tasks view without needing and explicit refresh * Optimizing downloads, adding downloads for source code types and windows appx * CodeQL config update * [4.2.7] Androguard & ApkInspector Bump + Patch AXMLParsing (MobSF#2461) * Androguard 293ab2d89ab9ce011c7dbbc5df3c876172875a1c update * AXML Parser warn "reserved must be zero!" 
instead of raise * Fallback on get app name when androguard returns empty string * [4.2.7] Updates (MobSF#2462) Bump to google fork of baksmali 3.0.8 IPA: Graceful handling of plist dump exception * [4.2.8] Multiple APK Analysis improvements, general Code QA & bug fixes (MobSF#2470) * Dockerfile QA * Add sdk-build-tools to Docker image * Replace biplist with plistlib std lib * Fixed a bug in iOS pbxproj parsing * Added support for APK parsing with aapt2/aapt * Use aapt/aapt2 as a fallback for APK parsing, files listing and string extraction * Added "started at" to Scan task queue model MobSF#2463 * Tasks List API to return string status MobSF#2464 * Replaced all minidom calls with defusedxml.minidom * Code QA on android manifest data extraction and parsing * Improved android file analysis * Improved android manifest data extraction * Improved android icon file extraction * Improved android app name extraction * Improved android appstore package details extraction * Android string extraction to fallback on aapt2 strings * APK analysis arguments refactor * Handle packed APKs, refactor unzip to handle malformed APK files * Handle reserved filename conflict during ZIP extraction * Explicit Zipslip handling during ZIP extraction * Graceful files extraction on unzip failure * Removed bail out and continue analysis * Moved androguard parsing to the start of static analysis * AndroidManifest.xml fallback from apktool to androguard during extraction and parsing * Updated Tasks UI to show started at * Helper script for migration * DjangoQ2 Scan Queue QA + Updated defaults * Fix frida on_message for docker compose * Fix x86_64 Android AVD in Windows (MobSF#2471) * Fixes a stored XSS in Recent Scans diff APK, GHSA-5jc6-h9w7-jm3p * Fixes a stored XSS in Recent Scans diff APK, GHSA-5jc6-h9w7-jm3p * Update README.md * HOTFIX: Show Abused Permissions, Fix Download AAB, Dependency bump * dependencies bump + show resources * Save only unique intent priorities in findings 
(MobSF#2474) * Save only unique intent priorities in findings * Save only unique intent priorities in findings * Save only unique intent priorities in findings * Save only unique intent priorities in findings --------- Co-authored-by: Dmitry Maryushkin <dmmaryushkin@ozon.ru> Co-authored-by: Ajin Abraham <ajin25@gmail.com> * Add files list in scorecard desc (MobSF#2473) * Add files list in scorecard desc * fix lint --------- Co-authored-by: Dmitry Maryushkin <dmmaryushkin@ozon.ru> Co-authored-by: Ajin Abraham <ajin25@gmail.com> * Byte snipers patch 2 (MobSF#2477) * Fix for missing 'packaging.metadata' module Changed the packaging version to 24.2 Co-authored-by: ByteSnipers GmbH <55362478+ByteSnipers@users.noreply.github.com> * Dep bump + Support HTTPS upgrade for Assetlinks check (MobSF#2484) * Fix false positives caused in Android manifest analysis * Dep bumps + Support HTTPS upgrade for Assetlinks check * MobSF version bump to 4.3.0 --------- Co-authored-by: Nick Lupien <github@worg.io> * [SECURITY] Security update to fix vulnerabilities reported by Positive Technologies researchers (MobSF#2488) * Fix Stored XSS in iOS Dynamic Analysis, GHSA-cxqq-w3x5-7ph3 * Fix DOS by loose re_path check and strict check inside function, GHSA-jrm8-xgf3-fwqr * Fix API Key leakage, replace REST API with authenticated endpoint, GHSA-79f6-p65j-3m2m * Update SECURITY.md * Saml group mapping (MobSF#2487) * add SSO groups mapping * typo corrected --------- Co-authored-by: Khabarov Konstantin Olegovich <kkhabarov@ozon.ru> Co-authored-by: Ajin Abraham <ajin25@gmail.com> * March 25 QA (MobSF#2504) * Dependency bump * Strict firebaseio domain check * Fix frida server download proxy SSL verify config * Fix CI build on mac * [SECURITY] Improve SSRF checks, strict path check for well_known_path (MobSF#2510) * Improved SSRF checks (credential checks, length check, port check, path, query, and params check, ipv6, ipv4 coverage, handle possible decimal or hex IP bypasses) * Add additional strict 
path check for Applink well known path * Moved `valid_host` to `security.py` * Update `security.md` * Bump dependencies * Fix docker build * Fix lint errors * Removed xmlsec. pyproject does not strictly follow MobSF versions. Where I can, I have upgraded libraries to match the latest version (v4.4.2) * Update poetry.lock file * Fix issue where Cyberspect exception is converted to a string. --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Ajin Abraham <ajin25@gmail.com> Co-authored-by: superpoussin22 <vincent.nadal@orange.fr> Co-authored-by: pyup.io bot <github-bot@pyup.io> Co-authored-by: Matej Soroka <hi@matejsoroka.com> Co-authored-by: N1neSun <917549681@qq.com> Co-authored-by: Ajin.Abraham <ajin.abraham@chime.com> Co-authored-by: Dapo Adedire <adedireadedapo19@gmail.com> Co-authored-by: Atarii <atarii@users.noreply.github.com> Co-authored-by: Han0nly <byxiaohanzhang@foxmail.com> Co-authored-by: rustaska <11994805+rustaska@users.noreply.github.com> Co-authored-by: Toor <toor@DES-macOS-pentest.local> Co-authored-by: TrellixVulnTeam <112716341+TrellixVulnTeam@users.noreply.github.com> Co-authored-by: TrellixVulnTeam <kasimir.schulz@trellix.com> Co-authored-by: ohyeah521 <ohyeah521@gmail.com> Co-authored-by: th3-d4v1d-c0de <116191845+th3-d4v1d-c0de@users.noreply.github.com> Co-authored-by: evmxattr <evmxattr@users.noreply.github.com> Co-authored-by: none <none@none.com> Co-authored-by: antoinbo <87284775+antoinbo@users.noreply.github.com> Co-authored-by: Karmaz <51202595+Karmaz95@users.noreply.github.com> Co-authored-by: Abb4d0n <Abb4d0n@users.noreply.github.com> Co-authored-by: Mark Sowell <mark@marksowell.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: cpuu <cpuu@icloud.com> Co-authored-by: JJ <124142040+HackJJ@users.noreply.github.com> Co-authored-by: miaoyc <miaoyc666@outlook.com> Co-authored-by: JPSxzy8 <147696419+JPSxzy8@users.noreply.github.com> Co-authored-by: Ayushman 
Chhabra <14110965+ayushmanchhabra@users.noreply.github.com> Co-authored-by: Dmitrii Mariushkin <d.v.marushkin@gmail.com> Co-authored-by: Dmitry Maryushkin <dmmaryushkin@ozon.ru> Co-authored-by: ByteSnipers GmbH <55362478+ByteSnipers@users.noreply.github.com> Co-authored-by: Nick Lupien <github@worg.io> Co-authored-by: Antiksec <159251060+Antiksec@users.noreply.github.com> Co-authored-by: Khabarov Konstantin Olegovich <kkhabarov@ozon.ru>
crickard-sl
added a commit
to cyberspect/Mobile-Security-Framework-MobSF
that referenced
this pull request
Jan 7, 2026
* Hotfix:Slack link * Introduce jadx decompilation timeout with env var (MobSF#1916) * Introduce jadx decompilation timeout with env var - exception for timeout - replace subprocess.call for run Co-authored-by: Ajin Abraham <ajin25@gmail.com> * Update ip2location from 8.6.4 to 8.7.2 (MobSF#1926) Co-authored-by: Ajin Abraham <ajin25@gmail.com> * Scheduled weekly dependency update for week 13 (MobSF#1931) * Update quark-engine from 22.2.1 to 22.3.1 * update lief Co-authored-by: Ajin Abraham <ajin25@gmail.com> * update apkid (MobSF#1939) * Fix dynamic report_json api bug (MobSF#1934) Co-authored-by: Ajin Abraham <ajin25@gmail.com> * Hotfix: LIEF * Update README.md (MobSF#1951) * update jadx to 1.3.4 (MobSF#1941) * update jadx to 1.3.4 * update lief * update jadx and requirements * Scheduled weekly dependency update for week 22 (MobSF#1972) * Update ip2location from 8.7.3 to 8.7.4 * Update quark-engine from 22.4.1 to 22.5.1 * Update frida from 15.1.17 to 15.1.23 * Update tldextract from 3.2.1 to 3.3.0 * Check for updates via GitHub releases (MobSF#1957) * Check the GitHub releases page for latest version number * Update utils.py Only log distro if not empty (or spaces) Co-authored-by: Ajin Abraham <ajin25@gmail.com> * Update cert_analysis.py (MobSF#1948) * Update cert_analysis.py Flag on MD5 hash algorithm in signer certificate * Update cert_analysis.py Co-authored-by: Ajin Abraham <ajin25@gmail.com> * HOTFIX: Update Readme with Rewards Banner * Update frida from 15.1.23 to 15.1.24 (MobSF#1975) Co-authored-by: Ajin Abraham <ajin25@gmail.com> * HOTFIX: openSSL link and readme update * Hotfix: Broken slack channel link fix * Hotfix: Windows setup script * Feature Parity Allow iOS IPA download (MobSF#1977) * Allow iOS IPA download * Code QA * Add the checking of the parent element of the permission-related elements to manifest analysis (MobSF#1905) * Add the checking of the parent element of the permission-related elements to manifest analysis Co-authored-by: Ajin Abraham 
<ajin25@gmail.com> * Remove RELRO (MobSF#1978) * Revert "Add the checking of the parent element of the permission-related elements to manifest analysis (MobSF#1905)" (MobSF#1984) HOTFIX: Revert MobSF#1905 * Scheduled weekly dependency update for week 26 (MobSF#1986) * Update ip2location from 8.7.4 to 8.8.0 * Update frida from 15.1.24 to 15.1.27 * Update quark-engine from 22.5.1 to 22.6.1 (MobSF#1989) * Scheduled weekly dependency update for week 28 (MobSF#1993) * Update frida from 15.1.27 to 15.1.28 * Update tldextract from 3.3.0 to 3.3.1 * HOTFIX: libsast, iOS Rule, M1 Mac support * Hotfix MobSF#1999 * Update frida from 15.1.28 to 15.2.2 (MobSF#2002) * Update README.md (MobSF#2020) add Badge App * Fix bug MobSF#1917 where checking for stripped debugging symbols produces false positives in iOS. (MobSF#2023) Co-authored-by: Toor <toor@DES-macOS-pentest.local> Co-authored-by: Ajin Abraham <ajin25@gmail.com> * Update ip2location from 8.8.0 to 8.8.1 (MobSF#2035) Co-authored-by: Ajin Abraham <ajin25@gmail.com> * update apkid to 2.1.4 (MobSF#2037) * Adding tarfile member sanitization to extractall() (MobSF#2039) Co-authored-by: TrellixVulnTeam <kasimir.schulz@trellix.com> Co-authored-by: Ajin Abraham <ajin25@gmail.com> * fix res directory not exist (MobSF#2042) Fix the problem that the res resource folder does not exist; the solution is to copy from the apktool_out directory * [EFR-02] Enterprise Feature Request - False Positive Triaging (MobSF#2000) * Suppression logic * Android code analysis suppression * Fixes MobSF#1981 * iOS source support bundle id extraction * iOS Source Code - Suppression support * Remove check in CFBundleURLName * iOS Binary code analysis suppression support * Add Code QL * Suppression support for Manifest analysis * Fixes MobSF#2014 * REST API + Docs * Address review comments * update suppression wordings * Fixes MobSF#2043 * Icon analysis code QA * Unit Test for False Positive Triaging * Adding numeric_owner as a keyword argument (MobSF#2050) 
numeric_owner needs to be a keyword argument. * Scheduled weekly dependency update for week 41 (MobSF#2046) * Update quark-engine from 22.6.1 to 22.9.1 * Update frida from 15.2.2 to 16.0.1 * Update tldextract from 3.3.1 to 3.4.0 * Update openstep-parser from 1.5.3 to 1.5.4 Co-authored-by: Ajin Abraham <ajin25@gmail.com> * HOTFIX: revert frida to 15.X * HOTFIX: UI changes and warning on mobsf.live (MobSF#2051) * UI changes and warning on mobsf.live * Update home.html * HOTFIX: Split certificate analysis out, suppression list fixes (MobSF#2052) * Hotfix: ui on donate page * Hotfix: Homescreen Navbar * Hotfix: UI icon * hotfix for quark rules location (MobSF#2053) * HOTFIX: jadx update to 1.4.5 (MobSF#2064) * jadx update to 1.4.5 * MobSF version bump * Fixes CVE-2022-42889 in third party dependency * Installation script error: Solving spelling error (MobSF#2067) changed "installtion" to "installation" * Android APK support extracting icon SVG from XML (MobSF#2060) * Added support for SVG icon extraction * Add jar binaries * code refactoring * Update settings.py * HOTFIX: Setup improvement (MobSF#2078) * Improve setup scripts. * Python support to 3.8 - 3.10 * Delete MobSF data directory on running setup. * Bump applicable dependencies. 
* Apktool 2.7.0 update (MobSF#2082) * Update apktool to version 2.7.0 * HOTFIX: Icon should be a file * version bump * New Android Manifest Rule: App support vulnerable android versions (MobSF#2114) * add a new rule: dangerous os version * qa * lint checks * run lint test on one os * Support for filenames containing & (MobSF#2129) Co-authored-by: none <none@none.com> * HOTFIX: Fix docker build (MobSF#2135) * Fix Scorecard Severity Distribution chart data (MobSF#2140) * HOTFIX: Update Dockerfile to install jq (MobSF#2149) * Update Dockerfile * Update tox.ini * [HOTFIX] Add support for environment variable for MobSF config (MobSF#2150) * add support for environment variable config * Fixes MobSF#2109 * update lief * HOTFIX: Fixes MobSF#2144 * HOTFIX: Android min SDK check on janus vulnerability detection (MobSF#2159) * Android min SDK check on janus check * Update README.md * [Enterprise Feature Request EFR02] Support summary of severity in each section. (MobSF#2160) * Summary for Android and iOS SCA * [EFR05] Enterprise Feature Request: AAR and JAR support (MobSF#2163) * AAR and JAR support * Enable binary analysis for aar/jar * Scheduled weekly dependency update for week 24 (MobSF#2187) * Update ip2location from 8.9.0 to 8.10.0 * Update quark-engine from 22.10.1 to 23.5.1 * Update LIEF from to 0.13.1 * Update tldextract from 3.4.0 to 3.4.4 * Update requirements.txt --------- Co-authored-by: Ajin Abraham <ajin25@gmail.com> * Update requirements.txt 0.13.1 not available. 
* HOTFIX: update lief * Revert Hotfix * HOTFIX: Feature updates and Bug Fixes (MobSF#2197) * OFAC, jquery bump, tox fix * AAR handle multiple application tags * HOTFIX: MobSF Android Dynamic Analysis Docker Support (MobSF#2214) * MobSF Android Docker Support * Pin pip version * Update mobsf-test.yml * Update setup.py * Hotfix: Docker error fixes * Hotfix: Add Corellium support message * Hotfix: Broken donate link fix * Update dynamic_analysis.html (MobSF#2218) * Hotfix: Handle Docker <-> ADB connectivity internally (MobSF#2219) * host.docker.internal translation for localhost * Replace urlparse with re * version bump * update ascii art * update apktool to 2.8.1 (MobSF#2220) * update apktool (MobSF#2225) Co-authored-by: Ajin Abraham <ajin25@gmail.com> * HOTFIX: translate upstream proxy ip for docker * Dynamic Analysis support alert (MobSF#2227) * [HOTFIX] Regex + Rule Update (MobSF#2232) * IOS Swift Rules updates * Updated or added rules `ios_biometric_bool`, `ios_biometric_acl`, `ios_keychain_weak_acl_device_passcode`, `ios_keychain_weak_accessibility_value`, `ios_insecure_random_no_generator`, `ios_biometry_hardened` * Regex Hardening: Fixes possible Regex DoS in rules and MobSF code base * [HOTFIX][EFR06] Independent Shared Object (.so) Scan and Improved String search (MobSF#2228) * String extraction from APK, Source, AAR, JAR, SO * Strings sections to show source of strings extracted * Strings Refactor * Support for independent .SO scan * Android SCA rules update * Entropies scan support for strings * URLs/Email extraction refactor * Bug Fixes * iOS Source Report Fix * Frida APK Patcher (WIP) * Dynamic Analyzer identifier not available * Settings env var not working fix for enabled by default features * AppSec Score fix * Recent `scan not completed` fix for iOS zip * HOTFIX: Improve code string extraction * Update macho_analysis.py - SYMBOLS STRIPPED False Negative (MobSF#2234) * Update macho_analysis.py PR for this issue: MobSF#2233 * Update macho_analysis.py 
Co-authored-by: Ajin Abraham <ajin25@gmail.com> * HOTFIX: fix IPA download support * [HOTFIX][EFR-08] Dylib + Symbols + Other Features (MobSF#2239) * Dylib analysis support + PDF for iOS Binary * Dylib string extraction * Improved iOS Plist secret extraction * iOS/Android Form Validation QA * Independent Dylib scan * Symbols view for dylib and so * Trackers support for so * Fix missing exported components (MobSF#2176) Components which are exported and have no permission were not listed in the results because of a wrong template description key. Also added a warning if this happens again. Co-authored-by: Ajin Abraham <ajin25@gmail.com> * [HOTFIX][EFR09] AAR/JAR obfuscation and debug check + Exception Handled strings and symbols extraction (MobSF#2240) * AAR/JAR obfuscation and debug check * Exception handling symbols and strings from so/dylib * [HOTFIX][EFR10] Independent Static Library(.a) ELF/MachO Analysis + Graceful Analysis (MobSF#2242) * Independent Static Library(.a) ELF/MachO Analysis * Mac FAT binary only supported on Mac * Static and Dynamic Binary Analysis QA * Refactor Dex permissions * Fallback certificate analysis using apksigtool * Refactor Androguard `apk.APK()` usage * Pip to Poetry, Ubuntu Base image Bump, Dockerfile QA, Python 3.11 support (MobSF#2244) * Docker base image update * Docker file QA * Github Actions version update * Removed unwanted pinned repository * Pip to Poetry migration * Bump httptools * Bump yara-python-dex * Python 3.11 support * [HOTFIX] Docker Buildx test (MobSF#2247) * Docker image build test for PRs * [HOTFIX] bs4 malformed xml parsing + xml namespace detection (MobSF#2248) * Use BeautifulSoup4 to prettify malformed XML * Detect non standard XML namespace in AndroidManifest.xml (Fixes: MobSF#2198) * Updated android permissions list * Updated android permission update check script * [HOTFIX] Migrate from setup.py to poetry, tox QA (MobSF#2249) * Migrate from setup.py to use poetry build and publish * Tox QA * Version is 
now configured only at pyproject.toml * Added poetry build test * Updated mobsf PyPI publishing workflow * Update local DBs * Performance Improvements on SAST (MobSF#2251) * Performance improvements in SAST scans (Code Analysis, API Analysis, NIAP etc.) with libsast bump * Android API rule QA * Manifest analysis continuation on apktool failure * Linux setup script fix * Disable NIAP by default * [HOTFIX] add apksigner.jar for reading signatures (MobSF#2254) * Add `apksigner.jar` * Use apksigner to extract signature versions (v1, v2, v3, v4) * Fix: MobSF#2120 * [HOTFIX] add jar (MobSF#2255) * Add apksigner jar * [HOTFIX] Bump Frida to address crash on M1 Mac (MobSF#2258) * Update frida to 16.1.4 to resolve segmentation faults on Docker arm image --------- Co-authored-by: Mark Sowell <mark@marksowell.com> * [HOTFIX] simplify scan api (MobSF#2259) * Simplify Scan API * Need only scan hash to trigger a scan * Updated API Docs * [HOTFIX] iOS Framework Analysis + Multiple Feature QA (MobSF#2260) * iOS Framework Analysis * Static Analysis URL simplification * Replace hardcoded urls in template with `{% url %}` * Code QA * Remove unwanted template file * Remove `rescan` query param from url * Android icon SVG guessing improvements * Icon analysis refactoring, change icon storage location * Remove SVG to PNG converter. Support PNG and SVG icon. 
* Github docker release action update * [HOTFIX] Support webp for icon (MobSF#2267) * [HOTFIX] Fixed that the icon cannot be found (MobSF#2265) fixed that the icon cannot be found when the suffix name is uppercase * Allow jpeg icons (MobSF#2268) * [HOTFIX] Fix jadx and apktool failure due to JDK changes (MobSF#2269) * Fix jadx and apktool failure due to JDK zip64 changes * [HOTFIX][EFR] Priority Bug Fixes (MobSF#2275) * P1.1 AAR Permissions not properly listed * P1.2 Local variable table not listed in proper section * P1.3 static library strings are not listed * P1.5 Stripping of dynamic and static libraries are not correctly reported * Dependency bump * MobSF version bump * Hotfix: Bump deps * update apktool to 2.9.0 (MobSF#2278) Co-authored-by: Ajin Abraham <ajin25@gmail.com> * Build(deps): Bump django from 4.1.12 to 4.1.13 (MobSF#2282) Bumps [django](https://github.com/django/django) from 4.1.12 to 4.1.13. - [Commits](django/django@4.1.12...4.1.13) --- updated-dependencies: - dependency-name: django dependency-type: direct:production ... 
Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Hotfix: Support viewing kotlin files MobSF#2283 * iOS Dynamic Analysis with Corellium (MobSF#2194) * iOS Dynamic Analysis Support with Corellium Jailbroken iOS devices * Corellium API layer for complete device and project management * Frida instrumentation (attach, spawn and inject) over SSH local port forward * Shell access over SSH * MobSF httptools proxy integration over SSH remote port forward * Device File upload and download over SSH * Frida scripts for core defense bypass, monitoring, and tracing * Helper iOS Frida scripts for pentesting and malware analysis * Screen cast with touch, swipe and text input support from web UI * Dynamic Analysis device data dump and report Generation * Android Certificate analysis, replaced oscrypto with cryptography for public key parsing * Python minimum support is 3.10 * Bumped httptools to latest, fixes httptools repeat bug * Added unzip to docker to fix a bug * Relaxed bundleid regex * HOTFIX: Dynamic Analysis Improvements Android & iOS (MobSF#2295) iOS Screencast, better swipe Android Screencast to support touch, swipe and text input events Android Frida Logs update Android Improved Screencast Android Frida spawn, inject and attach support Added new Android Frida scripts Replaced Clipdump with Frida script for clipboard monitoring * Hotfix QA (MobSF#2297) * REST API update for android frida instrument * Code QA * [HOTFIX] More Android & iOS Frida Scripts (MobSF#2299) Improved existing frida scripts More Android & iOS frida Scripts Code QA * [HOTFIX] Android script loading, frida injected code view, paramiko SSH issues (MobSF#2300) * Android script loading bug fix * Frida injected code view * Paramiko SSH reactor to address some host key issues, revert from warning to autoadd. 
* Frida Injection refactoring * Enhancements to ARC and Stack Canary Checks in Mach-O Parsing (MobSF#2284) * Extend 'has_arc' check to include '_swift_release' Updated the has_arc method to detect the usage of ARC not only by the presence of the _objc_release symbol but also by the _swift_release symbol. This change broadens the scope of ARC detection to cover both Objective-C and Swift implementations. * Optimize has_canary function without using a set Refactored the has_canary method to directly check the presence of ___stack_chk_fail and ___stack_chk_guard symbols in imported_functions. Removed the unnecessary conversion to a set, streamlining the function and enhancing readability. Now, has_canary uses any() for efficient symbol existence checks. * [HOTFIX] RPC hook suggestions + Bug Fix (MobSF#2301) * String compare script improvements * Fix iOS Frida script bugs * Added RPC helpers for hook suggestion (TODO:Expose to UI) * Code QA * HOTFIX: Add missing RPC script, Frida Logs font size * version bump * update apktool to 2.9.1 (MobSF#2304) * [EFR][HOTFIX] QA Request (MobSF#2306) * Scan independent library file (.so, .dylib, Framework dylib) from APK/IPA Static Analysis Report * Library analysis refactored relative path helper for Django template. * Re-introduced RELRO checks for Android, added Dart binary check to avoid Flutter false positives. * Improved stripped debug symbol check for ELF and MachO using native OS tools such as nm and objdump when available. * Merge iOS Framework and Dylib Analysis. * Bug Fixes + Improvements (MobSF#2307) * Replace Android test APK * Added tests for Library analysis from binary (scan_library route) * iOS merge findings from swift and objective c rules with same rule identifier. Fixes MobSF#2287 * iOS Binary analysis, sort regex matches. Fixes MobSF#2252 * Framework dylibs with no extensions to skip PIE checks. Fixes MobSF#2307 * Select correct network_security config. 
Fixes MobSF#2049 * Android Manifest Analysis added support for detecting task hijacking (StrandHogg 1.0 and StrandHogg 2.0). Fixes MobSF#2124 * Added new manifest analysis rule to warn on apps targeting older Android OS * Updated severity of findings * UI improvement for AppSec dashboard to show a loader * UI changes in Static Analysis to collapse large no. of files in API and Code Analysis for better real estate * Improved certificate file analysis for android, jar, aar, and ios * MobSF version Bump * [HOTFIX] ChatGPT Permission Mapping + Improved Description (MobSF#2308) * Android Permission Mapping, generated with ChatGPT + axplorer. Addressed MobSF#1772 * Android Permission description enhancement generated with ChatGPT * Added new permissions to permission analyzer * Windows Python tempfile permission error fix (MobSF#2309) * Fix PermissionError: [Errno 13] Permission denied Windows Python tempfile permission error fix * Multiple Features Improved or Added (MobSF#2310) * Android added App Link assetlinks.json check * Added more new permission mappings * Updated Permission database * Improved Source code view content search * Added upstream proxy support for Corellium API calls * Updated Readme * [HOTFIX] Malware Permission Check for Android, API Rules + Version Bump (MobSF#2313) * Malware Permission Check for Android * New Android API rule to support Passkeys * Updated Readme * Version Bump * Bug Fix and QA (MobSF#2315) * Bug Fix * QA * Version bumps * HOTFIX: update apktool, fixes a security issue GHSA-2hqv-2xv4-5h5w * Update submodule * Using multithreading to improve code efficiency (MobSF#2319) * Using multithreading to improve code efficiency * Update manifest_analysis.py * QA * Handle asterisk in host names. 
--------- Co-authored-by: Ajin Abraham <ajin25@gmail.com> * GPT Goodness (MobSF#2318) * QA * Version Bump * Update SECURITY.md (MobSF#2323) updated security policy * [HOTFIX][SECURITY] Fix an LFI, DSA Pub Key parsing bug and dependencies (MobSF#2326) * [SECURITY] Fixes an LFI reported by @0x33c0unt - A crafted APK resource with icon name containing arbitrary path will get copied by MobSF as the icon file to the download directory which is available under `/download/` route. Fixed by MobSF@a58f8a8 * Fixes MobSF#2324, Bug in parsing DSA Public Key parameters for fingerprint calculation. * Update dependencies * Filter out invalid links (MobSF#2322) * Filter out invalid links [ERROR] 2024-01-10 10:28:29 - Well Known Assetlinks Check for URL: http://*/.well-known/assetlinks.json Traceback (most recent call last): requests.exceptions.InvalidURL: URL has an invalid label. * Update manifest_analysis.py --------- Co-authored-by: Ajin Abraham <ajin25@gmail.com> * Fix Arbitrary file writes on Windows (MobSF#2328) * Runtime Exec Tampering Detection, iOS Dynamic REST APIs, Datatables Export (MobSF#2339) * Runtime Executable Tampering Detection * Add security.py * Code QA Performance * Code QA Runtime EXEC tampering detection * Corellium API QA + Domain support * REST API Docs + Datatables export * HOTFIX: Dependency bump * HOTFIX: Injected code overwrite revert * HOTFIX: Bump deps + ELF strings check fix * MOBSF_CORELLIUM_API_DOMAIN Update (MobSF#2347) * MOBSF_CORELLIUM_API_DOMAIN Update Set the default of `MOBSF_CORELLIUM_API_DOMAIN` to `https://app.corellium.com` as it was not being picked up properly in `dynamic_analyzer.py` for iOS * Update corellium_apis.py * Update settings.py --------- Co-authored-by: Ajin Abraham <ajin25@gmail.com> * Add name parameter to create vm * Add name support in ui * feat(page): recent scans add default page and page_size, list 100 items * HOTFIX: Frida Logs API response code + Dependency bump * HOTFIX: Bump deps + expose Corellium stop app 
api * Fix MobSF#2343 * HOTFIX: target sdk bug * HOTFIX: Bump androguard + remove quark * HOTFIX: androguard bump * Fix MobSF#2349 * HOTFIX: Individual image publish * HOTFIX:[SECURITY] Fix GHSA-wfgj-wrgh-h3r3, dep bump, docker build qa * poetry pyqt5 fixes (MobSF#2362) * poetry pyqt5 fixes * QA * fix * Cert analysis qa * QA * pin pyqt5 * HOTFIX: Remove Androguard dependency use only features required by MobSF (MobSF#2363) This PR strips out androguard and its dependencies from MobSF. Extract androguard related functions used by MobSF. Some dependencies such as pyQt5 from apkinspector is breaking the ARM64 docker image. This should address that issue. In future, we will have to copy over any fixes to axml, apk, public, types from androguard and ZipEntry from apkinspector. We won't be adding linting to these files. The extracted functions will be considered as an external tool. * Optimize rendering of big lists (MobSF#2351) * Optimize rendering of big lists * Dynamic rendering in browser to improve ux Co-authored-by: Ajin Abraham <ajin25@gmail.com> * Fixes GHSA-m435-9v6r-v5f6 * Update SECURITY.md (MobSF#2364) * Update SECURITY.md (MobSF#2365) * Update SECURITY.md * HOTFIX: Build and push docker arm64 and amd64 together * HOTFIX: Possible SSRF * Resolve the situation where the function name is bytes (MobSF#2367) fix error: if function.name.endswith('_chk'): ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ TypeError: endswith first arg must be bytes or a tuple of bytes, not str Co-authored-by: Ajin Abraham <ajin25@gmail.com> * [HOTFIX][SECURITY] Fixes an SSRF vulnerability report from positive technologies (MobSF#2373) Address: GHSA-wpff-wm84-x5cx * Update SECURITY.md * feat(page): recent records add page jump * feat(page): recent records add page jump * Update README.md (MobSF#2383) * Update bug_report.md * Update SUPPORT.md (MobSF#2384) * Update CONTRIBUTING.md * Update auto-comment.yml * Lint fixes * Update home.py * [EFR] AuthZ and AuthN for MobSF + Bug Fixes (MobSF#2366) 
Authentication and Authorization (`Maintainer`, `Viewer`) support in MobSF * Basic User Management * Bug Fixes in Runtime Executable Tampering * Ratelimiting support for login endpoint * Disable AuthZ/AuthN for REST API and also via ENV VAR `MOBSF_DISABLE_AUTHENTICATION=1` * Bug Fix MobSF#2285 * Bug Fix Icon Analysis Nonetype * Update SSRF Filter * Dependency Bump * Beta to Stable release from V4 * Runs with DEBUG=False * New home screen UI * [EFR][HOTFIX] SSO Support + Okta SSO Documentation (MobSF#2389) * Add support for SSO with SAML2.0 * Bump Deps * Docs Updated * Bump MobSF version * [HOTFIX] SSO Support hosts behind proxy (MobSF#2390) * Added support for proxy setup and custom SP host * HOTFIX: Fix docker run errors * QA * [HOTFIX] Support AAB with MobSF, Convert AAB to APK, Fixes MobSF#2387 (MobSF#2391) * AAB to APK conversion * relative urls fix for recent scan * [HOTFIX] Code QA (MobSF#2393) * QA * Add new android rule setAllow*FromFileURLs * android root bypass and debugger bypass scripts improvements * Dockerfile qa * prevent entrypoint exit if username already exists * [HOTFIX] AppSec PNW 2024, Deeplink Trigger Support for Android Dynamic Analyzer (MobSF#2402) * iOS Dynamic Analyzer String Compare Frida script improvement * Android Dynamic Analyzer Deeplink UI trigger support * Android & iOS Dynamic Analyzer UI Improvements * Android & iOS Dynamic Analyzer Bug fixes * HOTFIX: Fix an OpenRedirect vulnerability * Update SECURITY.md (MobSF#2418) * [EFR][HOTFIX] Realtime Scan status and logs (MobSF#2416) * Realtime Scan Status in UI and PDF reports * Scan Status REST API & tests * Fixes MobSF#2414 * Address MobSF#2413 * Code QA * Dependency and version bump * [SECURITY][HOTFIX] Fixes GHSA-4hh3-vj32-gr6j (MobSF#2421) * Fixes GHSA-4hh3-vj32-gr6j * update SECURITY.md * update dependencies * Bump deps (MobSF#2426) * Check for internet before attempting to download APK (MobSF#2422) * Check for internet before attempting to download APK * [HOTFIX] dep bumps + Fix 
MobSF#2424 * [HOTFIX] Dockerfile and dependency upgrade, Bug Fixes (MobSF#2439) * Dockerfile: migrate from Ubuntu to Debian Bookworm * Update MachO and ELF Analysis * Update docker compose with postgres * JDK bump to 22.0.2 * Python bump to 3.12 * Bump jadx, apktool, vd2svg, bundletool * Remove jadx from repo and download it dynamically during setup * Install jadx during docker build * Replace deprecated dependencies * Bump httptools * Postgres Support by default * Bump LIEF to latest, reintroduce PIE checks for ELF * Fixes MobSF#2430 MobSF#2432 MobSF#2395 * Bug Fixes * HOTFIX: Postgres env var * HOTFIX: Update wkhtmltopdf and dependencies * Multiple Features (Scan timeout, Firebase Remote Config, Search Scans) (MobSF#2441) Support time out for SAST and Binary scans Search by MD5, package name, file name and app name. Search REST API + docs + tests Firebase remote config check [FEATURE] Add support for Firebase Remote Config information MobSF#2429 autopep8 * Hotfix: Firebase + Dep bumps * HOTFIX: Libsast bump (MobSF#2443) * Libsast bump * Bump libsast to address match case * libsast bump * [HOTFIX] + Features (MobSF#2444) Add support for sample download in recent scans. 
Bug fix in firebase analysis (dict mutation errors) * 4.1.5 (MobSF#2445) * Support custom home from environment variables * Reduce iOS binary findings severity to warning from high * Code QA and dependency updates * docker-compose QA, added example nginx config * Added docker-compose_swarm.yml by @antonkap add support for docker secrets * IPA PNG Uncrush support for Windows and Linux MobSF#2397 * Add support for pulling split apks, Fixes MobSF#2271 (MobSF#2446) * Add support for pulling split apks from device, Fixes MobSF#2271 * Replace Quark with Behaviour analysis using quark rules * docker compose QA, explicit requests timeout (MobSF#2447) * Dependency update * Explicit timeout for all requests * Support proxy for all http(s) calls * Optimize jadx download, support system proxy * 4.1.8 (MobSF#2448) * APKID QA. * Bash and Batch file script QA. * Android Report template optimizations on how exported components are displayed. * Clickable Android Activities, Services, Providers and Receivers. * Updated Android version support to 11.0 for Android Studio AVD. * Created helper scripts for AVDs `scripts/start_avd.sh` and `scripts/start_avd.ps1`. * 4.1.9 (MobSF#2449) * Anti-analysis bypass - JADX fallback to DEX files on APK decompilation failure - apktool fallback to androguard for AndroidManifest.xml extraction - apksigner.jar fallback to apksigtool/androguard for signature version extraction - Graceful errors for failures instead of exceptions * 4.2.0 (MobSF#2450) - Added malware lookup using SHA2 with VirusTotal, Triage, Hybrid Analysis, and MetaDefender. - Fixed permissions of extracted files to counter anti-analysis techniques. - Resolved APK parsing errors in `androguard`. - Handled exceptions in `string_on_binary`. - Optimized APK ZIP analysis for improved performance. - Fixed untar permission errors in dynamic analysis. - Added bypass for SSL pinning in Boye's `AbstractVerifier`. 
- Updated bypass for SSL pinning in Appmattus's `CertificateTransparencyInterceptor`. - Introduced SSL pinning detector script. - Improved Frida intent dumper script. - Added Frida intent tracer script. - Introduced timeouts for all HTTP calls. - Added `django-q2`-based asynchronous scans for Android and iOS binaries and source code. - Fixed bug in certificate analysis. - Enabled asynchronous scans in Docker Compose setup. - Performed QA for Android and iOS SAST modules. - Added Frida script for `audit-webview`. - Introduced Frida script for `trace-javascript-interface`. - Upgraded `libsast` for improved file reading, multiprocessing, and multithreading. - Fixed PNG crush issues on Darwin systems. - Performed QA on the home screen UI. - Updated `httptools` and `libsast` dependencies. * 4.2.1 (MobSF#2451) * Improvements in scan queue * Fix TOCTOU in delete scans view * 4.2.2 (MobSF#2452) * QA * Verbose * Version bump * DjangoQ2 config * Update status on task timeout (MobSF#2454) * [4.2.4] Async analysis REST API support, fix timeout handle function, Qa (MobSF#2456) * Async analysis REST API support & Docs * Fix timeout handle function * Code QA untar permissions * 4.2.5 (MobSF#2457) * Unified async scan timeout * Allow incomplete scan delete after async scan timeout duration * Added support for Android SBOM analysis * Make dependencies unpinned (Address MobSF#2458) * 4.2.6 (MobSF#2459) * Updated permissions * Added and updated permission mapping rules * Handle errors gracefully from get_app_name and icon_analysis * Add new scans in tasks view without needing and explicit refresh * Optimizing downloads, adding downloads for source code types and windows appx * CodeQL config update * [4.2.7] Androguard & ApkInspector Bump + Patch AXMLParsing (MobSF#2461) * Androguard 293ab2d89ab9ce011c7dbbc5df3c876172875a1c update * AXML Parser warn "reserved must be zero!" 
instead of raise * Fallback on get app name when androguard returns empty string * [4.2.7] Updates (MobSF#2462) Bump to google fork of baksmali 3.0.8 IPA: Graceful handling of plist dump exception * [4.2.8] Multiple APK Analysis improvements, general Code QA & bug fixes (MobSF#2470) * Dockerfile QA * Add sdk-build-tools to Docker image * Replace biplist with plistlib std lib * Fixed a bug in iOS pbxproj parsing * Added support for APK parsing with aapt2/aapt * Use aapt/aapt2 as a fallback for APK parsing, files listing and string extraction * Added "started at" to Scan task queue model MobSF#2463 * Tasks List API to return string status MobSF#2464 * Replaced all minidom calls with defusedxml.minidom * Code QA on android manifest data extraction and parsing * Improved android file analysis * Improved android manifest data extraction * Improved android icon file extraction * Improved android app name extraction * Improved android appstore package details extraction * Android string extraction to fallback on aapt2 strings * APK analysis arguments refactor * Handle packed APKs, refactor unzip to handle malformed APK files * Handle reserved filename conflict during ZIP extraction * Explicit Zipslip handling during ZIP extraction * Graceful files extraction on unzip failure * Removed bail out and continue analysis * Moved androguard parsing to the start of static analysis * AndroidManifest.xml fallback from apktool to androguard during extraction and parsing * Updated Tasks UI to show started at * Helper script for migration * DjangoQ2 Scan Queue QA + Updated defaults * Fix frida on_message for docker compose * Fix x86_64 Android AVD in Windows (MobSF#2471) * Fixes a stored XSS in Recent Scans diff APK, GHSA-5jc6-h9w7-jm3p * Fixes a stored XSS in Recent Scans diff APK, GHSA-5jc6-h9w7-jm3p * Update README.md * HOTFIX: Show Abused Permissions, Fix Download AAB, Dependency bump * dependencies bump + show resources * Save only unique intent priorities in findings 
(MobSF#2474) * Save only unique intent priorities in findings * Save only unique intent priorities in findings * Save only unique intent priorities in findings * Save only unique intent priorities in findings --------- Co-authored-by: Dmitry Maryushkin <dmmaryushkin@ozon.ru> Co-authored-by: Ajin Abraham <ajin25@gmail.com> * Add files list in scorecard desc (MobSF#2473) * Add files list in scorecard desc * fix lint --------- Co-authored-by: Dmitry Maryushkin <dmmaryushkin@ozon.ru> Co-authored-by: Ajin Abraham <ajin25@gmail.com> * Byte snipers patch 2 (MobSF#2477) * Fix for missing 'packaging.metadata module Changed the packaging version to 24.2 Co-authored-by: ByteSnipers GmbH <55362478+ByteSnipers@users.noreply.github.com> * Dep bump + Support HTTPS upgrade for Assetlinks check (MobSF#2484) * Fix false positives caused in Android manifest analysis * Dep bumps + Support HTTPS upgrade for Assetlinks check * MobSF version bump to 4.3.0 --------- Co-authored-by: Nick Lupien <github@worg.io> * [SECURITY] Security update to fix vulnerabilities reported by Positive Technologies researchers (MobSF#2488) * Fix Stored XSS in iOS Dynamic Analysis, GHSA-cxqq-w3x5-7ph3 * Fix DOS by loose re_path check and strict check inside function, GHSA-jrm8-xgf3-fwqr * Fix API Key leakage, replace REST API with authenticated endpoint, GHSA-79f6-p65j-3m2m * Update SECURITY.md * Saml group mapping (MobSF#2487) * add SSO groups mapping * typo corrected --------- Co-authored-by: Khabarov Konstantin Olegovich <kkhabarov@ozon.ru> Co-authored-by: Ajin Abraham <ajin25@gmail.com> * March 25 QA (MobSF#2504) * Dependency bump * Strict firebaseio domain check * Fix frida server download proxy SSL verify config * Fix CI build on mac * [SECURITY] Improve SSRF checks, strict path check for well_known_path (MobSF#2510) * Improved SSRF checks (credential checks, length check, port check, path, query, and params check, ipv6, ipv4 coverage, handle possible decimal or hex IP bypasses) * Add additional strict 
path check for Applink well known path * Moved `valid_host` to `security.py` * Update `security.md` * Bump dependencies * Fix docker build * Fix misspelling of the word unpatched (MobSF#2515) * Correct CVSS calculation by accessing findings key properly (MobSF#2511) Fixed an issue where the average CVSS score calculation was incorrect due to improper access to the findings key within the JSON structure. The calculation logic was bypassing the findings key and therefore failing to extract valid CVSS scores. Co-authored-by: Ajin Abraham <ajin25@gmail.com> * pin lxml version as well * Lint fixing: * update postgres to 14 * v4.3.3 Security Updates (MobSF#2518) * Fix GHSA-mwfg-948f-2cc5 * stricter email case validation * Fix GHSA-c5vg-26p8-q8cr * Bump deps * Lint QA * June 22nd 2025 updates (MobSF#2530) * Breaking change: Frida 17+ support and script updates * Breaking change: Corellium iOS device must install frida >=17 * Updated Frida scripts for logging, ssl/cert pinning bypass * Added bridges support to frida * Poetry dependency updates * Fix Frida Code Editor code alignment issues * Fix Google Play Scrapper timeout issues behind proxy * Apply MobSF proxy settings to standalone tools_download.py * fix(ios_analyzer): Correctly resolve executable path in .app bundles (MobSF#2533) * fix(ios_analyzer): Correctly resolve executable path in .app bundles The previous method for locating the executable within an IPA file was failing for apps with spaces in their `.app` bundle name. The logic incorrectly performed a string replacement on the full path of the bundle, resulting in an invalid path to the binary. This commit refactors the path resolution logic to use `pathlib` features correctly. It now finds the `.app` directory as a `Path` object and uses the `.stem` attribute to reliably determine the executable's name. This approach is more robust, properly handles spaces and special characters in filenames, and avoids fragile string manipulation. 
* Add doc string back * Update mobsf/StaticAnalyzer/views/ios/binary_analysis.py Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --------- Co-authored-by: Ajin Abraham <ajin25@gmail.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * [Security] Fix Vulnerabilities Aug 2025 MobSF v4.4.1 (MobSF#2545) Bump dependencies Fix Security Vulnerabilities reported by @noname1337h1 GHSA-9gh8-9r95-3fc3 GHSA-ccc3-fvfx-mw3v * Added missing permissions section * Repaired urlpatterns entries from mistaken merge conflict resolution * Add Queue tab to base layout * Tie postgres to v14 * Update version to 4.4.1 --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Ajin Abraham <ajin25@gmail.com> Co-authored-by: Matej Soroka <hi@matejsoroka.com> Co-authored-by: pyup.io bot <github-bot@pyup.io> Co-authored-by: superpoussin22 <vincent.nadal@orange.fr> Co-authored-by: N1neSun <917549681@qq.com> Co-authored-by: Ajin.Abraham <ajin.abraham@chime.com> Co-authored-by: Dapo Adedire <adedireadedapo19@gmail.com> Co-authored-by: Atarii <atarii@users.noreply.github.com> Co-authored-by: Han0nly <byxiaohanzhang@foxmail.com> Co-authored-by: rustaska <11994805+rustaska@users.noreply.github.com> Co-authored-by: Toor <toor@DES-macOS-pentest.local> Co-authored-by: TrellixVulnTeam <112716341+TrellixVulnTeam@users.noreply.github.com> Co-authored-by: TrellixVulnTeam <kasimir.schulz@trellix.com> Co-authored-by: ohyeah521 <ohyeah521@gmail.com> Co-authored-by: th3-d4v1d-c0de <116191845+th3-d4v1d-c0de@users.noreply.github.com> Co-authored-by: evmxattr <evmxattr@users.noreply.github.com> Co-authored-by: none <none@none.com> Co-authored-by: antoinbo <87284775+antoinbo@users.noreply.github.com> Co-authored-by: Karmaz <51202595+Karmaz95@users.noreply.github.com> Co-authored-by: Abb4d0n <Abb4d0n@users.noreply.github.com> Co-authored-by: Mark Sowell <mark@marksowell.com> Co-authored-by: dependabot[bot] 
<49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: cpuu <cpuu@icloud.com> Co-authored-by: JJ <124142040+HackJJ@users.noreply.github.com> Co-authored-by: miaoyc <miaoyc666@outlook.com> Co-authored-by: JPSxzy8 <147696419+JPSxzy8@users.noreply.github.com> Co-authored-by: Ayushman Chhabra <14110965+ayushmanchhabra@users.noreply.github.com> Co-authored-by: Dmitrii Mariushkin <d.v.marushkin@gmail.com> Co-authored-by: Dmitry Maryushkin <dmmaryushkin@ozon.ru> Co-authored-by: ByteSnipers GmbH <55362478+ByteSnipers@users.noreply.github.com> Co-authored-by: Nick Lupien <github@worg.io> Co-authored-by: Antiksec <159251060+Antiksec@users.noreply.github.com> Co-authored-by: Khabarov Konstantin Olegovich <kkhabarov@ozon.ru> Co-authored-by: jpierson-at-riis <77620925+jpierson-at-riis@users.noreply.github.com> Co-authored-by: lorakste <36819466+lorakste@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
crickard-sl
added a commit
to cyberspect/Mobile-Security-Framework-MobSF
that referenced
this pull request
Jan 8, 2026
MobSF#2424 * [HOTFIX] Dockerfile and dependency upgrade, Bug Fixes (MobSF#2439) * Dockerfile: migrate from Ubuntu to Debian Bookworm * Update and MachO and ELF Analysis * Update docker compose with postgres * JDK bump to 22.0.2 * Python bump to 3.12 * Bump jadx, apktool, vd2svg, bundletool * Remove jadx from repo and download it dynamically during setup * Install jadx during docker build * Replace deprecated dependencies * Bump httptools * Postgres Support by default * Bump LIEF to latest, reintroduce PIE checks for ELF * Fixes MobSF#2430 MobSF#2432 MobSF#2395 * Bug Fixes * HOTFIX: Postgres env var * HOTFIX: Update wkhtmltopdf and dependencies * Multiple Features (Scan timeout, Firebase Remote Config, Search Scans) (MobSF#2441) Support time out for SAST and Binary scans Search by MD5, package name, file name and app name. Search REST API + docs + tests Firebase remote config check [FEATURE] Add support for Firebase Remote Config information MobSF#2429 autopep8 * Hotfix: Firebase + Dep bumps * HOTFIX: Libsast bump (MobSF#2443) * Libsast bump * Bump libsast to address match case * libsast bump * [HOTFIX] + Features (MobSF#2444) Add support for sample download in recent scans. 
Bug fix in firebase analysis (dict mutation errors) * 4.1.5 (MobSF#2445) * Support custom home from environment variables * Reduce iOS binary findings severity to warning from high * Code QA and dependency updates * docker-compose QA, added example nginx config * Added docker-compose_swarm.yml by @antonkap add support for docker secrets * IPA PNG Uncrush support for Windows and Linux MobSF#2397 * Add support for pulling split apks, Fixes MobSF#2271 (MobSF#2446) * Add support for pulling split apks from device, Fixes MobSF#2271 * Replace Quark with Behaviour analysis using quark rules * docker compose QA, explict requests timeout (MobSF#2447) * Dependency update * Explicit timeout for all requests * Support proxy for all http(s) calls * Optimize jadx download, support system proxy * 4.1.8 (MobSF#2448) * APKID QA. * Bash and Batch file script QA. * Android Report template optimizations on how exported components are displayed. * Clickable Android Activities, Services, Providers and Recievers. * Updated Android version support to 11.0 for Android Studio AVD. * Created helper scripts for AVDs `scripts/start_avd.sh` and `scripts/start_avd.ps1`. * 4.1.9 (MobSF#2449) * Anti-analysis bypass - JADX fallback to DEX files on APK decompilation failure - apktool fallback to androguard for AndroidManifest.xml extraction - apksigner.jar fallback to apksigtool/androguard for signature version extraction - Graceful erorrs for failures instead of exceptions * 4.2.0 (MobSF#2450) - Added malware lookup using SHA2 with VirusTotal, Triage, Hybrid Analysis, and MetaDefender. - Fixed permissions of extracted files to counter anti-analysis techniques. - Resolved APK parsing errors in `androguard`. - Handled exceptions in `string_on_binary`. - Optimized APK ZIP analysis for improved performance. - Fixed untar permission errors in dynamic analysis. - Added bypass for SSL pinning in Boye's `AbstractVerifier`. 
- Updated bypass for SSL pinning in Appmattus's `CertificateTransparencyInterceptor`. - Introduced SSL pinning detector script. - Improved Frida intent dumper script. - Added Frida intent tracer script. - Introduced timeouts for all HTTP calls. - Added `django-q2`-based asynchronous scans for Android and iOS binaries and source code. - Fixed bug in certificate analysis. - Enabled asynchronous scans in Docker Compose setup. - Performed QA for Android and iOS SAST modules. - Added Frida script for `audit-webview`. - Introduced Frida script for `trace-javascript-interface`. - Upgraded `libsast` for improved file reading, multiprocessing, and multithreading. - Fixed PNG crush issues on Darwin systems. - Performed QA on the home screen UI. - Updated `httptools` and `libsast` dependencies. * 4.2.1 (MobSF#2451) * Improvements in scan queue * Fix TOCTOU in delete scans view * 4.2.2 (MobSF#2452) * QA * Verbose * Version bump * DjangoQ2 config * Update status on task timeout (MobSF#2454) * [4.2.4] Async analysis REST API support, fix timeout handle function, Qa (MobSF#2456) * Async analysis REST API support & Docs * Fix timeout handle function * Code QA untar permissions * 4.2.5 (MobSF#2457) * Unified async scan timeout * Allow incomplete scan delete after async scan timeout duration * Added support for Android SBOM analysis * Make dependencies unpinned (Address MobSF#2458) * 4.2.6 (MobSF#2459) * Updated permissions * Added and updated permission mapping rules * Handle errors gracefully from get_app_name and icon_analysis * Add new scans in tasks view without needing and explicit refresh * Optimizing downloads, adding downloads for source code types and windows appx * CodeQL config update * [4.2.7] Androguard & ApkInspector Bump + Patch AXMLParsing (MobSF#2461) * Androguard 293ab2d89ab9ce011c7dbbc5df3c876172875a1c update * AXML Parser warn "reserved must be zero!" 
instead of raise * Fallback on get app name when androguard returns empty string * [4.2.7] Updates (MobSF#2462) Bump to google fork of baksmali 3.0.8 IPA: Graceful handling of plist dump exception * [4.2.8] Multiple APK Analysis improvements, general Code QA & bug fixes (MobSF#2470) * Dockerfile QA * Add sdk-build-tools to Docker image * Replace biplist with plistlib std lib * Fixed a bug in iOS pbxproj parsing * Added support for APK parsing with aapt2/aapt * Use aapt/aapt2 as a fallback for APK parsing, files listing and string extraction * Added "started at" to Scan task queue model MobSF#2463 * Tasks List API to return string status MobSF#2464 * Replaced all minidom calls with defusedxml.minidom * Code QA on android manifest data extraction and parsing * Improved android file analysis * Improved android manifest data extraction * Improved android icon file extraction * Improved android app name extraction * Improved android appstore package details extraction * Android string extraction to fallback on aapt2 strings * APK analysis arguments refactor * Handle packed APKs, refactor unzip to handle malformed APK files * Handle reserved filename conflict during ZIP extraction * Explicit Zipslip handling during ZIP extraction * Graceful files extraction on unzip failure * Removed bail out and continue analysis * Moved androguard parsing to the start of static analysis * AndroidManifest.xml fallback from apktool to androguard during extraction and parsing * Updated Tasks UI to show started at * Helper script for migration * DjangoQ2 Scan Queue QA + Updated defaults * Fix frida on_message for docker compose * Fix x86_64 Android AVD in Windows (MobSF#2471) * Fixes a stored XSS in Recent Scans diff APK, GHSA-5jc6-h9w7-jm3p * Fixes a stored XSS in Recent Scans diff APK, GHSA-5jc6-h9w7-jm3p * Update README.md * HOTFIX: Show Abused Permissions, Fix Download AAB, Dependency bump * dependencies bump + show resources * Save only unique intent priorities in findings 
(MobSF#2474) * Save only unique intent priorities in findings * Save only unique intent priorities in findings * Save only unique intent priorities in findings * Save only unique intent priorities in findings --------- Co-authored-by: Dmitry Maryushkin <dmmaryushkin@ozon.ru> Co-authored-by: Ajin Abraham <ajin25@gmail.com> * Add files list in scorecard desc (MobSF#2473) * Add files list in scorecard desc * fix lint --------- Co-authored-by: Dmitry Maryushkin <dmmaryushkin@ozon.ru> Co-authored-by: Ajin Abraham <ajin25@gmail.com> * Byte snipers patch 2 (MobSF#2477) * Fix for missing 'packaging.metadata module Changed the packaging version to 24.2 Co-authored-by: ByteSnipers GmbH <55362478+ByteSnipers@users.noreply.github.com> * Dep bump + Support HTTPS upgrade for Assetlinks check (MobSF#2484) * Fix false positives caused in Android manifest analysis * Dep bumps + Support HTTPS upgrade for Assetlinks check * MobSF version bump to 4.3.0 --------- Co-authored-by: Nick Lupien <github@worg.io> * [SECURITY] Security update to fix vulnerabilities reported by Positive Technologies researchers (MobSF#2488) * Fix Stored XSS in iOS Dynamic Analysis, GHSA-cxqq-w3x5-7ph3 * Fix DOS by loose re_path check and strict check inside function, GHSA-jrm8-xgf3-fwqr * Fix API Key leakage, replace REST API with authenticated endpoint, GHSA-79f6-p65j-3m2m * Update SECURITY.md * Saml group mapping (MobSF#2487) * add SSO groups mapping * typo corrected --------- Co-authored-by: Khabarov Konstantin Olegovich <kkhabarov@ozon.ru> Co-authored-by: Ajin Abraham <ajin25@gmail.com> * March 25 QA (MobSF#2504) * Dependency bump * Strict firebaseio domain check * Fix frida server download proxy SSL verify config * Fix CI build on mac * [SECURITY] Improve SSRF checks, strict path check for well_known_path (MobSF#2510) * Improved SSRF checks (credential checks, length check, port check, path, query, and params check, ipv6, ipv4 coverage, handle possible decimal or hex IP bypasses) * Add additional strict 
path check for Applink well known path * Moved `valid_host` to `security.py` * Update `security.md` * Bump dependencies * Fix docker build * Fix misspelling of the word unpatched (MobSF#2515) * Correct CVSS calculation by accessing findings key properly (MobSF#2511) Fixed an issue where the average CVSS score calculation was incorrect due to improper access to the findings key within the JSON structure. The calculation logic was bypassing the findings key and therefore failing to extract valid CVSS scores. Co-authored-by: Ajin Abraham <ajin25@gmail.com> * pin lxml version as well * Lint fixing: * update postgres to 14 * v4.3.3 Security Updates (MobSF#2518) * Fix GHSA-mwfg-948f-2cc5 * stricter email case validation * Fix GHSA-c5vg-26p8-q8cr * Bump deps * Lint QA * June 22nd 2025 updates (MobSF#2530) * Breaking change: Frida 17+ support and script updates * Breaking change: Corellium iOS device must install frida >=17 * Updated Frida scripts for logging, ssl/cert pinning bypass * Added bridges support to frida * Poetry dependency updates * Fix Frida Code Editor code alignment issues * Fix Google Play Scrapper timeout issues behind proxy * Apply MobSF proxy settings to standalone tools_download.py * fix(ios_analyzer): Correctly resolve executable path in .app bundles (MobSF#2533) * fix(ios_analyzer): Correctly resolve executable path in .app bundles The previous method for locating the executable within an IPA file was failing for apps with spaces in their `.app` bundle name. The logic incorrectly performed a string replacement on the full path of the bundle, resulting in an invalid path to the binary. This commit refactors the path resolution logic to use `pathlib` features correctly. It now finds the `.app` directory as a `Path` object and uses the `.stem` attribute to reliably determine the executable's name. This approach is more robust, properly handles spaces and special characters in filenames, and avoids fragile string manipulation. 
* Add doc string back * Update mobsf/StaticAnalyzer/views/ios/binary_analysis.py Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --------- Co-authored-by: Ajin Abraham <ajin25@gmail.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * [Security] Fix Vulnerabilities Aug 2025 MobSF v4.4.1 (MobSF#2545) Bump dependencies Fix Security Vulnerabilities reported by @noname1337h1 GHSA-9gh8-9r95-3fc3 GHSA-ccc3-fvfx-mw3v * Python 3.13 Support (MobSF#2546) * Python Support updated to 3.12-3.13 * Bump mitmproxy * Bump httptools * Remove pinned xmlsec, lxml * Android Permission Update * Updates Signatures --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: superpoussin22 <vincent.nadal@orange.fr> Co-authored-by: Ajin Abraham <ajin25@gmail.com> Co-authored-by: Matej Soroka <hi@matejsoroka.com> Co-authored-by: pyup.io bot <github-bot@pyup.io> Co-authored-by: N1neSun <917549681@qq.com> Co-authored-by: Ajin.Abraham <ajin.abraham@chime.com> Co-authored-by: Dapo Adedire <adedireadedapo19@gmail.com> Co-authored-by: Atarii <atarii@users.noreply.github.com> Co-authored-by: Han0nly <byxiaohanzhang@foxmail.com> Co-authored-by: rustaska <11994805+rustaska@users.noreply.github.com> Co-authored-by: Toor <toor@DES-macOS-pentest.local> Co-authored-by: TrellixVulnTeam <112716341+TrellixVulnTeam@users.noreply.github.com> Co-authored-by: TrellixVulnTeam <kasimir.schulz@trellix.com> Co-authored-by: ohyeah521 <ohyeah521@gmail.com> Co-authored-by: th3-d4v1d-c0de <116191845+th3-d4v1d-c0de@users.noreply.github.com> Co-authored-by: evmxattr <evmxattr@users.noreply.github.com> Co-authored-by: none <none@none.com> Co-authored-by: antoinbo <87284775+antoinbo@users.noreply.github.com> Co-authored-by: Karmaz <51202595+Karmaz95@users.noreply.github.com> Co-authored-by: Abb4d0n <Abb4d0n@users.noreply.github.com> Co-authored-by: Mark Sowell <mark@marksowell.com> Co-authored-by: dependabot[bot] 
<49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: cpuu <cpuu@icloud.com> Co-authored-by: JJ <124142040+HackJJ@users.noreply.github.com> Co-authored-by: miaoyc <miaoyc666@outlook.com> Co-authored-by: JPSxzy8 <147696419+JPSxzy8@users.noreply.github.com> Co-authored-by: Ayushman Chhabra <14110965+ayushmanchhabra@users.noreply.github.com> Co-authored-by: Dmitrii Mariushkin <d.v.marushkin@gmail.com> Co-authored-by: Dmitry Maryushkin <dmmaryushkin@ozon.ru> Co-authored-by: ByteSnipers GmbH <55362478+ByteSnipers@users.noreply.github.com> Co-authored-by: Nick Lupien <github@worg.io> Co-authored-by: Antiksec <159251060+Antiksec@users.noreply.github.com> Co-authored-by: Khabarov Konstantin Olegovich <kkhabarov@ozon.ru> Co-authored-by: jpierson-at-riis <77620925+jpierson-at-riis@users.noreply.github.com> Co-authored-by: lorakste <36819466+lorakste@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Describe the Pull Request
Hi again! Another small fix: now the manifest parser for Android does not store any additional info about intents with high priorities (no intent names or filter schemas), but shows all hits in reports:
So I just added grouping of high_intent_priority_found by priority and a count of hits in the title:
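The grouping described above, as an added example that is not MobSF's own code: a constructed sample manifest is parsed, every intent-filter whose `android:priority` is above an assumed threshold of 100 is collected (the old, one-finding-per-hit view), and those hits are then collapsed into one finding per distinct priority carrying its hit count. The function names, the threshold and the title wording are assumptions.

```python
# Added example (not MobSF's code): report each high android:priority value
# once, with a hit count, instead of one duplicate finding per intent-filter.
# Threshold, title wording and the sample manifest are constructed assumptions.
from collections import Counter
import xml.etree.ElementTree as ET  # MobSF itself uses defusedxml for untrusted input

ANDROID_NS = '{http://schemas.android.com/apk/res/android}'
HIGH_PRIORITY = 100  # assumed threshold: priorities above this are reported

# Constructed sample: four intent-filters, two of them sharing priority 1000.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter android:priority="1000">
        <action android:name="android.intent.action.VIEW"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="1000">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
      <intent-filter android:priority="999">
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name=".SyncService">
      <intent-filter android:priority="50">
        <action android:name="com.example.SYNC"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""


def high_intent_priorities(manifest_xml):
    """One entry per intent-filter above the threshold (the old, duplicated view)."""
    hits = []
    for flt in ET.fromstring(manifest_xml).iter('intent-filter'):
        raw = flt.get(ANDROID_NS + 'priority')
        if raw is None:
            continue
        try:
            prio = int(raw)
        except ValueError:
            continue  # e.g. a resource reference like @integer/prio, not a literal
        if prio > HIGH_PRIORITY:
            hits.append(prio)
    return hits


def unique_priority_findings(manifest_xml):
    """Collapse hits into one finding per distinct priority, highest first,
    with the number of intent-filters that used it in the title."""
    counts = Counter(high_intent_priorities(manifest_xml))
    return [
        {'priority': prio, 'hits': n,
         'title': f'High Intent Priority ({prio}) [android:priority] - {n} hit(s)'}
        for prio, n in sorted(counts.items(), reverse=True)
    ]


if __name__ == '__main__':
    for finding in unique_priority_findings(SAMPLE_MANIFEST):
        print(finding['title'])
```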