[HOTFIX] Malware Permission Check for Android, API Rules + Version Bu…

…mp (#2313) * Malware Permission Check for Android * New Android API rule to support Passkeys * Updated Readme * Version Bump
MobSF · Dec 23, 2023 · 3342311 · 3342311
1 parent b48276a
commit 3342311
Show file tree

Hide file tree

Showing 20 changed files with 341 additions and 22 deletions.
diff --git a/README.md b/README.md
@@ -1,5 +1,5 @@
 # Mobile Security Framework (MobSF)
-Version: v3.8 beta
+Version: v3.9 beta
 
 ![](https://cloud.githubusercontent.com/assets/4301109/20019521/cc61f7fc-a2f2-11e6-95f3-407030d9fdde.png)
 
@@ -28,13 +28,13 @@ Made with ![Love](https://cloud.githubusercontent.com/assets/4301109/16754758/82
 
 MobSF is also bundled with [Android Tamer](https://tamerplatform.com), [BlackArch](https://blackarch.org/mobile.html) and [Pentoo](https://www.pentoo.ch/).
 
-## Support MobSF
+### Support MobSF
 
 [![Donate to MobSF](https://user-images.githubusercontent.com/4301109/117404264-7aab5480-aebe-11eb-9cbd-da82d7346bb3.png)](https://opensecurity.in/donate)
 
 If you liked MobSF and find it useful, please consider donating.
 
-*It's easy to build open source, maintaining one is a different another story. Long live open source!*
+*It's easy to build open source, maintaining one is a different story. Long live open source!*
 
 ## Documentation
 
@@ -87,11 +87,15 @@ docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:la
 
 ### Dynamic Analysis - Android APK
 
-![mobsf_dynamic_analysis](https://user-images.githubusercontent.com/4301109/95514697-5e782100-098a-11eb-8390-47bb3822a2d7.gif)
+![mobsf_android_dynamic_analysis](https://user-images.githubusercontent.com/4301109/95514697-5e782100-098a-11eb-8390-47bb3822a2d7.gif)
 
 ### Web API Viewer
 
-![ mobsf_web_api_fuzzing_with_burp](https://user-images.githubusercontent.com/4301109/95516560-69808080-098d-11eb-9e0b-fb5a25e96585.gif)
+![mobsf_web_api_fuzzing_with_burp](https://user-images.githubusercontent.com/4301109/95516560-69808080-098d-11eb-9e0b-fb5a25e96585.gif)
+
+### Dynamic Analysis - iOS IPA
+
+![mobsf_ios_dynamic_analysis](https://github.com/MobSF/Mobile-Security-Framework-MobSF/assets/4301109/34014c4d-1535-48ad-9944-a4b1b728a030)
 
 ## Past Collaborators
 

diff --git a/mobsf/MalwareAnalyzer/views/apkid.py → mobsf/MalwareAnalyzer/views/android/apkid.py b/mobsf/MalwareAnalyzer/views/apkid.py → mobsf/MalwareAnalyzer/views/android/apkid.py
diff --git a/mobsf/MalwareAnalyzer/views/android/permissions.py b/mobsf/MalwareAnalyzer/views/android/permissions.py
@@ -0,0 +1,100 @@
+# -*- coding: utf_8 -*-
+# Check against most common malware permissions.
+import logging
+
+
+TOP_MALWARE_PERMISSIONS = [
+    'android.permission.ACCEPT_HANDOVER',
+    'android.permission.ACCESS_COARSE_LOCATION',
+    'android.permission.ACCESS_FINE_LOCATION',
+    'android.permission.ACCESS_NETWORK_STATE',
+    'android.permission.CAMERA',
+    'android.permission.GET_ACCOUNTS',
+    'android.permission.GET_TASKS',
+    'android.permission.INTERNET',
+    'android.permission.SET_WALLPAPER',
+    'android.permission.WRITE_SETTINGS',
+    'android.permission.READ_SMS',
+    'android.permission.SEND_SMS',
+    'android.permission.RECEIVE_SMS',
+    'android.permission.READ_CALL_LOG',
+    'android.permission.READ_CONTACTS',
+    'android.permission.RECORD_AUDIO',
+    'android.permission.ACCESS_WIFI_STATE',
+    'android.permission.READ_PHONE_STATE',
+    'android.permission.RECEIVE_BOOT_COMPLETED',
+    'android.permission.SYSTEM_ALERT_WINDOW',
+    'android.permission.WAKE_LOCK',
+    'android.permission.WRITE_EXTERNAL_STORAGE',
+    'android.permission.READ_EXTERNAL_STORAGE',
+    'android.permission.VIBRATE',
+]
+OTHER_PERMISSIONS = [
+    'android.permission.ACCESS_BACKGROUND_LOCATION',
+    'android.permission.ACCESS_CHECKIN_PROPERTIES',
+    'android.permission.ACCESS_LOCATION_EXTRA_COMMANDS',
+    'android.permission.ACCESS_MOCK_LOCATION',
+    'android.permission.ACCESS_NOTIFICATION_POLICY',
+    'android.permission.ACCESS_SUPERUSER',
+    'android.permission.ACCESS_SURFACE_FLINGER',
+    'android.permission.ACCOUNT_MANAGER',
+    'android.permission.ACTIVITY_RECOGNITION',
+    'android.permission.AUTHENTICATE_ACCOUNTS',
+    'android.permission.BATTERY_STATS',
+    'android.permission.BIND_APPWIDGET',
+    'android.permission.BIND_DEVICE_ADMIN',
+    'android.permission.BIND_INPUT_METHOD',
+    'android.permission.BIND_REMOTEVIEWS',
+    'android.permission.BIND_WALLPAPER',
+    'android.permission.BLUETOOTH',
+    'android.permission.BLUETOOTH_ADMIN',
+    'android.permission.BRICK',
+    'android.permission.BROADCAST_PACKAGE_REMOVED',
+    'android.permission.BROADCAST_SMS',
+    'android.permission.BROADCAST_STICKY',
+    'android.permission.BROADCAST_WAP_PUSH',
+    'android.permission.CALL_PHONE',
+    'android.permission.CHANGE_NETWORK_STATE',
+    'android.permission.CHANGE_WIFI_STATE',
+    'android.permission.DIAGNOSTIC',
+    'android.permission.FLASHLIGHT',
+    'android.permission.FORCE_STOP_PACKAGES',
+    'android.permission.FOREGROUND_SERVICE',
+    'android.permission.GET_ACCOUNTS_PRIVELEGED',
+    'android.permission.MODIFY_AUDIO_SETTINGS',
+    'android.permission.MOUNT_FORMAT_FILESYSTEMS',
+    'android.permission.PROCESS_OUTGOING_CALLS',
+    'android.permission.READ_CALENDAR',
+    'android.permission.PACKAGE_USAGE_STATS',
+    'android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS',
+    'android.permission.REQUEST_INSTALL_PACKAGES',
+    'android.permission.WRITE_CONTACTS',
+    'android.permission.WRITE_SMS',
+    'com.android.launcher.permission.INSTALL_SHORTCUT',
+    'com.google.android.c2dm.permission.RECEIVE',
+    'com.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE',
+    'com.google.android.gms.permission.ACTIVITY_RECOGNITION',
+    'com.google.android.gms.permission.AD_ID',
+]
+
+
+logger = logging.getLogger(__name__)
+
+
+def check_malware_permission(perms):
+    """Check against most common malware permissions."""
+    logger.info('Checking for Malware Permissions')
+    malware_perms = []
+    other_perms = []
+    for permission in perms:
+        if permission in TOP_MALWARE_PERMISSIONS:
+            malware_perms.append(permission)
+        if permission in OTHER_PERMISSIONS:
+            other_perms.append(permission)
+    data = {
+        'top_malware_permissions': malware_perms,
+        'other_abused_permissions': other_perms,
+        'total_malware_permissions': len(TOP_MALWARE_PERMISSIONS),
+        'total_other_permissions': len(OTHER_PERMISSIONS),
+    }
+    return data
diff --git a/mobsf/MalwareAnalyzer/views/quark.py → mobsf/MalwareAnalyzer/views/android/quark.py b/mobsf/MalwareAnalyzer/views/quark.py → mobsf/MalwareAnalyzer/views/android/quark.py
diff --git a/mobsf/MobSF/init.py b/mobsf/MobSF/init.py
@@ -10,13 +10,13 @@
 
 logger = logging.getLogger(__name__)
 
-VERSION = '3.8.9'
+VERSION = '3.9.0'
 BANNER = """
-  __  __       _    ____  _____       _____  ___  
- |  \/  | ___ | |__/ ___||  ___|_   _|___ / ( _ ) 
- | |\/| |/ _ \| '_ \___ \| |_  \ \ / / |_ \ / _ \ 
- | |  | | (_) | |_) |__) |  _|  \ V / ___) | (_) |
- |_|  |_|\___/|_.__/____/|_|     \_/ |____(_)___/ 
+  __  __       _    ____  _____       _____ ___  
+ |  \/  | ___ | |__/ ___||  ___|_   _|___ // _ \ 
+ | |\/| |/ _ \| '_ \___ \| |_  \ \ / / |_ \ (_) |
+ | |  | | (_) | |_) |__) |  _|  \ V / ___) \__, |
+ |_|  |_|\___/|_.__/____/|_|     \_/ |____(_)/_/ 
 """  # noqa: W291
 # ASCII Font: Standard
 

diff --git a/mobsf/MobSF/settings.py b/mobsf/MobSF/settings.py
@@ -334,6 +334,8 @@
     CVSS_SCORE_ENABLED = bool(os.getenv('MOBSF_CVSS_SCORE_ENABLED', ''))
     # NIAP Scan
     NIAP_ENABLED = os.getenv('MOBSF_NIAP_ENABLED', '')
+    # Permission to Code Mapping
+    PERM_MAPPING_ENABLED = os.getenv('MOBSF_PERM_MAPPING_ENABLED', '1')
     # Dex 2 Smali Conversion
     DEX2SMALI_ENABLED = os.getenv('MOBSF_DEX2SMALI_ENABLED', '1')
     # Android Shared Object Binary Analysis

diff --git a/mobsf/MobSF/utils.py b/mobsf/MobSF/utils.py
@@ -101,17 +101,22 @@ def print_version():
     """Print MobSF Version."""
     logger.info(settings.BANNER)
     ver = settings.MOBSF_VER
+    logger.info('Author: Ajin Abraham | opensecurity.in')
     if platform.system() == 'Windows':
         logger.info('Mobile Security Framework %s', ver)
         print('REST API Key: ' + api_key())
     else:
         logger.info('\033[1m\033[34mMobile Security Framework %s\033[0m', ver)
         print('REST API Key: ' + Color.BOLD + api_key() + Color.END)
-    logger.info('OS: %s', platform.system())
-    logger.info('Platform: %s', platform.platform())
-    dist = ' '.join(distro.linux_distribution(full_distribution_name=False))
-    if dist.strip():
-        logger.info('Dist: %s', dist)
+    os = platform.system()
+    pltfm = platform.platform()
+    dist = ' '.join(distro.linux_distribution(
+        full_distribution_name=False)).strip()
+    dst_str = ' '
+    if dist:
+        dst_str = f' ({dist}) '
+    env_str = f'OS Environment: {os}{dst_str}{pltfm}'
+    logger.info(env_str)
     find_java_binary()
     check_basic_env()
     thread = threading.Thread(target=check_update, name='check_update')

diff --git a/mobsf/StaticAnalyzer/models.py b/mobsf/StaticAnalyzer/models.py
@@ -39,6 +39,7 @@ class StaticAnalyzerAndroid(models.Model):
     VERSION_CODE = models.CharField(max_length=50, default='')
     ICON_PATH = models.TextField(default='')
     PERMISSIONS = models.TextField(default={})
+    MALWARE_PERMISSIONS = models.TextField(default={})
     CERTIFICATE_ANALYSIS = models.TextField(default={})
     MANIFEST_ANALYSIS = models.TextField(default=[])
     BINARY_ANALYSIS = models.TextField(default=[])

diff --git a/mobsf/StaticAnalyzer/views/android/code_analysis.py b/mobsf/StaticAnalyzer/views/android/code_analysis.py
@@ -13,6 +13,7 @@
 from mobsf.MobSF.utils import (
     filename_from_path,
     get_android_src_dir,
+    settings_enabled,
 )
 from mobsf.StaticAnalyzer.views.common.shared_func import (
     url_n_email_extract,
@@ -28,6 +29,8 @@
 def get_perm_rules(perm_rules, android_permissions):
     """Get applicablepermission rules."""
     try:
+        if not settings_enabled('PERM_MAPPING_ENABLED'):
+            return None
         if not android_permissions:
             return None
         dynamic_rules = []

diff --git a/mobsf/StaticAnalyzer/views/android/db_interaction.py b/mobsf/StaticAnalyzer/views/android/db_interaction.py
@@ -57,6 +57,8 @@ def get_context_from_db_entry(db_entry: QuerySet) -> dict:
             'version_code': db_entry[0].VERSION_CODE,
             'icon_path': db_entry[0].ICON_PATH,
             'permissions': python_dict(db_entry[0].PERMISSIONS),
+            'malware_permissions': python_dict(
+                db_entry[0].MALWARE_PERMISSIONS),
             'certificate_analysis': python_dict(
                 db_entry[0].CERTIFICATE_ANALYSIS),
             'manifest_analysis': manifest_analysis,
@@ -130,6 +132,7 @@ def get_context_from_analysis(app_dic,
             'icon_path': app_dic['icon_path'],
             'certificate_analysis': cert_dic,
             'permissions': man_an_dic['permissions'],
+            'malware_permissions': man_an_dic['malware_permissions'],
             'manifest_analysis': manifest_analysis,
             'network_security': man_an_dic['network_security'],
             'binary_analysis': bin_anal,
@@ -193,6 +196,7 @@ def save_or_update(update_type,
             'ICON_PATH': app_dic['icon_path'],
             'CERTIFICATE_ANALYSIS': cert_dic,
             'PERMISSIONS': man_an_dic['permissions'],
+            'MALWARE_PERMISSIONS': man_an_dic['malware_permissions'],
             'MANIFEST_ANALYSIS': man_an_dic['manifest_anal'],
             'BINARY_ANALYSIS': bin_anal,
             'FILE_ANALYSIS': app_dic['certz'],

diff --git a/mobsf/StaticAnalyzer/views/android/jar_aar.py b/mobsf/StaticAnalyzer/views/android/jar_aar.py
@@ -7,6 +7,7 @@
 
 import mobsf.MalwareAnalyzer.views.Trackers as Trackers
 import mobsf.MalwareAnalyzer.views.VirusTotal as VirusTotal
+from mobsf.MalwareAnalyzer.views.android import permissions
 from mobsf.MobSF.utils import (
     file_size,
     print_n_send_error_response,
@@ -96,6 +97,12 @@ def common_analysis(request, app_dic, rescan, api, analysis_type):
                 '',
                 app_dic['app_dir'],
             )
+
+            # Malware Permission check
+            mal_perms = permissions.check_malware_permission(
+                man_data_dic['perm'])
+            man_an_dic['malware_permissions'] = mal_perms
+
             cert_dic = cert_info(
                 apk,
                 app_dic,
@@ -135,6 +142,7 @@ def common_analysis(request, app_dic, rescan, api, analysis_type):
                     'network_findings': [],
                     'network_summary': {},
                 },
+                'malware_permissions': {},
             }
             cert_dic = {
                 'certificate_info': '',

diff --git a/mobsf/StaticAnalyzer/views/android/rules/android_apis.yaml b/mobsf/StaticAnalyzer/views/android/rules/android_apis.yaml
@@ -465,3 +465,9 @@
   pattern: \@JavascriptInterface|\@android\.webkit\.JavascriptInterface
   input_case: exact
   severity: info
+- id: api_passkeys
+  message: Passkeys
+  type: Regex
+  pattern: CredentialManager\.create\(|GetPublicKeyCredentialOption\(|\.getAuthenticationResponseJson\(|CreatePublicKeyCredentialRequest\(
+  input_case: exact
+  severity: info
diff --git a/mobsf/StaticAnalyzer/views/android/so.py b/mobsf/StaticAnalyzer/views/android/so.py
@@ -81,6 +81,7 @@ def so_analysis(request, app_dic, rescan, api):
                 'network_findings': [],
                 'network_summary': {},
             },
+            'malware_permissions': {},
         }
         cert_dic = {
             'certificate_info': '',

diff --git a/mobsf/StaticAnalyzer/views/android/static_analyzer.py b/mobsf/StaticAnalyzer/views/android/static_analyzer.py
@@ -8,8 +8,11 @@
 
 import mobsf.MalwareAnalyzer.views.Trackers as Trackers
 import mobsf.MalwareAnalyzer.views.VirusTotal as VirusTotal
-from mobsf.MalwareAnalyzer.views.apkid import apkid_analysis
-from mobsf.MalwareAnalyzer.views.quark import quark_analysis
+from mobsf.MalwareAnalyzer.views.android import (
+    apkid,
+    permissions,
+    quark,
+)
 from mobsf.MalwareAnalyzer.views.MalwareDomainCheck import MalwareDomainCheck
 
 from django.conf import settings
@@ -222,6 +225,11 @@ def static_analyzer(request, checksum, api=False):
                     '',
                     app_dic['app_dir'],
                 )
+                # Malware Permission check
+                mal_perms = permissions.check_malware_permission(
+                    man_data_dic['perm'])
+                man_an_dic['malware_permissions'] = mal_perms
+
                 # Get icon
                 # apktool should run before this
                 get_icon_apk(apk, app_dic)
@@ -234,7 +242,7 @@ def static_analyzer(request, checksum, api=False):
                     apk,
                     app_dic,
                     man_data_dic)
-                apkid_results = apkid_analysis(app_dic[
+                apkid_results = apkid.apkid_analysis(app_dic[
                     'app_dir'], app_dic['app_path'], app_dic['app_name'])
                 tracker = Trackers.Trackers(
                     app_dic['app_dir'], app_dic['tools_dir'])
@@ -251,7 +259,7 @@ def static_analyzer(request, checksum, api=False):
                     app_dic['manifest_file'],
                     man_data_dic['perm'])
 
-                quark_results = quark_analysis(
+                quark_results = quark.quark_analysis(
                     app_dic['app_dir'],
                     app_dic['app_path'])
 
@@ -402,6 +410,12 @@ def static_analyzer(request, checksum, api=False):
                         pro_type,
                         app_dic['app_dir'],
                     )
+
+                    # Malware Permission check
+                    mal_perms = permissions.check_malware_permission(
+                        man_data_dic['perm'])
+                    man_an_dic['malware_permissions'] = mal_perms
+
                     # Get icon
                     get_icon_from_src(app_dic, man_data_dic['icons'])
 

diff --git a/mobsf/StaticAnalyzer/views/common/binary/lib_analysis.py b/mobsf/StaticAnalyzer/views/common/binary/lib_analysis.py
@@ -45,6 +45,8 @@ def library_analysis(src, checksum, arch):
         # Supports Static Library, Shared objects, Dynamic Library,
         # from APK, SO, AAR, JAR, IPA, DYLIB, and A
         for libfile in Path(src).rglob(ext):
+            if '__MACOSX' in libfile.as_posix():
+                continue
             rel_path = libfile.relative_to(base_dir).as_posix()
             logger.info('Analyzing %s', rel_path)
             if arch == 'ar':

diff --git a/mobsf/templates/general/about.html b/mobsf/templates/general/about.html
@@ -14,7 +14,7 @@
                 <h1>About Mobile Security Framework</h1>
 
                   <p class="lead">
-                  Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. MobSF support mobile app binaries (APK, XAPK, IPA & APPX) along with zipped source code and provides APIs for seamless integration with your CI/CD or DevSecOps pipeline. The Dynamic Analyzer helps you to perform runtime security assessment and interactive instrumented testing.
+                    Mobile Security Framework (MobSF) is a security research platform for mobile applications in Android, iOS and Windows Mobile. MobSF can be used for a variety of use cases such as mobile application security, penetration testing, malware analysis, and privacy analysis. The Static Analyzer supports popular mobile app binaries like APK, IPA, APPX and source code. Meanwhile, the Dynamic Analyzer supports both Android and iOS applications and offers a platform for interactive instrumented testing, runtime data and network traffic analysis. MobSF seamlessly integrates with your DevSecOps or CI/CD pipeline, facilitated by REST APIs and CLI tools, enhancing your security workflow with ease.
                  </p>
                   <p> <strong>Author:</strong> <a href="//twitter.com/ajinabraham">Ajin Abraham</a> </p>      
                   <h2>Active Collaborators</h2>