diff --git a/README.md b/README.md index 322416aba2..d735ce4b1b 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,5 @@ # Mobile Security Framework (MobSF) -Version: v3.8 beta +Version: v3.9 beta ![](https://cloud.githubusercontent.com/assets/4301109/20019521/cc61f7fc-a2f2-11e6-95f3-407030d9fdde.png) @@ -28,13 +28,13 @@ Made with ![Love](https://cloud.githubusercontent.com/assets/4301109/16754758/82 MobSF is also bundled with [Android Tamer](https://tamerplatform.com), [BlackArch](https://blackarch.org/mobile.html) and [Pentoo](https://www.pentoo.ch/). -## Support MobSF +### Support MobSF [![Donate to MobSF](https://user-images.githubusercontent.com/4301109/117404264-7aab5480-aebe-11eb-9cbd-da82d7346bb3.png)](https://opensecurity.in/donate) If you liked MobSF and find it useful, please consider donating. -*It's easy to build open source, maintaining one is a different another story. Long live open source!* +*It's easy to build open source, maintaining one is a different story. Long live open source!* ## Documentation @@ -87,11 +87,15 @@ docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:la ### Dynamic Analysis - Android APK -![mobsf_dynamic_analysis](https://user-images.githubusercontent.com/4301109/95514697-5e782100-098a-11eb-8390-47bb3822a2d7.gif) +![mobsf_android_dynamic_analysis](https://user-images.githubusercontent.com/4301109/95514697-5e782100-098a-11eb-8390-47bb3822a2d7.gif) ### Web API Viewer -![ mobsf_web_api_fuzzing_with_burp](https://user-images.githubusercontent.com/4301109/95516560-69808080-098d-11eb-9e0b-fb5a25e96585.gif) +![mobsf_web_api_fuzzing_with_burp](https://user-images.githubusercontent.com/4301109/95516560-69808080-098d-11eb-9e0b-fb5a25e96585.gif) + +### Dynamic Analysis - iOS IPA + +![mobsf_ios_dynamic_analysis](https://github.com/MobSF/Mobile-Security-Framework-MobSF/assets/4301109/34014c4d-1535-48ad-9944-a4b1b728a030) ## Past Collaborators diff --git a/mobsf/MalwareAnalyzer/views/apkid.py b/mobsf/MalwareAnalyzer/views/android/apkid.py similarity index 100% rename from mobsf/MalwareAnalyzer/views/apkid.py rename to mobsf/MalwareAnalyzer/views/android/apkid.py diff --git a/mobsf/MalwareAnalyzer/views/android/permissions.py b/mobsf/MalwareAnalyzer/views/android/permissions.py new file mode 100644 index 0000000000..137813e51c --- /dev/null +++ b/mobsf/MalwareAnalyzer/views/android/permissions.py @@ -0,0 +1,100 @@ +# -*- coding: utf_8 -*- +# Check against most common malware permissions. +import logging + + +TOP_MALWARE_PERMISSIONS = [ + 'android.permission.ACCEPT_HANDOVER', + 'android.permission.ACCESS_COARSE_LOCATION', + 'android.permission.ACCESS_FINE_LOCATION', + 'android.permission.ACCESS_NETWORK_STATE', + 'android.permission.CAMERA', + 'android.permission.GET_ACCOUNTS', + 'android.permission.GET_TASKS', + 'android.permission.INTERNET', + 'android.permission.SET_WALLPAPER', + 'android.permission.WRITE_SETTINGS', + 'android.permission.READ_SMS', + 'android.permission.SEND_SMS', + 'android.permission.RECEIVE_SMS', + 'android.permission.READ_CALL_LOG', + 'android.permission.READ_CONTACTS', + 'android.permission.RECORD_AUDIO', + 'android.permission.ACCESS_WIFI_STATE', + 'android.permission.READ_PHONE_STATE', + 'android.permission.RECEIVE_BOOT_COMPLETED', + 'android.permission.SYSTEM_ALERT_WINDOW', + 'android.permission.WAKE_LOCK', + 'android.permission.WRITE_EXTERNAL_STORAGE', + 'android.permission.READ_EXTERNAL_STORAGE', + 'android.permission.VIBRATE', +] +OTHER_PERMISSIONS = [ + 'android.permission.ACCESS_BACKGROUND_LOCATION', + 'android.permission.ACCESS_CHECKIN_PROPERTIES', + 'android.permission.ACCESS_LOCATION_EXTRA_COMMANDS', + 'android.permission.ACCESS_MOCK_LOCATION', + 'android.permission.ACCESS_NOTIFICATION_POLICY', + 'android.permission.ACCESS_SUPERUSER', + 'android.permission.ACCESS_SURFACE_FLINGER', + 'android.permission.ACCOUNT_MANAGER', + 'android.permission.ACTIVITY_RECOGNITION', + 'android.permission.AUTHENTICATE_ACCOUNTS', + 'android.permission.BATTERY_STATS', + 'android.permission.BIND_APPWIDGET', + 'android.permission.BIND_DEVICE_ADMIN', + 'android.permission.BIND_INPUT_METHOD', + 'android.permission.BIND_REMOTEVIEWS', + 'android.permission.BIND_WALLPAPER', + 'android.permission.BLUETOOTH', + 'android.permission.BLUETOOTH_ADMIN', + 'android.permission.BRICK', + 'android.permission.BROADCAST_PACKAGE_REMOVED', + 'android.permission.BROADCAST_SMS', + 'android.permission.BROADCAST_STICKY', + 'android.permission.BROADCAST_WAP_PUSH', + 'android.permission.CALL_PHONE', + 'android.permission.CHANGE_NETWORK_STATE', + 'android.permission.CHANGE_WIFI_STATE', + 'android.permission.DIAGNOSTIC', + 'android.permission.FLASHLIGHT', + 'android.permission.FORCE_STOP_PACKAGES', + 'android.permission.FOREGROUND_SERVICE', + 'android.permission.GET_ACCOUNTS_PRIVELEGED', + 'android.permission.MODIFY_AUDIO_SETTINGS', + 'android.permission.MOUNT_FORMAT_FILESYSTEMS', + 'android.permission.PROCESS_OUTGOING_CALLS', + 'android.permission.READ_CALENDAR', + 'android.permission.PACKAGE_USAGE_STATS', + 'android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS', + 'android.permission.REQUEST_INSTALL_PACKAGES', + 'android.permission.WRITE_CONTACTS', + 'android.permission.WRITE_SMS', + 'com.android.launcher.permission.INSTALL_SHORTCUT', + 'com.google.android.c2dm.permission.RECEIVE', + 'com.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE', + 'com.google.android.gms.permission.ACTIVITY_RECOGNITION', + 'com.google.android.gms.permission.AD_ID', +] + + +logger = logging.getLogger(__name__) + + +def check_malware_permission(perms): + """Check against most common malware permissions.""" + logger.info('Checking for Malware Permissions') + malware_perms = [] + other_perms = [] + for permission in perms: + if permission in TOP_MALWARE_PERMISSIONS: + malware_perms.append(permission) + if permission in OTHER_PERMISSIONS: + other_perms.append(permission) + data = { + 'top_malware_permissions': malware_perms, + 'other_abused_permissions': other_perms, + 'total_malware_permissions': len(TOP_MALWARE_PERMISSIONS), + 'total_other_permissions': len(OTHER_PERMISSIONS), + } + return data diff --git a/mobsf/MalwareAnalyzer/views/quark.py b/mobsf/MalwareAnalyzer/views/android/quark.py similarity index 100% rename from mobsf/MalwareAnalyzer/views/quark.py rename to mobsf/MalwareAnalyzer/views/android/quark.py diff --git a/mobsf/MobSF/init.py b/mobsf/MobSF/init.py index f705369686..0d331b83df 100644 --- a/mobsf/MobSF/init.py +++ b/mobsf/MobSF/init.py @@ -10,13 +10,13 @@ logger = logging.getLogger(__name__) -VERSION = '3.8.9' +VERSION = '3.9.0' BANNER = """ - __ __ _ ____ _____ _____ ___ - | \/ | ___ | |__/ ___|| ___|_ _|___ / ( _ ) - | |\/| |/ _ \| '_ \___ \| |_ \ \ / / |_ \ / _ \ - | | | | (_) | |_) |__) | _| \ V / ___) | (_) | - |_| |_|\___/|_.__/____/|_| \_/ |____(_)___/ + __ __ _ ____ _____ _____ ___ + | \/ | ___ | |__/ ___|| ___|_ _|___ // _ \ + | |\/| |/ _ \| '_ \___ \| |_ \ \ / / |_ \ (_) | + | | | | (_) | |_) |__) | _| \ V / ___) \__, | + |_| |_|\___/|_.__/____/|_| \_/ |____(_)/_/ """ # noqa: W291 # ASCII Font: Standard diff --git a/mobsf/MobSF/settings.py b/mobsf/MobSF/settings.py index c53b219634..ea0c88cb9c 100644 --- a/mobsf/MobSF/settings.py +++ b/mobsf/MobSF/settings.py @@ -334,6 +334,8 @@ CVSS_SCORE_ENABLED = bool(os.getenv('MOBSF_CVSS_SCORE_ENABLED', '')) # NIAP Scan NIAP_ENABLED = os.getenv('MOBSF_NIAP_ENABLED', '') + # Permission to Code Mapping + PERM_MAPPING_ENABLED = os.getenv('MOBSF_PERM_MAPPING_ENABLED', '1') # Dex 2 Smali Conversion DEX2SMALI_ENABLED = os.getenv('MOBSF_DEX2SMALI_ENABLED', '1') # Android Shared Object Binary Analysis diff --git a/mobsf/MobSF/utils.py b/mobsf/MobSF/utils.py index 52848aa55f..7b4dd8f661 100755 --- a/mobsf/MobSF/utils.py +++ b/mobsf/MobSF/utils.py @@ -101,17 +101,22 @@ def print_version(): """Print MobSF Version.""" logger.info(settings.BANNER) ver = settings.MOBSF_VER + logger.info('Author: Ajin Abraham | opensecurity.in') if platform.system() == 'Windows': logger.info('Mobile Security Framework %s', ver) print('REST API Key: ' + api_key()) else: logger.info('\033[1m\033[34mMobile Security Framework %s\033[0m', ver) print('REST API Key: ' + Color.BOLD + api_key() + Color.END) - logger.info('OS: %s', platform.system()) - logger.info('Platform: %s', platform.platform()) - dist = ' '.join(distro.linux_distribution(full_distribution_name=False)) - if dist.strip(): - logger.info('Dist: %s', dist) + os = platform.system() + pltfm = platform.platform() + dist = ' '.join(distro.linux_distribution( + full_distribution_name=False)).strip() + dst_str = ' ' + if dist: + dst_str = f' ({dist}) ' + env_str = f'OS Environment: {os}{dst_str}{pltfm}' + logger.info(env_str) find_java_binary() check_basic_env() thread = threading.Thread(target=check_update, name='check_update') diff --git a/mobsf/StaticAnalyzer/models.py b/mobsf/StaticAnalyzer/models.py index ede4b1077f..76c5677bd5 100755 --- a/mobsf/StaticAnalyzer/models.py +++ b/mobsf/StaticAnalyzer/models.py @@ -39,6 +39,7 @@ class StaticAnalyzerAndroid(models.Model): VERSION_CODE = models.CharField(max_length=50, default='') ICON_PATH = models.TextField(default='') PERMISSIONS = models.TextField(default={}) + MALWARE_PERMISSIONS = models.TextField(default={}) CERTIFICATE_ANALYSIS = models.TextField(default={}) MANIFEST_ANALYSIS = models.TextField(default=[]) BINARY_ANALYSIS = models.TextField(default=[]) diff --git a/mobsf/StaticAnalyzer/views/android/code_analysis.py b/mobsf/StaticAnalyzer/views/android/code_analysis.py index 2b1cd702c0..58a0e0b396 100755 --- a/mobsf/StaticAnalyzer/views/android/code_analysis.py +++ b/mobsf/StaticAnalyzer/views/android/code_analysis.py @@ -13,6 +13,7 @@ from mobsf.MobSF.utils import ( filename_from_path, get_android_src_dir, + settings_enabled, ) from mobsf.StaticAnalyzer.views.common.shared_func import ( url_n_email_extract, @@ -28,6 +29,8 @@ def get_perm_rules(perm_rules, android_permissions): """Get applicablepermission rules.""" try: + if not settings_enabled('PERM_MAPPING_ENABLED'): + return None if not android_permissions: return None dynamic_rules = [] diff --git a/mobsf/StaticAnalyzer/views/android/db_interaction.py b/mobsf/StaticAnalyzer/views/android/db_interaction.py index 2d6c3885da..7bdf5a157b 100755 --- a/mobsf/StaticAnalyzer/views/android/db_interaction.py +++ b/mobsf/StaticAnalyzer/views/android/db_interaction.py @@ -57,6 +57,8 @@ def get_context_from_db_entry(db_entry: QuerySet) -> dict: 'version_code': db_entry[0].VERSION_CODE, 'icon_path': db_entry[0].ICON_PATH, 'permissions': python_dict(db_entry[0].PERMISSIONS), + 'malware_permissions': python_dict( + db_entry[0].MALWARE_PERMISSIONS), 'certificate_analysis': python_dict( db_entry[0].CERTIFICATE_ANALYSIS), 'manifest_analysis': manifest_analysis, @@ -130,6 +132,7 @@ def get_context_from_analysis(app_dic, 'icon_path': app_dic['icon_path'], 'certificate_analysis': cert_dic, 'permissions': man_an_dic['permissions'], + 'malware_permissions': man_an_dic['malware_permissions'], 'manifest_analysis': manifest_analysis, 'network_security': man_an_dic['network_security'], 'binary_analysis': bin_anal, @@ -193,6 +196,7 @@ def save_or_update(update_type, 'ICON_PATH': app_dic['icon_path'], 'CERTIFICATE_ANALYSIS': cert_dic, 'PERMISSIONS': man_an_dic['permissions'], + 'MALWARE_PERMISSIONS': man_an_dic['malware_permissions'], 'MANIFEST_ANALYSIS': man_an_dic['manifest_anal'], 'BINARY_ANALYSIS': bin_anal, 'FILE_ANALYSIS': app_dic['certz'], diff --git a/mobsf/StaticAnalyzer/views/android/jar_aar.py b/mobsf/StaticAnalyzer/views/android/jar_aar.py index 02bb7c047e..c5f1d7c675 100644 --- a/mobsf/StaticAnalyzer/views/android/jar_aar.py +++ b/mobsf/StaticAnalyzer/views/android/jar_aar.py @@ -7,6 +7,7 @@ import mobsf.MalwareAnalyzer.views.Trackers as Trackers import mobsf.MalwareAnalyzer.views.VirusTotal as VirusTotal +from mobsf.MalwareAnalyzer.views.android import permissions from mobsf.MobSF.utils import ( file_size, print_n_send_error_response, @@ -96,6 +97,12 @@ def common_analysis(request, app_dic, rescan, api, analysis_type): '', app_dic['app_dir'], ) + + # Malware Permission check + mal_perms = permissions.check_malware_permission( + man_data_dic['perm']) + man_an_dic['malware_permissions'] = mal_perms + cert_dic = cert_info( apk, app_dic, @@ -135,6 +142,7 @@ def common_analysis(request, app_dic, rescan, api, analysis_type): 'network_findings': [], 'network_summary': {}, }, + 'malware_permissions': {}, } cert_dic = { 'certificate_info': '', diff --git a/mobsf/StaticAnalyzer/views/android/rules/android_apis.yaml b/mobsf/StaticAnalyzer/views/android/rules/android_apis.yaml index aa447f417a..e080092d6f 100644 --- a/mobsf/StaticAnalyzer/views/android/rules/android_apis.yaml +++ b/mobsf/StaticAnalyzer/views/android/rules/android_apis.yaml @@ -465,3 +465,9 @@ pattern: \@JavascriptInterface|\@android\.webkit\.JavascriptInterface input_case: exact severity: info +- id: api_passkeys + message: Passkeys + type: Regex + pattern: CredentialManager\.create\(|GetPublicKeyCredentialOption\(|\.getAuthenticationResponseJson\(|CreatePublicKeyCredentialRequest\( + input_case: exact + severity: info diff --git a/mobsf/StaticAnalyzer/views/android/so.py b/mobsf/StaticAnalyzer/views/android/so.py index e1ce96a26a..76039be087 100644 --- a/mobsf/StaticAnalyzer/views/android/so.py +++ b/mobsf/StaticAnalyzer/views/android/so.py @@ -81,6 +81,7 @@ def so_analysis(request, app_dic, rescan, api): 'network_findings': [], 'network_summary': {}, }, + 'malware_permissions': {}, } cert_dic = { 'certificate_info': '', diff --git a/mobsf/StaticAnalyzer/views/android/static_analyzer.py b/mobsf/StaticAnalyzer/views/android/static_analyzer.py index fa1e001114..75aac08ee5 100755 --- a/mobsf/StaticAnalyzer/views/android/static_analyzer.py +++ b/mobsf/StaticAnalyzer/views/android/static_analyzer.py @@ -8,8 +8,11 @@ import mobsf.MalwareAnalyzer.views.Trackers as Trackers import mobsf.MalwareAnalyzer.views.VirusTotal as VirusTotal -from mobsf.MalwareAnalyzer.views.apkid import apkid_analysis -from mobsf.MalwareAnalyzer.views.quark import quark_analysis +from mobsf.MalwareAnalyzer.views.android import ( + apkid, + permissions, + quark, +) from mobsf.MalwareAnalyzer.views.MalwareDomainCheck import MalwareDomainCheck from django.conf import settings @@ -222,6 +225,11 @@ def static_analyzer(request, checksum, api=False): '', app_dic['app_dir'], ) + # Malware Permission check + mal_perms = permissions.check_malware_permission( + man_data_dic['perm']) + man_an_dic['malware_permissions'] = mal_perms + # Get icon # apktool should run before this get_icon_apk(apk, app_dic) @@ -234,7 +242,7 @@ def static_analyzer(request, checksum, api=False): apk, app_dic, man_data_dic) - apkid_results = apkid_analysis(app_dic[ + apkid_results = apkid.apkid_analysis(app_dic[ 'app_dir'], app_dic['app_path'], app_dic['app_name']) tracker = Trackers.Trackers( app_dic['app_dir'], app_dic['tools_dir']) @@ -251,7 +259,7 @@ def static_analyzer(request, checksum, api=False): app_dic['manifest_file'], man_data_dic['perm']) - quark_results = quark_analysis( + quark_results = quark.quark_analysis( app_dic['app_dir'], app_dic['app_path']) @@ -402,6 +410,12 @@ def static_analyzer(request, checksum, api=False): pro_type, app_dic['app_dir'], ) + + # Malware Permission check + mal_perms = permissions.check_malware_permission( + man_data_dic['perm']) + man_an_dic['malware_permissions'] = mal_perms + # Get icon get_icon_from_src(app_dic, man_data_dic['icons']) diff --git a/mobsf/StaticAnalyzer/views/common/binary/lib_analysis.py b/mobsf/StaticAnalyzer/views/common/binary/lib_analysis.py index 868d4ff052..3a37800169 100644 --- a/mobsf/StaticAnalyzer/views/common/binary/lib_analysis.py +++ b/mobsf/StaticAnalyzer/views/common/binary/lib_analysis.py @@ -45,6 +45,8 @@ def library_analysis(src, checksum, arch): # Supports Static Library, Shared objects, Dynamic Library, # from APK, SO, AAR, JAR, IPA, DYLIB, and A for libfile in Path(src).rglob(ext): + if '__MACOSX' in libfile.as_posix(): + continue rel_path = libfile.relative_to(base_dir).as_posix() logger.info('Analyzing %s', rel_path) if arch == 'ar': diff --git a/mobsf/templates/general/about.html b/mobsf/templates/general/about.html index 64b2ce9164..81f834cbba 100644 --- a/mobsf/templates/general/about.html +++ b/mobsf/templates/general/about.html @@ -14,7 +14,7 @@

About Mobile Security Framework

- Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. MobSF support mobile app binaries (APK, XAPK, IPA & APPX) along with zipped source code and provides APIs for seamless integration with your CI/CD or DevSecOps pipeline. The Dynamic Analyzer helps you to perform runtime security assessment and interactive instrumented testing. + Mobile Security Framework (MobSF) is a security research platform for mobile applications in Android, iOS and Windows Mobile. MobSF can be used for a variety of use cases such as mobile application security, penetration testing, malware analysis, and privacy analysis. The Static Analyzer supports popular mobile app binaries like APK, IPA, APPX and source code. Meanwhile, the Dynamic Analyzer supports both Android and iOS applications and offers a platform for interactive instrumented testing, runtime data and network traffic analysis. MobSF seamlessly integrates with your DevSecOps or CI/CD pipeline, facilitated by REST APIs and CLI tools, enhancing your security workflow with ease.

Author: Ajin Abraham

Active Collaborators

diff --git a/mobsf/templates/pdf/android_report.html b/mobsf/templates/pdf/android_report.html index ea05b820a5..a925260886 100755 --- a/mobsf/templates/pdf/android_report.html +++ b/mobsf/templates/pdf/android_report.html @@ -744,6 +744,45 @@

QUARK

{% endif %} --> + + {% if malware_permissions %} +

ABUSED PERMISSIONS

+ + + + + + + + + + + + + + + + + + + + + +
TYPEMATCHESPERMISSIONS
Malware Permissions{{ malware_permissions.top_malware_permissions | length}}/{{malware_permissions.total_malware_permissions}} + {{ malware_permissions.top_malware_permissions | join:", "}} +
Other Common Permissions{{ malware_permissions.other_abused_permissions | length}}/{{malware_permissions.total_other_permissions}} + {{ malware_permissions.other_abused_permissions | join:", "}} +
+
+

+

Malware Permissions:

Top permissions that are widely abused by known malware. +
+

Other Common Permissions:

Permissions that are commonly abused by known malware. +

+ {% endif %} + + + {% if domains %}

OFAC SANCTIONED COUNTRIES

This app may communicate with the following OFAC sanctioned list of countries.

diff --git a/mobsf/templates/static_analysis/android_binary_analysis.html b/mobsf/templates/static_analysis/android_binary_analysis.html index 62b46a2ccb..6c22b285cf 100755 --- a/mobsf/templates/static_analysis/android_binary_analysis.html +++ b/mobsf/templates/static_analysis/android_binary_analysis.html @@ -201,6 +201,12 @@ {% endif %} +
  • + + +

    Abused Permissions

    +     +
  • @@ -1556,6 +1562,7 @@
    {{ code_analysis.summary.suppressed }}
    +
    @@ -1738,6 +1745,64 @@
    {{ code_analysis.summary.suppressed }}
    {% endif %} + +
    +
    +
    +
    +
    +
    +

    + ABUSED PERMISSIONS +

    +
    + + {% if malware_permissions %} + +
    +
    +
    +
    + Top Malware Permissions + {{ malware_permissions.top_malware_permissions | length}}/{{malware_permissions.total_malware_permissions}} +
    +
    +
    + + {{ malware_permissions.top_malware_permissions | join:", "}} + +
    +
    +
    +
    + Other Common Permissions + {{ malware_permissions.other_abused_permissions | length}}/{{ malware_permissions.total_other_permissions}} +
    +
    +
    + + {{ malware_permissions.other_abused_permissions | join:", "}} + +
    +
    +
    +
    +
    +

    + Malware Permissions are the top permissions that are widely abused by known malware. +
    + Other Common Permissions are permissions that are commonly abused by known malware. +

    + {% endif %} +
    +
    +
    +
    + +
    +
    +
    +