From 67e8d46918f3184d9ff5b65208734749f7b3dacc Mon Sep 17 00:00:00 2001 From: Nick Lupien Date: Tue, 7 Jan 2025 04:32:08 -0500 Subject: [PATCH 1/2] Fix false positives caused in Android manifest analysis --- .../views/android/manifest_analysis.py | 22 ++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/mobsf/StaticAnalyzer/views/android/manifest_analysis.py b/mobsf/StaticAnalyzer/views/android/manifest_analysis.py index 2d9a56f94..ccd3a7366 100755 --- a/mobsf/StaticAnalyzer/views/android/manifest_analysis.py +++ b/mobsf/StaticAnalyzer/views/android/manifest_analysis.py @@ -82,6 +82,15 @@ def assetlinks_check(act_name, well_knowns): return findings +def is_tls_redirect(url_from: str, url_to: str): + """Check if redirect is a simple TLS (i.e. safe) upgrade.""" + if not url_from.startswith("http://") or not url_to.startswith("https://"): + return False + + if url_from[7:] == url_to[8:]: + return True + + def _check_url(host, w_url): try: iden = 'sha256_cert_fingerprints' @@ -96,9 +105,16 @@ def _check_url(host, w_url): verify=verify) status_code = r.status_code - if status_code == 302: - logger.warning('302 Redirect detected, skipping check') - status = False + if status_code in (301, 302): + redirect_url = r.headers.get('Location') + + # recurse (redirect) only if redirect URL is a simple TLS upgrade + if redirect_url and is_tls_redirect(w_url, redirect_url): + logger.info(f'{status_code} Redirect detected (TLS upgrade) || From: {w_url} || To: {redirect_url}') + return _check_url(host, redirect_url) + else: + logger.warning(f'{status_code} Redirect detected || From: {w_url} || To: {redirect_url}') + status = False if (str(status_code).startswith('2') and iden in str(r.json())): status = True From 3527433e48153ce76d5c4da6e20c21f58969dc7d Mon Sep 17 00:00:00 2001 
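Review bot: `is_tls_redirect` compares the scheme prefix and the rest of the URL as exact, case-sensitive strings, so a `Location` of `HTTPS://Example.com/.well-known/assetlinks.json` answering a request to `http://example.com/.well-known/assetlinks.json` is rejected even though scheme and host are case-insensitive per RFC 3986, and that redirect is then reported as a failure — the very false positive this commit sets out to remove. Comparing parsed components is more robust; `urlsplit` from `urllib.parse` does it without a new dependency, though whether the file already imports it is not visible in this hunk. The strict rule still refuses any redirect that changes host, path or query, which is what keeps following it safe, and it also refuses a redirect that merely drops an explicit `:80` port — probably acceptable, but worth stating in the docstring. Rewritten helper below.
```python
def is_tls_redirect(url_from: str, url_to: str) -> bool:
    """Return True only for an http -> https redirect to the identical host, path and query."""
    src, dst = urlsplit(url_from), urlsplit(url_to)
    if src.scheme.lower() != 'http' or dst.scheme.lower() != 'https':
        return False
    return (src.netloc.lower() == dst.netloc.lower()
            and (src.path, src.query) == (dst.path, dst.query))
```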
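Review bot: Only 301 and 302 are recognised on the `if status_code in (301, 302):` line, so a server that upgrades to HTTPS with 307 or 308 (both common for permanent HTTPS redirects) still falls through to `status = False` and is reported as a failed assetlinks check — the same false positive the commit fixes for 301/302. Widening the tuple is a one-line change, `if status_code in (301, 302, 303, 307, 308):`, and stays safe because the helper restricts what is followed to an http→https upgrade of the identical URL. That restriction also bounds the recursion on `return _check_url(host, redirect_url)` to a single hop, since an https URL can never satisfy `is_tls_redirect` again; a comment such as `# bounded: an https target cannot pass is_tls_redirect a second time` would save the next reader that reasoning. The `Location` value interpolated into both log f-strings is server-controlled; the lazy form `logger.warning('%s Redirect detected || From: %s || To: %s', status_code, w_url, redirect_url)` is the logging idiom and avoids formatting when the level is disabled. `_check_url` starts and ends outside this hunk.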
From: Nick Lupien Date: Tue, 7 Jan 2025 05:25:12 -0500 Subject: [PATCH 2/2] Fix false positives caused in Android manifest analysis --- .../views/android/manifest_analysis.py | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/mobsf/StaticAnalyzer/views/android/manifest_analysis.py b/mobsf/StaticAnalyzer/views/android/manifest_analysis.py index ccd3a7366..25903f98c 100755 --- a/mobsf/StaticAnalyzer/views/android/manifest_analysis.py +++ b/mobsf/StaticAnalyzer/views/android/manifest_analysis.py @@ -86,9 +86,11 @@ def is_tls_redirect(url_from: str, url_to: str): """Check if redirect is a simple TLS (i.e. safe) upgrade.""" if not url_from.startswith("http://") or not url_to.startswith("https://"): return False - + if url_from[7:] == url_to[8:]: return True + else: + return False def _check_url(host, w_url): @@ -107,13 +109,15 @@ def _check_url(host, w_url): status_code = r.status_code if status_code in (301, 302): redirect_url = r.headers.get('Location') - + # recurse (redirect) only if redirect URL is a simple TLS upgrade if redirect_url and is_tls_redirect(w_url, redirect_url): - logger.info(f'{status_code} Redirect detected (TLS upgrade) || From: {w_url} || To: {redirect_url}') + logger.info( + f'{status_code} Redirect detected (TLS upgrade) || From: {w_url} || To: {redirect_url}') return _check_url(host, redirect_url) else: - logger.warning(f'{status_code} Redirect detected || From: {w_url} || To: {redirect_url}') + logger.warning( + f'{status_code} Redirect detected || From: {w_url} || To: {redirect_url}') status = False if (str(status_code).startswith('2') and iden in str(r.json())): status = True
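Review bot: The added `else: return False` makes the `if url_from[7:] == url_to[8:]` branch a four-line spelling of a boolean expression; `return url_from[7:] == url_to[8:]` says the same thing directly and removes the branch. With every path now returning a bool, the signature can carry the annotation, `def is_tls_redirect(url_from: str, url_to: str) -> bool:`. The docstring's "simple TLS (i.e. safe) upgrade" would be clearer as "same host, path and query, with only the scheme changed from http to https", which is the property the caller relies on before following the redirect. The second hunk of this patch only re-wraps the two log lines.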