MobSF · nick-lupien · Jan 7, 2025 · Jan 7, 2025
diff --git a/mobsf/StaticAnalyzer/views/android/manifest_analysis.py b/mobsf/StaticAnalyzer/views/android/manifest_analysis.py
@@ -82,6 +82,17 @@ def assetlinks_check(act_name, well_knowns):
     return findings
 
 
+def is_tls_redirect(url_from: str, url_to: str):
+    """Check if redirect is a simple TLS (i.e. safe) upgrade."""
+    if not url_from.startswith("http://") or not url_to.startswith("https://"):
+        return False
+
+    if url_from[7:] == url_to[8:]:
+        return True
+    else:
+        return False
+
+
 def _check_url(host, w_url):
     try:
         iden = 'sha256_cert_fingerprints'
@@ -96,9 +107,18 @@ def _check_url(host, w_url):
                          verify=verify)
 
         status_code = r.status_code
-        if status_code == 302:
-            logger.warning('302 Redirect detected, skipping check')
-            status = False
+        if status_code in (301, 302):
+            redirect_url = r.headers.get('Location')
+
+            # recurse (redirect) only if redirect URL is a simple TLS upgrade
+            if redirect_url and is_tls_redirect(w_url, redirect_url):
+                logger.info(
+                    f'{status_code} Redirect detected (TLS upgrade) || From: {w_url} || To: {redirect_url}')
+                return _check_url(host, redirect_url)
+            else:
+                logger.warning(
+                    f'{status_code} Redirect detected || From: {w_url} || To: {redirect_url}')
+                status = False
         if (str(status_code).startswith('2') and iden in str(r.json())):
             status = True