Merge pull request #9 from MobSF/master

June 2024 update

.github/workflows/mobsf-test.yml

@@ -12,7 +12,7 @@ jobs:
       fail-fast: false
       matrix:
         os: [ubuntu-22.04, macos-latest, windows-latest]
-        python-version: [3.9, '3.10', '3.11']
+        python-version: ['3.10', '3.11']
 
     runs-on: ${{ matrix.os }}
     steps:

.sonarcloud.properties

@@ -1,4 +1,4 @@
 sonar.sources=.
 sonar.exclusions=mobsf/static/**/*,mobsf/templates/**/*
 sonar.sourceEncoding=UTF-8
-sonar.python.version=3.7, 3.8, 3.9, 3.10, 3.11
+sonar.python.version=3.10, 3.11

Dockerfile

@@ -32,8 +32,10 @@ RUN apt update -y && apt install -y  --no-install-recommends \
     curl \
     git \
     jq \
+    unzip \
     android-tools-adb && \
-    locale-gen en_US.UTF-8 
+    locale-gen en_US.UTF-8 && \
+    apt upgrade -y
 
 ENV MOBSF_USER=mobsf \
     MOBSF_PLATFORM=docker \

README.md

@@ -1,20 +1,19 @@
 # Mobile Security Framework (MobSF)
-Version: v3.7 beta
+Version: v3.9 beta
 
 ![](https://cloud.githubusercontent.com/assets/4301109/20019521/cc61f7fc-a2f2-11e6-95f3-407030d9fdde.png)
 
-Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. MobSF supports mobile app binaries (APK, XAPK, IPA & APPX) along with zipped source code and provides REST APIs for seamless integration with your CI/CD or DevSecOps pipeline.The Dynamic Analyzer helps you to perform runtime security assessment and interactive instrumented testing.
+Mobile Security Framework (MobSF) is a security research platform for mobile applications in Android, iOS and Windows Mobile. MobSF can be used for a variety of use cases such as mobile application security, penetration testing, malware analysis, and privacy analysis. The Static Analyzer supports popular mobile app binaries like APK, IPA, APPX and source code. Meanwhile, the Dynamic Analyzer supports both Android and iOS applications and offers a platform for interactive instrumented testing, runtime data and network traffic analysis. MobSF seamlessly integrates with your DevSecOps or CI/CD pipeline, facilitated by REST APIs and CLI tools, enhancing your security workflow with ease.
 
 Made with ![Love](https://cloud.githubusercontent.com/assets/4301109/16754758/82e3a63c-4813-11e6-9430-6015d98aeaab.png) in India
 
-[![python](https://img.shields.io/badge/python-3.9+-blue.svg?logo=python&labelColor=yellow)](https://www.python.org/downloads/)
+[![python](https://img.shields.io/badge/python-3.10+-blue.svg?logo=python&labelColor=yellow)](https://www.python.org/downloads/)
 [![PyPI version](https://badge.fury.io/py/mobsf.svg)](https://badge.fury.io/py/mobsf)
 [![platform](https://img.shields.io/badge/platform-osx%2Flinux%2Fwindows-green.svg)](https://github.com/MobSF/Mobile-Security-Framework-MobSF/)
 [![License](https://img.shields.io/:license-GPL--3.0--only-blue.svg)](https://www.gnu.org/licenses/gpl-3.0.html)
 [![Docker Pulls](https://img.shields.io/docker/pulls/opensecurity/mobile-security-framework-mobsf?style=social)](https://hub.docker.com/r/opensecurity/mobile-security-framework-mobsf/)
 
 [![MobSF tests](https://github.com/MobSF/Mobile-Security-Framework-MobSF/workflows/MobSF%20tests/badge.svg?branch=master)](https://github.com/MobSF/Mobile-Security-Framework-MobSF/actions)
-[![Requirements Status](https://pyup.io/repos/github/MobSF/Mobile-Security-Framework-MobSF/shield.svg)](https://pyup.io/repos/github/MobSF/Mobile-Security-Framework-MobSF/)
 [![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=MobSF_Mobile-Security-Framework-MobSF&metric=alert_status)](https://sonarcloud.io/dashboard?id=MobSF_Mobile-Security-Framework-MobSF)
 ![GitHub closed issues](https://img.shields.io/github/issues-closed/MobSF/Mobile-Security-Framework-MobSF)
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/6392/badge)](https://bestpractices.coreinfrastructure.org/projects/6392)
@@ -24,16 +23,18 @@ Made with ![Love](https://cloud.githubusercontent.com/assets/4301109/16754758/82
 [![ToolsWatch Best Security Tools 2017](https://img.shields.io/badge/ToolsWatch-Rank%209%20%7C%20Year%202017-red.svg)](http://www.toolswatch.org/2018/01/black-hat-arsenal-top-10-security-tools/)
 [![Blackhat Arsenal Asia 2015](https://img.shields.io/badge/Black%20Hat%20Arsenal-Asia%202015-blue.svg)](https://www.blackhat.com/asia-15/arsenal.html#yso-mobile-security-framework)
 [![Blackhat Arsenal Asia 2018](https://img.shields.io/badge/Black%20Hat%20Arsenal-Asia%202018-blue.svg)](https://www.blackhat.com/asia-18/arsenal.html#mobile-security-framework-mobsf)
+[![Blackhat Arsenal Europe 2023](https://img.shields.io/badge/Black%20Hat%20Arsenal-Europe%202023-blue.svg)](https://www.blackhat.com/eu-23/arsenal/schedule/index.html#mobile-security-framework---mobsf-35327)
+
 
 MobSF is also bundled with [Android Tamer](https://tamerplatform.com), [BlackArch](https://blackarch.org/mobile.html) and [Pentoo](https://www.pentoo.ch/).
 
-## Support MobSF
+### Support MobSF
 
 [![Donate to MobSF](https://user-images.githubusercontent.com/4301109/117404264-7aab5480-aebe-11eb-9cbd-da82d7346bb3.png)](https://opensecurity.in/donate)
 
 If you liked MobSF and find it useful, please consider donating.
 
-*It's easy to build open source, try maintaining a project once. Long live open source!*
+*It's easy to build open source, maintaining one is a different story. Long live open source!*
 
 ## Documentation
 
@@ -80,21 +81,21 @@ docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:la
 
 ![mobsf_android_static_analysis](https://user-images.githubusercontent.com/4301109/95506503-f9b6c980-097d-11eb-803a-f88321e1feb7.gif)
 
-### Static Analysis - Android Source Tree-view
-
-![mobsf_android_static_analysis_tree_view](https://user-images.githubusercontent.com/6709304/101240296-1578ea80-36f7-11eb-810a-3827f238c231.gif)
-
 ### Static Analysis - iOS
 
 ![mobsf_ios_ipa_static_analysis](https://user-images.githubusercontent.com/4301109/95507865-16540100-0980-11eb-9e4d-887668d46969.gif)
 
 ### Dynamic Analysis - Android APK
 
-![mobsf_dynamic_analysis](https://user-images.githubusercontent.com/4301109/95514697-5e782100-098a-11eb-8390-47bb3822a2d7.gif)
+![mobsf_android_dynamic_analysis](https://user-images.githubusercontent.com/4301109/95514697-5e782100-098a-11eb-8390-47bb3822a2d7.gif)
 
 ### Web API Viewer
 
-![ mobsf_web_api_fuzzing_with_burp](https://user-images.githubusercontent.com/4301109/95516560-69808080-098d-11eb-9e0b-fb5a25e96585.gif)
+![mobsf_web_api_fuzzing_with_burp](https://user-images.githubusercontent.com/4301109/95516560-69808080-098d-11eb-9e0b-fb5a25e96585.gif)
+
+### Dynamic Analysis - iOS IPA
+
+![mobsf_ios_dynamic_analysis](https://github.com/MobSF/Mobile-Security-Framework-MobSF/assets/4301109/34014c4d-1535-48ad-9944-a4b1b728a030)
 
 ## Past Collaborators
 

mobsf/DynamicAnalyzer/forms.py

@@ -0,0 +1,6 @@
+"""File upload to iOS form."""
+from django import forms
+
+
+class UploadFileForm(forms.Form):
+    file = forms.FileField()

mobsf/DynamicAnalyzer/tools/apk_patcher.py

@@ -89,7 +89,10 @@ def download_frida_gadget(self, frida_arch, aarch, version):
             if not url:
                 return None
             logger.info('Downloading frida-gadget %s', fgadget)
-            with requests.get(url, stream=True) as r:
+            with requests.get(url,
+                              stream=True,
+                              proxies=proxies,
+                              verify=verify) as r:
                 with LZMAFile(r.raw) as f:
                     with open(gadget_bin, 'wb') as flip:
                         copyfileobj(f, flip)

mobsf/DynamicAnalyzer/tools/frida_scripts/android/auxiliary/string_compare.js

@@ -0,0 +1,37 @@
+//String comparison
+Java.perform(function () {
+    send('[AUXILIARY] [String Compare] capturing all string comparisons')
+    let Exception = Java.use('java.lang.Exception');
+    let javaString = Java.use('java.lang.String')
+    let objectClass = 'java.lang.Object';
+    var skiplist = ['android.app.SystemServiceRegistry.getSystemService']
+    javaString.equals.overload(objectClass).implementation = function (obj) {
+        var response = javaString.equals.overload(objectClass).call(this, obj);
+        if (obj && obj.toString().length > 5) {
+           var stack = [];
+           var calledFrom = Exception.$new().getStackTrace().toString().split(',');
+           // Otherwise capture string comparisons
+           let i = 0;
+           do {
+                i = i + 1;
+                stack.push(calledFrom[i]);
+            } while (i <= 5);
+            var skipClass, skipMethod = false;
+            skiplist.forEach(function (toSkip) {
+                if (calledFrom[4].includes(toSkip))
+                    skipClass = true;
+           });
+           if (!skipClass) {
+                var data = {
+                caller: stack,
+                string1: javaString.toString.call(this),
+                string2: obj.toString(),
+                return: response,
+                }
+                send('[AUXILIARY] [String Compare] ' + JSON.stringify(data, null, 2));
+           }
+        }
+        return response;
+    }
+ });
+

mobsf/DynamicAnalyzer/tools/frida_scripts/android/default/debugger_check_bypass.js

@@ -0,0 +1,198 @@
+Java.perform(function () {
+    try {
+        // Bypass isDebuggerConnected() check 
+        var Debug = Java.use('android.os.Debug');
+        Debug.isDebuggerConnected.implementation = function () {
+            send('[Debugger Check] isDebuggerConnected() check bypassed');
+            return false;
+        }
+    } catch(e){}
+});
+ // Following are based on: https://github.com/apkunpacker/FridaScripts
+try {
+    /* Bypass Frida Detection Based On Port Number */
+    Interceptor.attach(Module.findExportByName("libc.so", "connect"), {
+        onEnter: function(args) {
+            var memory = Memory.readByteArray(args[1], 64);
+            var b = new Uint8Array(memory);
+            if (b[2] == 0x69 && b[3] == 0xa2 && b[4] == 0x7f && b[5] == 0x00 && b[6] == 0x00 && b[7] == 0x01) {
+                this.frida_detection = true;
+            }
+        },
+        onLeave: function(retval) {
+            if (this.frida_detection) {
+                send("[Debugger Check] Frida Port detection bypassed");
+                retval.replace(-1);
+            }
+        }
+    });
+} catch(e){}
+try {
+    Interceptor.attach(Module.findExportByName(null, "connect"), {
+        onEnter: function(args) {
+            var family = Memory.readU16(args[1]);
+            if (family !== 2) {
+                return
+            }
+            var port = Memory.readU16(args[1].add(2));
+            port = ((port & 0xff) << 8) | (port >> 8);
+            if (port === 27042) {
+                send('[Debugger Check] Frida Port detection bypassed');
+                Memory.writeU16(args[1].add(2), 0x0101);
+            }
+        }
+    });
+} catch(e){}
+try {
+    /* Bypass TracerPid Detection Based On Pid Status */
+    var fgetsPtr = Module.findExportByName("libc.so", "fgets");
+    var fgets = new NativeFunction(fgetsPtr, 'pointer', ['pointer', 'int', 'pointer']);
+    Interceptor.replace(fgetsPtr, new NativeCallback(function(buffer, size, fp) {
+        var retval = fgets(buffer, size, fp);
+        var bufstr = Memory.readUtf8String(buffer);
+        if (bufstr.indexOf("TracerPid:") > -1) {
+            Memory.writeUtf8String(buffer, "TracerPid:\t0");
+            send("[Debugger Check] TracerPID check bypassed");
+        }
+        return retval;
+    }, 'pointer', ['pointer', 'int', 'pointer']))
+} catch(e){}
+
+try {
+    /* Bypass Ptrace Checks */
+    Interceptor.attach(Module.findExportByName(null, "ptrace"), {
+        onEnter: function(args) {},
+        onLeave: function(retval) {
+            send("[Debugger Check] Ptrace check bypassed");
+            retval.replace(0);
+        }
+    })
+} catch(e){}
+
+try {
+    /* Watch Child Process Forking */
+    var fork = Module.findExportByName(null, "fork")
+    Interceptor.attach(fork, {
+        onEnter: function(args) {},
+        onLeave: function(retval) {
+            var pid = parseInt(retval.toString(16), 16)
+            send("[Debugger Check] Hook fork child process PID: " + pid)
+        }
+    })
+} catch(e){}
+
+
+/* Xposed Detection Bypass */
+Java.perform(function() {
+    try {
+        var cont = Java.use("java.lang.String");
+        cont.contains.overload("java.lang.CharSequence").implementation = function(checks) {
+            var check = checks.toString();
+            if (check.indexOf("libdexposed") >= 0 || check.indexOf("libsubstrate.so") >= 0 || check.indexOf("libepic.so") >= 0 || check.indexOf("libxposed") >= 0) {
+                var BypassCheck = "libpkmkb.so";
+                send("[Debugger Check] Xposed library check bypassed");
+                return this.contains.call(this, BypassCheck);
+            }
+            return this.contains.call(this, checks);
+        }
+    } catch (erro) {
+        console.error(erro);
+    }
+    try {
+        var StacktraceEle = Java.use("java.lang.StackTraceElement");
+        StacktraceEle.getClassName.overload().implementation = function() {
+            var Flag = false;
+            var ClazzName = this.getClassName();
+            if (ClazzName.indexOf("com.saurik.substrate.MS$2") >= 0 || ClazzName.indexOf("de.robv.android.xposed.XposedBridge") >= 0) {
+                send("[Debugger Check] Debugger detection check bypassed for class: " + this.getClassName());
+                Flag = true;
+                if (Flag) {
+                    var StacktraceEle = Java.use("java.lang.StackTraceElement");
+                    StacktraceEle.getClassName.overload().implementation = function() {
+                        var gMN = this.getMethodName();
+                        if (gMN.indexOf("handleHookedMethod") >= 0 || gMN.indexOf("invoked") >= 0) {
+                            send("[Debugger Check] Debugger detection check bypassed for method: " + this.getMethodName());
+                            return "bye.pass";
+                        }
+                        return this.getMethodName();
+                    }
+                }
+                return "com.android.vending"
+            }
+            return this.getClassName();
+        }
+    } catch (errr) {
+        console.error(errr);
+    }
+})
+/* VPN Related Checks */
+Java.perform(function() {
+    var NInterface = Java.use("java.net.NetworkInterface");
+    try {
+        var NInterface = Java.use("java.net.NetworkInterface");
+        NInterface.getName.overload().implementation = function() {
+            var IName = this.getName();
+            if (IName == "tun0" || IName == "ppp0" || IName == "p2p0" || IName == "ccmni0" || IName == "tun") {
+                send("[Debugger Check] Bypassed Network Interface name check: " + JSON.stringify(this.getName()));
+                return "Bypass";
+            }
+            return this.getName();
+        }
+    } catch (err) {
+        console.error(err);
+    }
+    // HTTP(s) Proxy check
+    try {
+        var GetProperty = Java.use("java.lang.System");
+        GetProperty.getProperty.overload("java.lang.String").implementation = function(getprop) {
+            if (getprop.indexOf("http.proxyHost") >= 0 || getprop.indexOf("http.proxyPort") >= 0) {
+                var newprop = "CKMKB"
+                send("[Debugger Check] HTTP(s) proxy check bypassed")
+                return this.getProperty.call(this, newprop);
+            }
+            return this.getProperty(getprop);
+        }
+    } catch (err) {
+        console.error(err);
+    }
+    // NetworkCapabilities check
+    try {
+        var NCap = Java.use("android.net.NetworkCapabilities");
+        NCap.hasTransport.overload("int").implementation = function(values) {
+            if (values == 4){
+                send("[Debugger Check] HasTransportcheck bypassed")
+                return false;
+            } else
+                return this.hasTransport(values);
+        }
+    } catch (e) {
+        console.error(e);
+    }
+})
+/* Developer Mod Check Bypass */
+Java.perform(function() {
+    try{
+        var SSecure = Java.use("android.provider.Settings$Secure");
+        SSecure.getStringForUser.overload('android.content.ContentResolver', 'java.lang.String', 'int').implementation = function(Content, Name, Flag) {
+            if (Name.indexOf("development_settings_enabled") >= 0) {
+                send("[Debugger Check] Developer mode check bypassed for: " + Name)
+                return this.getStringForUser.call(this, Content, "bypassed", Flag);
+            }
+            return this.getStringForUser(Content, Name, Flag);
+        }
+    } catch(e){}
+})
+
+/* Playstore install source check */
+Java.perform(function() {
+    try{
+        var Installer = Java.use("android.app.ApplicationPackageManager");
+        Installer.getInstallerPackageName.overload('java.lang.String').implementation = function(Str) {
+            var playPkg = "com.android.vending";
+            if (Str.toString().indexOf(playPkg) < 0) {
+                send("[Debugger Check] Play Store install source check bypassed. Original value: "+ Str.toString());
+                return playPkg;
+            }
+        }
+    } catch(e){}
+})