MobSF / Mobile-Security-Framework-MobSF

Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.
https://opensecurity.in
GNU General Public License v3.0

Using multithreading to improve code efficiency #2319

Closed ohyeah521 closed 8 months ago

ohyeah521 commented 9 months ago

Using multithreading to improve code efficiency

Describe the Pull Request

DESCRIBE THE DETAILS OF PULL REQUEST HERE

Checklist for PR

Additional Comments (if any)

DESCRIBE HERE

ajinabraham commented 8 months ago

Good idea, I will test this out.

ajinabraham commented 8 months ago

Also not related to this PR. But a bug that needs to be fixed in assetlinks check

Schemes: airbnb://, http://, https://,
Hosts: *.airbnb.at, *.airbnb.be, *.airbnb.ca, *.airbnb.cat, *.airbnb.ch, *.airbnb.cl, *.airbnb.co.cr, *.airbnb.co.id, *.airbnb.co.in, *.airbnb.co.kr, *.airbnb.co.nz, *.airbnb.co.uk, *.airbnb.co.ve, *.airbnb.com, *.airbnb.com.ar, *.airbnb.com.au, *.airbnb.com.bo, *.airbnb.com.br, *.airbnb.com.bz, *.airbnb.com.co, *.airbnb.com.ec, *.airbnb.com.gt, *.airbnb.com.hk, *.airbnb.com.hn, *.airbnb.com.mt, *.airbnb.com.my, *.airbnb.com.ni, *.airbnb.com.pa, *.airbnb.com.pe, *.airbnb.com.py, *.airbnb.com.sg, *.airbnb.com.sv, *.airbnb.com.tr, *.airbnb.com.tw, *.airbnb.cz, *.airbnb.de, *.airbnb.dk, *.airbnb.es, *.airbnb.fi, *.airbnb.fr, *.airbnb.gr, *.airbnb.gy, *.airbnb.hu, *.airbnb.ie, *.airbnb.is, *.airbnb.it, *.airbnb.jp, *.airbnb.mx, *.airbnb.nl, *.airbnb.no, *.airbnb.pl, *.airbnb.pt, *.airbnb.ru, *.airbnb.se,
Paths: /gift-credit/accept, /, /s,
Path Prefixes: /reservations, /home/itinerary, /inbox/help, /content/articles, /content/stories, /listings, /experiences, /manage-listing, /earlyaccess, /payments/book, /invite, /reservation, /reviews, /rooms, /s/, /threads, /users, /verify, /review_your_account, /wishlists, /z/q, /confirm_email, /users/set_password,

Skip asterisk during assetlink check.

False positive

App Link asset verification URL (http://*.airbnb.at/.well-known/assetlinks.json) not found or configured incorrectly. (Status Code: 0). App Links allow users to redirect from a web URL/email to the mobile app. If this file is missing or incorrectly configured for the App Link host/domain, a malicious app can hijack such URLs. This may lead to phishing attacks, leak sensitive data in the URI, such as PII, OAuth tokens, magic link/password reset tokens and more. You must verify the App Link domain by hosting the assetlinks.json file and enabling verification via [android:autoVerify="true"] in the Activity intent-filter.

Should check https://airbnb.at/.well-known/assetlinks.json instead. Also add this to
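
One way to implement the fix suggested in the comment above, as an added example (not MobSF's code and not part of this PR): strip the leading `*.` from App Link hosts, skip hosts that cannot be fetched, de-duplicate, and build HTTPS verification URLs. The function names and the sample host list are assumptions made for illustration.

```python
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/assetlinks.json"
WEB_SCHEMES = {"http", "https"}


def normalize_host(host):
    """Return the hostname to verify, or None if no single host can be fetched."""
    host = host.strip().rstrip(".").lower()
    if host.startswith("*."):
        host = host[2:]  # "*.airbnb.at" is verified at "airbnb.at"
    if not host or "*" in host:
        return None  # bare "*" or a wildcard elsewhere: report, do not request
    try:
        # Reject ports, paths, userinfo: anything that is not a plain hostname
        if urlsplit("https://" + host).hostname != host:
            return None
    except ValueError:
        return None
    return host


def assetlinks_urls(schemes, hosts):
    """Return (verification URLs, skipped hosts) for one intent-filter."""
    # Only web schemes take part in App Link verification; custom schemes
    # such as "airbnb://" are ignored.
    if not any(s.rstrip(":/").lower() in WEB_SCHEMES for s in schemes):
        return [], []
    urls, skipped = [], []
    for raw in hosts:
        host = normalize_host(raw)
        if host is None:
            skipped.append(raw)
            continue
        # The file is always fetched over HTTPS, even for http:// filters
        url = f"https://{host}{WELL_KNOWN}"
        if url not in urls:
            urls.append(url)
    return urls, skipped


# Constructed sample, modelled on the manifest values quoted above
SCHEMES = ["airbnb://", "http://", "https://"]
HOSTS = ["*.airbnb.at", "*.airbnb.co.uk", "airbnb.at", "*", "*.airbnb.at"]

if __name__ == "__main__":
    urls, skipped = assetlinks_urls(SCHEMES, HOSTS)
    print("\n".join(urls))
    print("skipped:", skipped)
```

Reporting the skipped hosts separately keeps an unverifiable entry such as a bare `*` visible in the findings instead of turning it into a failed request with status code 0.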

ohyeah521 commented 8 months ago

> Also not related to this PR. But a bug that needs to be fixed in assetlinks check
>
> Schemes: airbnb://, http://, https://,
> Hosts: *.airbnb.at, *.airbnb.be, *.airbnb.ca, *.airbnb.cat, *.airbnb.ch, *.airbnb.cl, *.airbnb.co.cr, *.airbnb.co.id, *.airbnb.co.in, *.airbnb.co.kr, *.airbnb.co.nz, *.airbnb.co.uk, *.airbnb.co.ve, *.airbnb.com, *.airbnb.com.ar, *.airbnb.com.au, *.airbnb.com.bo, *.airbnb.com.br, *.airbnb.com.bz, *.airbnb.com.co, *.airbnb.com.ec, *.airbnb.com.gt, *.airbnb.com.hk, *.airbnb.com.hn, *.airbnb.com.mt, *.airbnb.com.my, *.airbnb.com.ni, *.airbnb.com.pa, *.airbnb.com.pe, *.airbnb.com.py, *.airbnb.com.sg, *.airbnb.com.sv, *.airbnb.com.tr, *.airbnb.com.tw, *.airbnb.cz, *.airbnb.de, *.airbnb.dk, *.airbnb.es, *.airbnb.fi, *.airbnb.fr, *.airbnb.gr, *.airbnb.gy, *.airbnb.hu, *.airbnb.ie, *.airbnb.is, *.airbnb.it, *.airbnb.jp, *.airbnb.mx, *.airbnb.nl, *.airbnb.no, *.airbnb.pl, *.airbnb.pt, *.airbnb.ru, *.airbnb.se,
> Paths: /gift-credit/accept, /, /s,
> Path Prefixes: /reservations, /home/itinerary, /inbox/help, /content/articles, /content/stories, /listings, /experiences, /manage-listing, /earlyaccess, /payments/book, /invite, /reservation, /reviews, /rooms, /s/, /threads, /users, /verify, /review_your_account, /wishlists, /z/q, /confirm_email, /users/set_password,
>
> Skip asterisk during assetlink check.
>
> False positive
>
> App Link asset verification URL (http://*.airbnb.at/.well-known/assetlinks.json) not found or configured incorrectly. (Status Code: 0). App Links allow users to redirect from a web URL/email to the mobile app. If this file is missing or incorrectly configured for the App Link host/domain, a malicious app can hijack such URLs. This may lead to phishing attacks, leak sensitive data in the URI, such as PII, OAuth tokens, magic link/password reset tokens and more. You must verify the App Link domain by hosting the assetlinks.json file and enabling verification via [android:autoVerify="true"] in the Activity intent-filter.
>
> Should check https://airbnb.at/.well-known/assetlinks.json instead. Also add this to
>
>   • [ ] mobsfscan

Just tell ChatGPT your idea, then you will see the source code. Haha.