MobSF / Mobile-Security-Framework-MobSF

Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.
https://opensecurity.in
GNU General Public License v3.0

False positive for compiled Dart code #2358

Closed Olaw2jr closed 6 months ago

Olaw2jr commented 6 months ago

EXPLANATION OF THE ISSUE
"Shared objects should use fortified functions" warning for compiled Dart code (e.g., Flutter's libpp.so)

MobSF detects a missing fortified function call in a shared object, but this might be a false positive for compiled Dart code. Dart code doesn't directly interact with libc functions; it uses the Dart standard library.

WHY THIS MIGHT BE A FALSE POSITIVE
MobSF checks for functions with a _chk suffix (fortified functions in glibc). Since Dart code doesn't use these functions, MobSF misinterprets it as non-fortified calls.

STEPS TO REPRODUCE (if applicable)
This step might not be applicable as it's a potential false positive.

1. Compile Dart code into a shared object (e.g., Flutter app)
2. Run MobSF analysis on the shared object
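To make the reported behaviour concrete, here is an added example (written for this page, not MobSF's own code) of the kind of check the report describes: read the .dynsym names out of an ELF64 shared object, flag the library when no __*_chk symbols are present, and return "not applicable" when Flutter's Dart snapshot symbols are found. The Dart marker symbols, the FORTIFIABLE subset and the build_elf64 fixture are assumptions made for the example; MobSF's real heuristic may differ.

```python
import struct

# Subset of glibc functions that have a fortified __*_chk variant (illustration only)
FORTIFIABLE = {"memcpy", "memmove", "memset", "strcpy", "strncpy", "strcat", "sprintf", "snprintf", "read"}
# Assumption: Flutter AOT libraries export these Dart snapshot symbols; MobSF's own heuristic may differ
DART_MARKERS = {"_kDartVmSnapshotInstructions", "_kDartIsolateSnapshotInstructions"}
SHDR = "<IIQQQQIIQQ"  # Elf64_Shdr: name, type, flags, addr, offset, size, link, info, align, entsize

def dynamic_symbols(data: bytes) -> list[str]:
    """Symbol names from .dynsym of a little-endian ELF64 image (what a fortify check inspects)."""
    if data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 image")
    shoff, _, _, _, _, shentsize, shnum = struct.unpack_from("<QIHHHHH", data, 0x28)
    shdrs = [struct.unpack_from(SHDR, data, shoff + i * shentsize) for i in range(shnum)]
    names = []
    for sh in shdrs:
        if sh[1] == 11:  # SHT_DYNSYM
            str_off = shdrs[sh[6]][4]  # sh_link names the matching .dynstr section
            for j in range(sh[5] // sh[9]):
                st_name, = struct.unpack_from("<I", data, sh[4] + j * sh[9])
                names.append(data[str_off + st_name:data.index(b"\0", str_off + st_name)].decode())
    return [n for n in names if n]  # drop the null symbol's empty name

def fortify_check(symbols: list[str]) -> dict:
    """Fortify verdict for one shared object, with the Dart/Flutter not-applicable case."""
    syms = set(symbols)
    fortified = sorted(s for s in syms if s.endswith("_chk"))
    unfortified = sorted(syms & FORTIFIABLE)
    if syms & DART_MARKERS:
        status, reason = "not_applicable", "Dart AOT code does not call libc string/memory functions"
    elif not fortified:
        status, reason = "warn", "no __*_chk symbols: not built with _FORTIFY_SOURCE"
    else:
        status, reason = "ok", "fortified libc variants present"
    return {"status": status, "reason": reason, "fortified": fortified, "unfortified": unfortified}

def build_elf64(symbols: list[str]) -> bytes:
    """Constructed fixture: minimal ELF64 image holding only .dynsym and .dynstr (not a real library)."""
    dynstr = b"\0" + b"".join(s.encode() + b"\0" for s in symbols)
    dynsym, name_off = b"\0" * 24, 1  # index 0 is the mandatory null symbol
    for s in symbols:
        dynsym += struct.pack("<IBBHQQ", name_off, 0x12, 0, 0, 0, 0)  # GLOBAL FUNC, undefined
        name_off += len(s) + 1
    sym_off, str_off = 64, 64 + len(dynsym)  # sections follow the 64-byte header
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9  # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    ehdr += struct.pack("<HHIQQQIHHHHHH", 3, 0xB7, 1, 0, 0, str_off + len(dynstr), 0, 64, 0, 0, 64, 3, 0)
    shdrs = struct.pack(SHDR, *([0] * 10))  # SHT_NULL
    shdrs += struct.pack(SHDR, 0, 11, 2, 0, sym_off, len(dynsym), 2, 1, 8, 24)  # .dynsym, link -> 2
    shdrs += struct.pack(SHDR, 0, 3, 2, 0, str_off, len(dynstr), 0, 0, 1, 0)  # .dynstr
    return ehdr + dynsym + dynstr + shdrs
```

Running `fortify_check(dynamic_symbols(open("libapp.so", "rb").read()))` on a real Flutter library applies the same logic to an actual file; the fixture only exists so the example runs offline.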

github-actions[bot] commented 6 months ago

👋 @Olaw2jr Issues are only for reporting a bug/feature request. For limited support, questions, and discussions, please join the MobSF Slack channel. Please include all the requested and relevant information when opening a bug report. Improper reports will be closed without any response.

ajinabraham commented 6 months ago

The newer MobSF versions already warn in the report for Fortify Checks: "This check is not applicable for Dart/Flutter libraries."

[Screenshot 2024-03-18 at 10:58:47 AM]