MobSF / Mobile-Security-Framework-MobSF

Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.
https://opensecurity.in
GNU General Public License v3.0

ANDROID STATIC ANALYSIS : Preference flagged as world-writable in spite of being package-private #2381

Closed diveshpincha closed 1 month ago

diveshpincha commented 2 months ago

ENVIRONMENT

OS and Version: Darwin (darwin 23.4.0) macOS-14.4.1-arm64-arm-64bit
Python Version: 3.10
MobSF Version: Mobile Security Framework v3.9.8 Beta

EXPLANATION OF THE ISSUE

The issue happens only when obfuscation (code shrinking in particular) is enabled. Even though Context.private is used for Android shared preference initialisation, MobSF flags it as world-writable.
Using -dontshrink in proguard rules removed the warning.

Even upon clicking viewFiles, the report takes us to the flagged line, where the visibility is set as 0 only. (0 being private, while 1 is world-writable)

STEPS TO REPRODUCE THE ISSUE

1. The preference is being flagged from a library we use, which also has C++ files in it. Nothing else is peculiar about it.
2. When minify is enabled with shrinking, the preferences are flagged as world-writable in spite of the value being 0 (private).

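
An added example (not MobSF's own code or rule) illustrating the false positive described above: a small checker, written for this note, that resolves both the symbolic Context.MODE_* names and the bare integer literals that code shrinking inlines in their place, next to a hypothetical string-match rule that recognises only the symbolic spelling. All function names, the MODES table, the regex and the sample decompiled lines are constructed for this illustration; the constant values are the Android SDK ones.

```python
import re

# Android Context.MODE_* constants (values as defined in the Android SDK).
MODES = {"MODE_PRIVATE": 0, "MODE_WORLD_READABLE": 1,
         "MODE_WORLD_WRITEABLE": 2, "MODE_MULTI_PROCESS": 4, "MODE_APPEND": 0x8000}
_CALL = re.compile(r"getSharedPreferences\s*\(\s*[^,]+,\s*([^)]+)\)")

# Constructed decompiled-source samples: the same calls before and after code
# shrinking, which inlines the Context.MODE_* fields into bare integer literals.
SAMPLE_UNSHRUNK = """\
SharedPreferences a = ctx.getSharedPreferences("settings", Context.MODE_PRIVATE);
SharedPreferences b = ctx.getSharedPreferences("cache", Context.MODE_WORLD_WRITEABLE);
"""
SAMPLE_SHRUNK = """\
SharedPreferences a = ctx.getSharedPreferences("settings", 0);
SharedPreferences b = ctx.getSharedPreferences("cache", 2);
SharedPreferences c = ctx.getSharedPreferences("multi", 5);
"""

def naive_flag(line):
    """Hypothetical string-match rule: any call not spelled with MODE_PRIVATE is
    flagged. Once shrinking turns the field into the literal 0, private prefs match."""
    return "getSharedPreferences" in line and "MODE_PRIVATE" not in line

def parse_mode(expr):
    """Resolve a mode argument (symbolic, numeric, or OR-ed together) to an int."""
    value = 0
    for term in expr.split("|"):
        name = term.strip().rsplit(".", 1)[-1]  # drop a Context./ContextWrapper. prefix
        value |= MODES[name] if name in MODES else int(name, 0)
    return value

def classify(mode):
    """Map the resolved mode bits to the on-disk exposure that actually matters."""
    if mode & MODES["MODE_WORLD_WRITEABLE"]:
        return "world-writable"
    if mode & MODES["MODE_WORLD_READABLE"]:
        return "world-readable"
    return "private"

def scan(source):
    """Return (line_no, naive_flagged, resolved_verdict) per getSharedPreferences call."""
    out = []
    for n, line in enumerate(source.splitlines(), 1):
        for m in _CALL.finditer(line):
            out.append((n, naive_flag(line), classify(parse_mode(m.group(1)))))
    return out
```

Running scan over SAMPLE_SHRUNK shows line 1 flagged by the naive rule while its resolved mode is private, which is the shape of the report above.
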
github-actions[bot] commented 2 months ago

👋 @diveshpincha Issues are only for reporting a bug/feature request. For limited support, questions, and discussions, please join the MobSF Slack channel. Please include all the requested and relevant information when opening a bug report. Improper reports will be closed without any response.

ajinabraham commented 1 month ago

Please use slack for support.