MobSF / Mobile-Security-Framework-MobSF

Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.
https://opensecurity.in
GNU General Public License v3.0

Incorrect regexp rule for SharedPreference being world writable #2414

Closed luskan closed 1 month ago

luskan commented 1 month ago

OS and Version: Windows, running under Docker; after running Docker I see: OS Environment: Linux (ubuntu 22.04 Jammy Jellyfish) Linux-5.15.146.1-microsoft-standard-WSL2-x86_64-with-glibc2.35

Python Version: as in the official Docker image

MobSF Version: v4.0.3

In my APK I get a red entry for:

The file or SharedPreference is World Writable. Any App can write to the file

then the explanation:

CWE: CWE-276: Incorrect Default Permissions
OWASP Top 10: M2: Insecure Data Storage
OWASP MASVS: MSTG-STORAGE-2

and code (it's an external Huawei library)

com/huawei/agconnect/datastore/core/AndroidSharedPrefUtil.java

this is a relevant part of this file:

    public static void remove(String str, String str2) {
        Context context2 = context;
        if (context2 == null) {
            Log.e(TAG, "context is `null`, please call ` AGConnectInstance.initialize()` first");
        } else {
            context2.getSharedPreferences(str, 0).edit().remove(str2).commit();    // <<highlighted line>>
        }
    }

The comment above is added by me to explain where the highlight is located.

The problem is I don't see where it is that it's world writable.

In this line context2.getSharedPreferences(str, 0) the usage mode is 0, and 0 is actually private.

It looks like https://developer.android.com/reference/android/content/Context#MODE_PRIVATE is used.

The two which might indicate insecure usage would be 1 and 2:

https://developer.android.com/reference/android/content/Context#MODE_WORLD_READABLE
https://developer.android.com/reference/android/content/Context#MODE_WORLD_WRITEABLE

I am not sure if Huawei is using this AndroidSharedPrefUtil anywhere, but it probably does use it, as ProGuard had not removed it. According to the documentation, such insecure use would cause a SecurityException to be thrown on Android >= 24, which I don't see.

I checked the rules in:

/mobsf/StaticAnalyzer/views/android/rules/android_rules.yaml

and for:

regexp is:

and if I paste to https://regex101.com/, this line:

        context2.getSharedPreferences(str, 0).edit().remove(str2).commit();

(with whitespace), then the above regexp matches this part:

.getSharedPreferences(str, 0).edit().remove(str2)

The 2 is taken from str2, so the regexp is wrong. A solution would be to use:

.getSharedPreferences(.{0,50}?, 2)

github-actions[bot] commented 1 month ago

👋 @luskan Issues is only for reporting a bug/feature request. For limited support, questions, and discussions, please join MobSF Slack channel. Please include all the requested and relevant information when opening a bug report. Improper reports will be closed without any response.

ajinabraham commented 1 month ago

Thanks for the detailed bug report. I appreciate the time you put forward to debug this issue. This is due to the broken regex as you pointed out and will be fixed in the next minor version of MobSF.
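
The false positive reported in this issue can be reproduced and regression-tested offline. The following is an added example, not MobSF's rule or code: `LOOSE` is a constructed pattern that behaves the way the issue describes, and `STRICT` is one possible tightening. Both patterns, the helper names and all sample lines except the first are assumptions.

```python
import re

# Constructed stand-in for the faulty rule (the real pattern is not shown on
# this page; only the literal-2 case is modelled). The lazy wildcard may run
# past the call's closing parenthesis and stop at any later "2)".
LOOSE = re.compile(r"\.getSharedPreferences\(.{0,50}?2\)")

# Tightened pattern (an assumption, not the fix MobSF shipped): the first
# argument may not contain ',' or ';', so the match cannot leave the argument
# list, and the mode must be the entire second argument.
# Limitation: a first argument that itself contains a comma is not matched.
STRICT = re.compile(
    r"\.getSharedPreferences\(\s*[^,;]{1,50},\s*"
    r"(?:2|(?:Context\.)?MODE_WORLD_WRITEABLE)\s*\)"
)

# (source line, mode really is world-writable). First line is from the issue;
# the rest are constructed.
SAMPLES = [
    ("context2.getSharedPreferences(str, 0).edit().remove(str2).commit();", False),
    ('ctx.getSharedPreferences("cfg", 0).getInt("v2", 12);', False),
    ("context.getSharedPreferences(name, 2).edit().putString(k, v).apply();", True),
    ("ctx.getSharedPreferences(ctx.getPackageName(), Context.MODE_WORLD_WRITEABLE);", True),
]


def hit(pattern, line):
    """Return the text the rule matched in `line`, or None if it stayed silent."""
    m = pattern.search(line)
    return m.group(0) if m else None


def false_positives(pattern):
    """Lines flagged although the mode argument is not world-writable."""
    return [src for src, writable in SAMPLES if not writable and hit(pattern, src)]


def false_negatives(pattern):
    """World-writable lines the rule failed to flag."""
    return [src for src, writable in SAMPLES if writable and not hit(pattern, src)]


if __name__ == "__main__":
    for name, rule in (("loose", LOOSE), ("strict", STRICT)):
        print(name, "FP:", false_positives(rule), "FN:", false_negatives(rule))
```

Keeping benign lines such as the one from this issue in the rule's test corpus turns a repeat of the false positive into a failing check instead of a red finding in a report.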