Closed luskan closed 1 month ago
👋 @luskan Issues is only for reporting a bug/feature request. For limited support, questions, and discussions, please join MobSF Slack channel Please include all the requested and relevant information when opening a bug report. Improper reports will be closed without any response.
Thanks for the detailed bug report. I appreciate the time you put forward to debug this issue. This is due to the broken regex as you pointed out and will be fixed in the next minor version of MobSF.
OS and Version: windows, running under docker, after running docker I see: OS Environment: Linux (ubuntu 22.04 Jammy Jellyfish) Linux-5.15.146.1-microsoft-standard-WSL2-x86_64-with-glibc2.35
Python Version: as in official docker image
MobSF Version: v4.0.3
In my apk I get red entry for:
The file or SharedPreference is World Writable. Any App can write to the file
then the explanation:
CWE: CWE-276: Incorrect Default Permissions OWASP Top 10: M2: Insecure Data Storage OWASP MASVS: MSTG-STORAGE-2
and code (its external huawei library)
com/huawei/agconnect/datastore/core/AndroidSharedPrefUtil.java
this is a relevant part of this file:
The comment above is added by me to explain where the highlite is located.
The problem is I dont see where it is that its world writable?
In this line context2.getSharedPreferences(str, 0) usage mode is 0, and 0 is actually private
It looks like https://developer.android.com/reference/android/content/Context#MODE_PRIVATE is used.
the two which might indicate insecure usage would be 1 and 2:
https://developer.android.com/reference/android/content/Context#MODE_WORLD_READABLE https://developer.android.com/reference/android/content/Context#MODE_WORLD_WRITEABLE
I am not sure if huawei is using this AndroidSharedPrefUtil anywhere - but it probably does use is as proguard had not removed it. According to documentation, such insecure use would cause SecurityException to be thrown on android >= 24, which I dont see.
I checked the rules in:
/mobsf/StaticAnalyzer/views/android/rules/android_rules.yaml
and for:
regexp is:
and if I paste to https://regex101.com/, this line:
(with whitespaces) then above regexp matches this part:
.getSharedPreferences(str, 0).edit().remove(str2)
the 2 is taken from str2, so the regexp is wrong. A solution would be to use:
.getSharedPreferences(.{0,50}?, 2)