MobSF / Mobile-Security-Framework-MobSF

Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.
https://opensecurity.in
GNU General Public License v3.0

Allow numeric bundleIds for iOS #2424

Open hdruse opened 3 days ago

hdruse commented 3 days ago

ENVIRONMENT

OS and Version: MacOS Sonoma, but running in docker
Python Version: 3.10
MobSF Version: 4.0.5

EXPLANATION OF THE ISSUE

Uploading an iOS build with a numeric bundleId will result in issues opening "/recent_scans".
The error message already states that the regex used is not capable of matching numeric bundleIds.

STEPS TO REPRODUCE THE ISSUE

1. upload ipa with numeric bundleId
2. open mobsf interface
3. click on "Recent Scans"
4. observe "Server Error (500)".

LOG FILE

[INFO] 17/Sep/2024 10:18:06 - 
  __  __       _    ____  _____       _  _    ___  
 |  \/  | ___ | |__/ ___||  ___|_   _| || |  / _ \ 
 | |\/| |/ _ \| '_ \___ \| |_  \ \ / / || |_| | | |
 | |  | | (_) | |_) |__) |  _|  \ V /|__   _| |_| |
 |_|  |_|\___/|_.__/____/|_|     \_/    |_|(_)___/ 
[INFO] 17/Sep/2024 10:18:06 - Author: Ajin Abraham | opensecurity.in
[INFO] 17/Sep/2024 10:18:06 - Mobile Security Framework v4.0.5
[INFO] 17/Sep/2024 10:18:06 - 
API Key read from environment variable
REST API Key: #####
Default Credentials: mobsf/mobsf
[INFO] 17/Sep/2024 10:18:06 - OS Environment: Linux (ubuntu 22.04 Jammy Jellyfish) Linux-6.6.26-linuxkit-aarch64-with-glibc2.35
[INFO] 17/Sep/2024 10:18:06 - MobSF Basic Environment Check
[INFO] 17/Sep/2024 10:18:06 - Checking for Update.
[INFO] 17/Sep/2024 10:18:06 - No updates available.
[INFO] 17/Sep/2024 10:18:10 - 
API Key read from environment variable
[ERROR] 17/Sep/2024 10:18:12 - Internal Server Error: /recent_scans/
Traceback (most recent call last):
  File "/usr/local/lib/python3.10/dist-packages/django/core/handlers/exception.py", line 55, in inner
    response = get_response(request)
  File "/usr/local/lib/python3.10/dist-packages/django/core/handlers/base.py", line 197, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/home/mobsf/Mobile-Security-Framework-MobSF/mobsf/MobSF/views/authentication.py", line 41, in wrapper
    return lg(func)(request, *args, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/django/contrib/auth/decorators.py", line 23, in _wrapper_view
    return view_func(request, *args, **kwargs)
  File "/home/mobsf/Mobile-Security-Framework-MobSF/mobsf/MobSF/views/home.py", line 309, in recent_scans
    return render(request, template, context)
  File "/usr/local/lib/python3.10/dist-packages/django/shortcuts.py", line 25, in render
    content = loader.render_to_string(template_name, context, request, using=using)
  File "/usr/local/lib/python3.10/dist-packages/django/template/loader.py", line 62, in render_to_string
    return template.render(context, request)
  File "/usr/local/lib/python3.10/dist-packages/django/template/backends/django.py", line 61, in render
    return self.template.render(context)
  File "/usr/local/lib/python3.10/dist-packages/django/template/base.py", line 171, in render
    return self._render(context)
  File "/usr/local/lib/python3.10/dist-packages/django/template/base.py", line 163, in _render
    return self.nodelist.render(context)
  File "/usr/local/lib/python3.10/dist-packages/django/template/base.py", line 1000, in render
    return SafeString("".join([node.render_annotated(context) for node in self]))
  File "/usr/local/lib/python3.10/dist-packages/django/template/base.py", line 1000, in <listcomp>
    return SafeString("".join([node.render_annotated(context) for node in self]))
  File "/usr/local/lib/python3.10/dist-packages/django/template/base.py", line 961, in render_annotated
    return self.render(context)
  File "/usr/local/lib/python3.10/dist-packages/django/template/loader_tags.py", line 159, in render
    return compiled_parent._render(context)
  File "/usr/local/lib/python3.10/dist-packages/django/template/base.py", line 163, in _render
    return self.nodelist.render(context)
  File "/usr/local/lib/python3.10/dist-packages/django/template/base.py", line 1000, in render
    return SafeString("".join([node.render_annotated(context) for node in self]))
  File "/usr/local/lib/python3.10/dist-packages/django/template/base.py", line 1000, in <listcomp>
    return SafeString("".join([node.render_annotated(context) for node in self]))
  File "/usr/local/lib/python3.10/dist-packages/django/template/base.py", line 961, in render_annotated
    return self.render(context)
  File "/usr/local/lib/python3.10/dist-packages/django/template/loader_tags.py", line 65, in render
    result = block.nodelist.render(context)
  File "/usr/local/lib/python3.10/dist-packages/django/template/base.py", line 1000, in render
    return SafeString("".join([node.render_annotated(context) for node in self]))
  File "/usr/local/lib/python3.10/dist-packages/django/template/base.py", line 1000, in <listcomp>
    return SafeString("".join([node.render_annotated(context) for node in self]))
  File "/usr/local/lib/python3.10/dist-packages/django/template/base.py", line 961, in render_annotated
    return self.render(context)
  File "/usr/local/lib/python3.10/dist-packages/django/template/defaulttags.py", line 242, in render
    nodelist.append(node.render_annotated(context))
  File "/usr/local/lib/python3.10/dist-packages/django/template/base.py", line 961, in render_annotated
    return self.render(context)
  File "/usr/local/lib/python3.10/dist-packages/django/template/defaulttags.py", line 326, in render
    return nodelist.render(context)
  File "/usr/local/lib/python3.10/dist-packages/django/template/base.py", line 1000, in render
    return SafeString("".join([node.render_annotated(context) for node in self]))
  File "/usr/local/lib/python3.10/dist-packages/django/template/base.py", line 1000, in <listcomp>
    return SafeString("".join([node.render_annotated(context) for node in self]))
  File "/usr/local/lib/python3.10/dist-packages/django/template/base.py", line 961, in render_annotated
    return self.render(context)
  File "/usr/local/lib/python3.10/dist-packages/django/template/defaulttags.py", line 326, in render
    return nodelist.render(context)
  File "/usr/local/lib/python3.10/dist-packages/django/template/base.py", line 1000, in render
    return SafeString("".join([node.render_annotated(context) for node in self]))
  File "/usr/local/lib/python3.10/dist-packages/django/template/base.py", line 1000, in <listcomp>
    return SafeString("".join([node.render_annotated(context) for node in self]))
  File "/usr/local/lib/python3.10/dist-packages/django/template/base.py", line 961, in render_annotated
    return self.render(context)
  File "/usr/local/lib/python3.10/dist-packages/django/template/defaulttags.py", line 326, in render
    return nodelist.render(context)
  File "/usr/local/lib/python3.10/dist-packages/django/template/base.py", line 1000, in render
    return SafeString("".join([node.render_annotated(context) for node in self]))
  File "/usr/local/lib/python3.10/dist-packages/django/template/base.py", line 1000, in <listcomp>
    return SafeString("".join([node.render_annotated(context) for node in self]))
  File "/usr/local/lib/python3.10/dist-packages/django/template/base.py", line 961, in render_annotated
    return self.render(context)
  File "/usr/local/lib/python3.10/dist-packages/django/template/defaulttags.py", line 479, in render
    url = reverse(view_name, args=args, kwargs=kwargs, current_app=current_app)
  File "/usr/local/lib/python3.10/dist-packages/django/urls/base.py", line 88, in reverse
    return resolver._reverse_with_prefix(view, prefix, *args, **kwargs)
  File "/usr/local/lib/python3.10/dist-packages/django/urls/resolvers.py", line 851, in _reverse_with_prefix
    raise NoReverseMatch(msg)
django.urls.exceptions.NoReverseMatch: Reverse for 'ios_view_report' with keyword arguments '{'bundle_id': '12345678'}' not found. 1 pattern(s) tried: ['ios/view_report/(?P<bundle_id>([a-zA-Z]{1}[\\w.-]{1,255}))$']
github-actions[bot] commented 3 days ago

👋 @hdruse Issues are only for reporting a bug/feature request. For limited support, questions, and discussions, please join the MobSF Slack channel. Please include all the requested and relevant information when opening a bug report. Improper reports will be closed without any response.

ajinabraham commented 3 days ago

Thanks for reporting this. Does iOS even support numeric-only bundle IDs? https://developer.apple.com/documentation/bundleresources/information_property_list/cfbundleidentifier

Can you share the app that has a numeric bundle id?

hdruse commented 2 days ago

As the documentation you sent says:

The bundle ID string must contain only alphanumeric characters (A–Z, a–z, and 0–9),

it can indeed contain only numbers. Apple encourages developers to use reverse-domain notation, but it is not enforced.

The app I was checking was transferred from one business account to another. I guess Apple switches the bundleId automatically in this case. However, the app with the numeric bundleId is

"Betaseed Mobil" available in the German/French/UK/.. store but not US

hdruse commented 8 hours ago

I don't know if it has any side effects that I am not aware of, but I simply changed the bundle regex and built a Docker image to get my server running again.

https://github.com/hdruse/Mobile-Security-Framework-MobSF/commit/5a8117af93af1ae47aeeccb16c80c31b63668a1c

Would love to contribute and also test my changes properly, but I was not able to build the project as some dependencies were failing, and I did not have much time to investigate what's wrong on my side.
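The route pattern quoted in the NoReverseMatch traceback is the only validation bundle_id gets at the URL layer, so the fix hdruse describes (widening that regex) is also the place to keep Apple's documented character set and a length bound. The following is an added example, not MobSF code and not the linked commit: ORIGINAL_BUNDLE_ID is the pattern from the traceback, PROPOSED_BUNDLE_ID is a constructed candidate, and matches_route emulates Django's anchored route matching with re.fullmatch.

```python
import re

# Pattern from MobSF's 'ios_view_report' route as quoted in the traceback:
# the first character must be a letter, so '12345678' can never match.
ORIGINAL_BUNDLE_ID = re.compile(r'[a-zA-Z]{1}[\w.-]{1,255}')

# Constructed alternative (assumption, not MobSF's actual fix): Apple's
# documented bundle ID alphabet (A-Z, a-z, 0-9, hyphen, period), no
# leading-letter requirement, same 255-character bound so the route still
# rejects oversized or path-like input.
PROPOSED_BUNDLE_ID = re.compile(r'[A-Za-z0-9.-]{1,255}')


def matches_route(pattern: re.Pattern, bundle_id: str) -> bool:
    """Emulate a URL route: the whole path segment must match, as Django
    anchors (?P<bundle_id>...)$ when resolving and reversing the URL."""
    return pattern.fullmatch(bundle_id) is not None


def compare(bundle_ids):
    """Return {bundle_id: (original_matches, proposed_matches)}."""
    return {
        b: (matches_route(ORIGINAL_BUNDLE_ID, b),
            matches_route(PROPOSED_BUNDLE_ID, b))
        for b in bundle_ids
    }


# Constructed sample inputs: the numeric ID from the report, a conventional
# reverse-domain ID, and values a route regex should keep rejecting.
SAMPLES = [
    '12345678',          # numeric-only bundle ID from the issue
    'com.example.app',   # conventional reverse-domain ID
    '../report',         # contains '/', must never match a single segment
    'app id',            # whitespace is outside the allowed alphabet
    'a' * 300,           # exceeds the 255-character bound
    '',                  # empty segment
]

if __name__ == '__main__':
    for bid, (orig_ok, new_ok) in compare(SAMPLES).items():
        print(f'{bid[:16]!r:20} original={orig_ok!s:5} proposed={new_ok!s:5}')
```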