MobSF / mobsfscan

mobsfscan is a static analysis tool that can find insecure code patterns in your Android and iOS source code. Supports Java, Kotlin, Swift, and Objective C Code. mobsfscan uses MobSF static analysis rules and is powered by semgrep and libsast pattern matcher.
GNU Lesser General Public License v3.0

False positives of android_kotlin_webview_debug #97

Open madlymad opened 19 hours ago

madlymad commented 19 hours ago

First of all, congrats on your work ❤️ We have been using it for a while now and it has helped us quite a lot!

I would like to report a false positive that I am getting all over my codebase for the android_kotlin_webview_debug rule. I believe the problem is that RegexAnd is not really doing an AND but an OR, because every place where I have the text "WebView" is reported as a violation 😕, and with the latest changes this now reports at least 155 violations.

Violations are reported in imports or in any place where WebView* is identified.

Since this is a private repository I cannot share a code link, but I attach some screenshots in case they make the problem clearer.

False positive example of import:

Screenshot 2024-11-05 at 12 54 56 PM

False positive example of calling the WebViewFragment:

Screenshot 2024-11-05 at 12 13 14 PM

Only reference of setWebContentsDebuggingEnabled

In case it helps, this is the only relevant reference to setWebContentsDebuggingEnabled in my code, and it is also flagged with ignore. (Note that the tool correctly ignores this specific line!)

Screenshot 2024-11-05 at 12 21 23 PM

Posting here the rule that is triggered:

- id: android_kotlin_webview_debug
  message: Remote WebView debugging is enabled.
  type: RegexAnd
  pattern:
    - \.setWebContentsDebuggingEnabled\(true\)
    - WebView
  severity: ERROR
  input_case: exact

src: https://github.com/MobSF/mobsfscan/blob/7d67c719fffc8a48accfa3dc33f5dae37c451a02/mobsfscan/rules/patterns/android/kotlin/kotlin_rules.yaml#L100

I remain at your disposal for any further clarification. Please let me know if I can do anything else to help in the investigation of this issue, or if there is an explanation for why this is triggered and I just have to completely disable this rule.

ajinabraham commented 10 hours ago

The latest version is working as expected on my end. See the sample:

package com.myapp

import com.facebook.react.ReactActivity
import android.os.Bundle
import android.webkit.WebView

class MainActivity : ReactActivity() {

    override fun getMainComponentName(): String {
        return "myapp"
    }

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // Enabling WebView debugging
        WebView.setWebContentsDebuggingEnabled(true)
    }
}
mobsfscan -v

mobsfscan: v0.4.1 | Ajin Abraham | opensecurity.in
mobsfscan test.kt --json | jq '.results | keys'
[
  "android_certificate_transparency",
  "android_kotlin_webview_debug",
  "android_prevent_screenshot",
  "android_root_detection",
  "android_safetynet",
  "android_ssl_pinning",
  "android_tapjacking"
]

Now with the line WebView.setWebContentsDebuggingEnabled(true) removed.

mobsfscan test.kt --json | jq '.results | keys'
[
  "android_certificate_transparency",
  "android_prevent_screenshot",
  "android_root_detection",
  "android_safetynet",
  "android_ssl_pinning",
  "android_tapjacking"
]
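To make the distinction the reporter is describing concrete, here is an added illustration in Python (it is not mobsfscan's or libsast's code): under AND semantics a finding requires every pattern in the rule's list to match somewhere in the same file, whereas under OR semantics any single pattern is enough. The sample file is the MainActivity.kt posted above, embedded as a string; the rule is the one quoted from kotlin_rules.yaml. How libsast attributes a RegexAnd finding to particular lines is not shown in this thread, so reporting every matching line of every pattern is an assumption of this example.

```python
import re
from typing import Dict, List

# The Kotlin sample posted in this thread, embedded as a constructed input.
KOTLIN_WITH_DEBUG = """package com.myapp

import com.facebook.react.ReactActivity
import android.os.Bundle
import android.webkit.WebView

class MainActivity : ReactActivity() {

    override fun getMainComponentName(): String {
        return "myapp"
    }

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // Enabling WebView debugging
        WebView.setWebContentsDebuggingEnabled(true)
    }
}
"""

# The same file with the debugging call removed: "WebView" still appears
# in the import and in a comment, which is the reporter's situation.
KOTLIN_WITHOUT_DEBUG = "\n".join(
    line for line in KOTLIN_WITH_DEBUG.splitlines()
    if "setWebContentsDebuggingEnabled" not in line
)

# The rule exactly as quoted in the issue (only the fields this example uses).
WEBVIEW_DEBUG_RULE = {
    "id": "android_kotlin_webview_debug",
    "type": "RegexAnd",
    "pattern": [r"\.setWebContentsDebuggingEnabled\(true\)", r"WebView"],
}


def matching_lines(source: str, pattern: str) -> List[int]:
    """1-based line numbers on which the regex matches (case-exact search)."""
    regex = re.compile(pattern)
    return [n for n, line in enumerate(source.splitlines(), start=1)
            if regex.search(line)]


def regex_and(source: str, rule: Dict) -> Dict[str, List[int]]:
    """AND semantics: a finding exists only if every pattern matches
    somewhere in the file. Returns pattern -> matching lines, or {} when
    any pattern is absent. (Line attribution is this example's assumption.)"""
    per_pattern = {p: matching_lines(source, p) for p in rule["pattern"]}
    if not all(per_pattern.values()):
        return {}
    return per_pattern


def regex_or(source: str, rule: Dict) -> Dict[str, List[int]]:
    """OR semantics: any single matching pattern produces a finding.
    Returns only the patterns that matched, with their lines."""
    per_pattern = {p: matching_lines(source, p) for p in rule["pattern"]}
    return {p: lines for p, lines in per_pattern.items() if lines}


def scan(source: str, rule: Dict) -> Dict[str, List[int]]:
    """Dispatch on the rule type so the two behaviours can be compared."""
    if rule["type"] == "RegexAnd":
        return regex_and(source, rule)
    if rule["type"] == "RegexOr":
        return regex_or(source, rule)
    raise ValueError(f"unsupported rule type: {rule['type']}")


if __name__ == "__main__":
    for label, src in (("with debug call", KOTLIN_WITH_DEBUG),
                       ("without debug call", KOTLIN_WITHOUT_DEBUG)):
        print(f"{label}: AND -> {regex_and(src, WEBVIEW_DEBUG_RULE)}")
        print(f"{label}: OR  -> {regex_or(src, WEBVIEW_DEBUG_RULE)}")
```

Running the file shows the contrast: with the debugging call present, AND semantics yield a finding (the call on line 16 plus the three WebView mentions); with the call removed, AND semantics yield nothing, exactly as the maintainer's second jq output shows, while OR semantics would still flag the import and the comment, which is the pattern of false positives described in the report.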