Closed madlymad closed 2 weeks ago
The latest version is working as expected on my end. See the sample:

```kotlin
package com.myapp

import com.facebook.react.ReactActivity
import android.os.Bundle
import android.webkit.WebView

class MainActivity : ReactActivity() {
    override fun getMainComponentName(): String {
        return "myapp"
    }

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // Enabling WebView debugging
        WebView.setWebContentsDebuggingEnabled(true)
    }
}
```
```
$ mobsfscan -v
mobsfscan: v0.4.1 | Ajin Abraham | opensecurity.in
$ mobsfscan test.kt --json | jq '.results | keys'
[
  "android_certificate_transparency",
  "android_kotlin_webview_debug",
  "android_prevent_screenshot",
  "android_root_detection",
  "android_safetynet",
  "android_ssl_pinning",
  "android_tapjacking"
]
```
Now with the line `WebView.setWebContentsDebuggingEnabled(true)` removed.

```
$ mobsfscan test.kt --json | jq '.results | keys'
[
  "android_certificate_transparency",
  "android_prevent_screenshot",
  "android_root_detection",
  "android_safetynet",
  "android_ssl_pinning",
  "android_tapjacking"
]
```
Hi @ajinabraham,
Thanks for sharing these examples with me; they really helped me to understand the real problem and also properly test and reproduce it!

My expectation is that when I have an inline ignore on a line, the issue will not be reported as a problem, but using this simple example, the `android_kotlin_webview_debug` issue is reported:
```kotlin
package com.myapp

import com.facebook.react.ReactActivity
import android.os.Bundle
import android.webkit.WebView

class MainActivity : ReactActivity() {
    override fun getMainComponentName(): String {
        return "myapp"
    }

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // Enabling WebView debugging
        WebView.setWebContentsDebuggingEnabled(true) // mobsf-ignore: android_kotlin_webview_debug
    }
}
```

```
$ mobsfscan test_ignore.kt --json | jq '.results | keys'
[
  "android_certificate_transparency",
  "android_kotlin_webview_debug",
  "android_prevent_screenshot",
  "android_root_detection",
  "android_safetynet",
  "android_ssl_pinning",
  "android_tapjacking"
]
```
To make matters worse, any occurrence of the word "WebView" within this file is reported in the results.

As a demonstration I created a file that represents the seriousness of that issue, where due to lines 222-224:
```kotlin
if (BuildConfig.DEBUG) {
    WebView.setWebContentsDebuggingEnabled(true) // mobsf-ignore: android_kotlin_webview_debug
}
```

```
$ mobsfscan WebViewFragment_Demo.kt --json | jq '.results | .android_kotlin_webview_debug.files | length '
54
```
File: WebViewFragment_Demo.kt.txt (requires renaming to WebViewFragmentDemo.kt, as GitHub prevents the upload of kt files)
Thanks, I was able to reproduce this. I will take a look at this.
This should be addressed in 0.4.2
First of all, congrats on your work ❤️ We have been using it for a while now and it has helped us quite a lot!

I would like to report a false positive that I am getting all over my codebase for the `android_kotlin_webview_debug` rule. I believe that the problem is that `RegexAnd` is not really doing an `and` but an `or`, because every place I have the text "WebView" is reported as a violation 😕 and with the latest changes this now reports at least 155 violations. Violations are reported in imports or in any place the WebView* is identified.

Since this is a private repository I cannot share a code link, but I attach some screenshots in case this makes the problem clearer.

False positive example of `import`:

False positive example of calling the `WebView` Fragment:

Only reference of `setWebContentsDebuggingEnabled`

In case it helps, this is the only relevant reference of `setWebContentsDebuggingEnabled` in my code, which is also flagged with ignore. (Note that the tool correctly ignores this specific line!)

Posting here the rule that is triggered:
src: https://github.com/MobSF/mobsfscan/blob/7d67c719fffc8a48accfa3dc33f5dae37c451a02/mobsfscan/rules/patterns/android/kotlin/kotlin_rules.yaml#L100
I remain at your disposal for any further clarification, please let me know if I can do anything else to help in the investigation of this issue, or if there is an explanation why this is triggered and I just have to completely disable this rule.
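
The difference between "and" and "or" matching discussed in this thread, as an added example that is not part of the original posts and is not mobsfscan's code. The two patterns, the function names and the choice to report only the lines containing the debugging call are assumptions for illustration; the sample file is constructed.

```python
import re

RULE_ID = "android_kotlin_webview_debug"
# Assumed patterns for a two-part "and" rule; the real ones are in kotlin_rules.yaml.
CONTEXT = re.compile(r"WebView")
SINK = re.compile(r"\.setWebContentsDebuggingEnabled\(true\)")
# Inline suppression comment in the form used in this thread.
IGNORE = re.compile(r"//\s*mobsf-ignore:\s*(\S+)")

# Constructed sample file.
SAMPLE = """\
package com.myapp
import android.webkit.WebView
class Demo {
    fun open(view: WebView) {
        if (BuildConfig.DEBUG) {
            WebView.setWebContentsDebuggingEnabled(true) // mobsf-ignore: android_kotlin_webview_debug
        }
    }
}
"""

def live_lines(source, rule_id=RULE_ID):
    """Yield (line_number, text) for lines not suppressed for rule_id."""
    for number, text in enumerate(source.splitlines(), 1):
        match = IGNORE.search(text)
        if not (match and match.group(1) == rule_id):
            yield number, text

def scan_any(source):
    """'or' behaviour: a line matching either pattern is a finding."""
    return [n for n, t in live_lines(source) if CONTEXT.search(t) or SINK.search(t)]

def scan_all(source):
    """'and' behaviour: both patterns must occur in the file; report the sink lines."""
    lines = list(live_lines(source))
    if not any(CONTEXT.search(t) for _, t in lines):
        return []
    return [n for n, t in lines if SINK.search(t)]

if __name__ == "__main__":
    unsuppressed = SAMPLE.replace(" // mobsf-ignore: " + RULE_ID, "")
    print("any/suppressed:  ", scan_any(SAMPLE))
    print("all/suppressed:  ", scan_all(SAMPLE))
    print("any/unsuppressed:", scan_any(unsuppressed))
    print("all/unsuppressed:", scan_all(unsuppressed))
```

With "or" matching, the import and the parameter type are still flagged even though the only debugging call is suppressed; with "and" matching, the suppressed file yields no findings and the unsuppressed one yields only the call itself.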