MobSF / mobsfscan

mobsfscan is a static analysis tool that can find insecure code patterns in your Android and iOS source code. Supports Java, Kotlin, Swift, and Objective C Code. mobsfscan uses MobSF static analysis rules and is powered by semgrep and libsast pattern matcher.
GNU Lesser General Public License v3.0

False positives of android_kotlin_webview_debug #97

Closed madlymad closed 2 weeks ago

madlymad commented 3 weeks ago

First of all, congrats on your work ❤️ We have been using it for a while now and it has helped us quite a lot!

I would like to report a false positive that I am getting all over my codebase for the android_kotlin_webview_debug rule. I believe that the problem is that RegexAnd is not really doing an "and" but an "or", because every place I have the text "WebView" is reported as a violation 😕 and with the latest changes this now reports at least 155 violations.

Violations are reported in imports or in any place where WebView* is identified.

Since this is a private repository I cannot share a code link, but I attach some screenshots in case they make the problem clearer.

False positive example of import:

[Screenshot 2024-11-05 at 12:54:56 PM]

False positive example of calling the WebViewFragment:

[Screenshot 2024-11-05 at 12:13:14 PM]

Only reference of setWebContentsDebuggingEnabled

In case it helps, this is the only relevant reference to setWebContentsDebuggingEnabled in my code, and it is also flagged with an ignore. (Note that the tool correctly ignores this specific line!)

[Screenshot 2024-11-05 at 12:21:23 PM]

Posting here the rule that is triggered:

- id: android_kotlin_webview_debug
  message: Remote WebView debugging is enabled.
  type: RegexAnd
  pattern:
    - \.setWebContentsDebuggingEnabled\(true\)
    - WebView
  severity: ERROR
  input_case: exact

src: https://github.com/MobSF/mobsfscan/blob/7d67c719fffc8a48accfa3dc33f5dae37c451a02/mobsfscan/rules/patterns/android/kotlin/kotlin_rules.yaml#L100

I remain at your disposal for any further clarification; please let me know if I can do anything else to help in the investigation of this issue, or if there is an explanation for why this is triggered and I just have to completely disable this rule.

ajinabraham commented 3 weeks ago

The latest version is working as expected on my end. See the sample:

package com.myapp

import com.facebook.react.ReactActivity
import android.os.Bundle
import android.webkit.WebView

class MainActivity : ReactActivity() {

    override fun getMainComponentName(): String {
        return "myapp"
    }

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // Enabling WebView debugging
        WebView.setWebContentsDebuggingEnabled(true)
    }
}
mobsfscan -v

mobsfscan: v0.4.1 | Ajin Abraham | opensecurity.in
mobsfscan test.kt --json | jq '.results | keys'
[
  "android_certificate_transparency",
  "android_kotlin_webview_debug",
  "android_prevent_screenshot",
  "android_root_detection",
  "android_safetynet",
  "android_ssl_pinning",
  "android_tapjacking"
]

Now with the line WebView.setWebContentsDebuggingEnabled(true) removed.

mobsfscan test.kt --json | jq '.results | keys'
[
  "android_certificate_transparency",
  "android_prevent_screenshot",
  "android_root_detection",
  "android_safetynet",
  "android_ssl_pinning",
  "android_tapjacking"
]
madlymad commented 2 weeks ago

Hi @ajinabraham,

Thanks for sharing these examples with me; they really helped me to understand the real problem and also to properly test and reproduce it!

My expectation is that when I have an inline ignore on a line, the issue will not be reported as a problem, but using this simple example, the android_kotlin_webview_debug issue is reported:

package com.myapp

import com.facebook.react.ReactActivity
import android.os.Bundle
import android.webkit.WebView

class MainActivity : ReactActivity() {

    override fun getMainComponentName(): String {
        return "myapp"
    }

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // Enabling WebView debugging
        WebView.setWebContentsDebuggingEnabled(true) // mobsf-ignore: android_kotlin_webview_debug
    }
}
mobsfscan test_ignore.kt --json | jq '.results | keys'
[
  "android_certificate_transparency",
  "android_kotlin_webview_debug",
  "android_prevent_screenshot",
  "android_root_detection",
  "android_safetynet",
  "android_ssl_pinning",
  "android_tapjacking"
]

To make matters worse, every occurrence of the word "WebView" within this file is reported in the results.

As a demonstration I created a file that shows the seriousness of that issue, where, due to lines 222-224:

if (BuildConfig.DEBUG) {
    WebView.setWebContentsDebuggingEnabled(true) // mobsf-ignore: android_kotlin_webview_debug
}
mobsfscan WebViewFragment_Demo.kt --json | jq '.results | .android_kotlin_webview_debug.files | length '
54

File: WebViewFragment_Demo.kt.txt (requires renaming to WebViewFragmentDemo.kt, as GitHub prevents the upload of .kt files)
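
The two observations in this thread (the rule is silent for a file that only mentions WebView, but once the file contains the debug call every WebView line is reported, and the inline ignore removes only its own line) can be reproduced with a small model of a RegexAnd rule. This is an added example, not mobsfscan's or libsast's code: the matcher below is an assumption about the semantics implied by the scanner outputs pasted above (file-level gate on all patterns, then per-line reporting of any pattern, then per-line ignore), and the `ignore_before_gate` switch is a hypothetical alternative semantics, not the fix shipped in 0.4.2. The Kotlin sample is constructed from the snippet posted in the thread.

```python
import re

# Constructed sample, modelled on the MainActivity snippet posted in this
# thread (with the inline ignore comment). Not a file from any real project.
SAMPLE_KT = """\
package com.myapp

import com.facebook.react.ReactActivity
import android.os.Bundle
import android.webkit.WebView

class MainActivity : ReactActivity() {

    override fun getMainComponentName(): String {
        return "myapp"
    }

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // Enabling WebView debugging
        WebView.setWebContentsDebuggingEnabled(true) // mobsf-ignore: android_kotlin_webview_debug
    }
}
"""

# Same file with the inline ignore removed, and with the debug call removed.
SAMPLE_NO_IGNORE = SAMPLE_KT.replace(" // mobsf-ignore: android_kotlin_webview_debug", "")
SAMPLE_NO_DEBUG = "\n".join(
    line for line in SAMPLE_KT.splitlines() if "setWebContentsDebuggingEnabled" not in line
) + "\n"

# The rule as quoted in this thread (id, type and the two patterns).
RULE = {
    "id": "android_kotlin_webview_debug",
    "type": "RegexAnd",
    "pattern": [r"\.setWebContentsDebuggingEnabled\(true\)", r"WebView"],
}


def regex_and_findings(rule, source, ignore_before_gate=False):
    """Model of a RegexAnd rule. Assumption: this is the behaviour the
    scanner outputs in the thread imply, not libsast's real implementation.

    1. File-level gate: the rule fires only if EVERY pattern matches
       somewhere in the file. A file that merely mentions WebView does
       not fire, so RegexAnd is not an OR.
    2. Once the gate passes, every line matching ANY of the patterns is
       reported, which is why each WebView import/usage becomes a finding.
    3. An inline `mobsf-ignore: <rule id>` drops only the line carrying it.

    With ignore_before_gate=True the ignored lines are also hidden from the
    gate (a hypothetical alternative; whether 0.4.2 does this is not stated
    in the thread).

    Returns the 1-based line numbers that would be reported.
    """
    patterns = [re.compile(p) for p in rule["pattern"]]
    marker = f"mobsf-ignore: {rule['id']}"
    numbered = list(enumerate(source.splitlines(), 1))
    visible = [(n, line) for n, line in numbered if marker not in line]

    gate_lines = visible if ignore_before_gate else numbered
    if not all(any(p.search(line) for _, line in gate_lines) for p in patterns):
        return []

    return [n for n, line in visible if any(p.search(line) for p in patterns)]


if __name__ == "__main__":
    print("with ignore:        ", regex_and_findings(RULE, SAMPLE_KT))
    print("without ignore:     ", regex_and_findings(RULE, SAMPLE_NO_IGNORE))
    print("no debug call:      ", regex_and_findings(RULE, SAMPLE_NO_DEBUG))
    print("ignore before gate: ", regex_and_findings(RULE, SAMPLE_KT, ignore_before_gate=True))
```

Under this model the ignored call on line 16 still satisfies the gate, so the import on line 5 and the comment on line 15 are reported (the 54 findings in the WebViewFragment demo are the same effect at scale), while removing the call, or applying the ignore before the gate, yields no findings.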

ajinabraham commented 2 weeks ago

Thanks, I was able to reproduce this. I will take a look at this.

ajinabraham commented 2 weeks ago

This should be addressed in 0.4.2