Open madlymad opened 19 hours ago
The latest version is working as expected in my end. See the sample:
```kotlin
package com.myapp

import com.facebook.react.ReactActivity
import android.os.Bundle
import android.webkit.WebView

class MainActivity : ReactActivity() {
    override fun getMainComponentName(): String {
        return "myapp"
    }

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // Enabling WebView debugging
        WebView.setWebContentsDebuggingEnabled(true)
    }
}
```
```console
$ mobsfscan -v
mobsfscan: v0.4.1 | Ajin Abraham | opensecurity.in
$ mobsfscan test.kt --json | jq '.results | keys'
[
  "android_certificate_transparency",
  "android_kotlin_webview_debug",
  "android_prevent_screenshot",
  "android_root_detection",
  "android_safetynet",
  "android_ssl_pinning",
  "android_tapjacking"
]
```
Now with the line `WebView.setWebContentsDebuggingEnabled(true)` removed:
```console
$ mobsfscan test.kt --json | jq '.results | keys'
[
  "android_certificate_transparency",
  "android_prevent_screenshot",
  "android_root_detection",
  "android_safetynet",
  "android_ssl_pinning",
  "android_tapjacking"
]
```
First of all, congrats on your work ❤️ We have been using it for a while now and it has helped us quite a lot!
I would like to report a false positive that I am getting all over my codebase for the `android_kotlin_webview_debug` rule. I believe that the problem is that `RegexAnd` is not really doing an *and* but an *or*, because every place I have the text "WebView" is reported as a violation 😕, and with the latest changes this now reports at least 155 violations. Violations are reported in imports or in any place where `WebView*` is identified.
Since this is a private repository I cannot share a code link, but I attach some screenshots in case this makes the problem clearer.
False positive example of `import`:

False positive example of calling the `WebView` Fragment:

Only reference of `setWebContentsDebuggingEnabled`:

In case it helps, this is the only relevant reference of `setWebContentsDebuggingEnabled` in my code, and it is also flagged with ignore. (Note that the tool correctly ignores this specific line!)

Posting here the rule that is triggered:
src: https://github.com/MobSF/mobsfscan/blob/7d67c719fffc8a48accfa3dc33f5dae37c451a02/mobsfscan/rules/patterns/android/kotlin/kotlin_rules.yaml#L100
I remain at your disposal for any further clarification; please let me know if I can do anything else to help in the investigation of this issue, or if there is an explanation why this is triggered and I just have to completely disable this rule.
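The *and*-versus-*or* distinction discussed in this issue, shown as an added toy scanner (not mobsfscan's own code): the two regexes are assumed stand-ins for the real rule's patterns, which are only linked above, and the Kotlin input is a copy of the sample from the thread with and without the debugging line.

```python
"""Toy reproduction of 'and' vs 'or' matching over the issue's Kotlin sample.

Added example, not mobsfscan's code. PATTERNS are ASSUMED stand-ins for the
real android_kotlin_webview_debug rule, which this page only links to.
"""
import re
from typing import List

# Kotlin sample from the issue, with the debugging call present (constructed copy).
SAMPLE_WITH_DEBUG = """package com.myapp
import com.facebook.react.ReactActivity
import android.os.Bundle
import android.webkit.WebView
class MainActivity : ReactActivity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        WebView.setWebContentsDebuggingEnabled(true)
    }
}
"""
# Same file with the debugging line removed (the reporter's false-positive case).
SAMPLE_WITHOUT_DEBUG = SAMPLE_WITH_DEBUG.replace(
    "        WebView.setWebContentsDebuggingEnabled(true)\n", "")

# Assumed patterns: a finding should require BOTH to be present in the file.
PATTERNS = [r"\bWebView\b", r"setWebContentsDebuggingEnabled\(\s*true\s*\)"]


def matching_lines(pattern: str, text: str) -> List[int]:
    """Return 1-based line numbers on which `pattern` matches."""
    return [i for i, line in enumerate(text.splitlines(), 1)
            if re.search(pattern, line)]


def scan_and(patterns: List[str], text: str) -> List[int]:
    """'And' semantics: report only if EVERY pattern matches somewhere in the
    file; the reported lines are those hit by the most specific (last) pattern."""
    hits = [matching_lines(p, text) for p in patterns]
    if not all(hits):
        return []
    return hits[-1]


def scan_or(patterns: List[str], text: str) -> List[int]:
    """'Or' semantics: report every line that matches ANY pattern. This is the
    behaviour the reporter observes: the bare `import android.webkit.WebView`
    line is flagged even when no debugging call exists."""
    lines = set()
    for p in patterns:
        lines.update(matching_lines(p, text))
    return sorted(lines)
```

With the debugging line removed, `scan_and` returns nothing while `scan_or` still flags the import line, which is the false positive described above.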