Closed ohyeah521 closed 1 year ago
When debugging, I found that when there is Java code in an apk that fails to decompile, the scan function will not exit, but I don't know how to fix it.
test code:
# -*- coding: utf_8 -*-
from pathlib import Path
from sast_engine import scan

api_rules = Path(r'./mobsf/StaticAnalyzer/views/android/rules/android_rules.yaml')
src = r'./mobsf/StaticAnalyzer/views/tests/'  # unzip the test file here.
# Path prefixes of bundled libraries that the scan should skip.
skp = {
    'com/google/', 'androidx', 'okhttp2/', 'okhttp3/',
    'com/android/', 'com/squareup', 'okhttp/',  # comma added: without it 'okhttp/' and 'android/content/' were fused into one entry
    'android/content/', 'com/twitter/', 'twitter4j/',
    'android/support/', 'org/apache/', 'oauth/signpost',
    'android/arch', 'org/chromium/', 'com/facebook',
    'org/spongycastle', 'org/bouncycastle',
    'com/amazon/identity/', 'io/fabric/sdk',
    'com/instabug', 'com/crashlytics/android',
    'kotlinx/', 'kotlin/',
    'cz/msebera/android/httpclient/',
    'com/loopj/android/http',
    'com/tencent/bugly/',
    'com/j256/',
}
api_findings = scan(
    api_rules.as_posix(),  # rules file
    {'.java', '.kt'},      # file extensions to scan
    [src],                 # source directories
    skp)                   # skip prefixes
print(api_rules)
test file: C0067.zip
Thank you very much for your open source. When I used this project, I found a problem: it's too slow. Can we use multithreading or multiprocessing to improve efficiency? It takes 30 minutes or more to scan a 20m apk file when it is used in MobSF.
This is the java source code. You can test it, java_source.zip
This is the matching rule I use: https://github.com/MobSF/Mobile-Security-Framework-MobSF/blob/master/mobsf/StaticAnalyzer/views/android/rules/android_rules.yaml
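An added example, not code from MobSF, sast_engine or the reporter, showing one way the two problems raised in this thread (a scan that never returns on one file, and a slow serial scan) can be handled at the call site: each source file is scanned in a worker process with a per-file deadline, and a worker that overruns is reported and killed instead of blocking the whole run. The rule list, skip prefixes and sample tree are constructed stand-ins, not MobSF's YAML schema.

```python
import multiprocessing
import re
import tempfile
from pathlib import Path

# Constructed rules (id + regex); MobSF's YAML rules carry more fields than this.
RULES = [
    {"id": "android_logging", "pattern": re.compile(r"Log\.[vdiwe]\(")},
    {"id": "sqlite_rawquery", "pattern": re.compile(r"\.rawQuery\(")},
]
EXTS = {".java", ".kt"}
# Same shape as the skip set in the report above: path prefixes of bundled libraries.
SKIP = {"com/google/", "androidx", "okhttp3/"}


def should_skip(rel_path: str) -> bool:
    return any(rel_path.startswith(prefix) for prefix in SKIP)


def scan_file(path_str: str, root_str: str) -> list:
    """Runs in a worker process; returns (rule_id, relative_path, line) tuples."""
    path, root = Path(path_str), Path(root_str)
    rel = path.relative_to(root).as_posix()
    text = path.read_text(errors="ignore")
    hits = []
    for rule in RULES:
        for m in rule["pattern"].finditer(text):
            hits.append((rule["id"], rel, text.count("\n", 0, m.start()) + 1))
    return hits


def scan_parallel(src_root, workers: int = 4, per_file_timeout: float = 30.0):
    root = Path(src_root)
    files = [p for p in sorted(root.rglob("*"))
             if p.suffix in EXTS and not should_skip(p.relative_to(root).as_posix())]
    findings, timed_out = [], []
    # Pool.__exit__ calls terminate(), so a worker wedged on one file is killed
    # on exit instead of keeping the whole scan from returning.
    with multiprocessing.Pool(processes=workers) as pool:
        jobs = [(p, pool.apply_async(scan_file, (str(p), str(root)))) for p in files]
        for p, job in jobs:
            try:  # the deadline is per job, counted from this get() call
                findings.extend(job.get(timeout=per_file_timeout))
            except multiprocessing.TimeoutError:
                timed_out.append(p.relative_to(root).as_posix())
    return sorted(findings), timed_out


def make_sample_tree() -> Path:
    """Constructed input: two app files plus one bundled-library file that must be skipped."""
    root = Path(tempfile.mkdtemp())
    (root / "app").mkdir(); (root / "com" / "google").mkdir(parents=True)
    (root / "app" / "MainActivity.java").write_text(
        'import android.util.Log;\nLog.d("t", "x");\ndb.rawQuery("select 1", null);\n')
    (root / "app" / "Util.kt").write_text("fun f() = 1\n")
    (root / "com" / "google" / "Foo.java").write_text('Log.e("t", "skipped");\n')
    return root
```

Files that hit the deadline come back in the second return value, so the caller can log which sources were not fully scanned rather than silently dropping them.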