New Android Manifest Rule: App support vulnerable android versions (#…

…2114) * add a new rule: dangerous os version * qa * lint checks * run lint test on one os
MobSF · Jan 11, 2023 · aeaa9b1 · aeaa9b1
1 parent 5ccb028
commit aeaa9b1
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 3 deletions.
diff --git a/.github/workflows/mobsf-test.yml b/.github/workflows/mobsf-test.yml
@@ -12,7 +12,7 @@ jobs:
       fail-fast: false
       matrix:
         os: [ubuntu-20.04, macos-latest, windows-latest]
-        python-version: [3.8, 3.9, '3.10']
+        python-version: [3.9, '3.10']
         # exclude:
           # excludes py38, py39 on Windows
           # - os: windows-latest
@@ -26,6 +26,7 @@ jobs:
       with:
         python-version: ${{ matrix.python-version }}
     - name: Lint
+      if: startsWith(matrix.os, 'ubuntu')
       run: |
         python -m pip install --upgrade pip tox
         tox -e lint

diff --git a/mobsf/StaticAnalyzer/views/android/android_manifest_desc.py b/mobsf/StaticAnalyzer/views/android/android_manifest_desc.py
@@ -41,6 +41,17 @@
         'name': ('App has a Network Security Configuration '
                  '[android:networkSecurityConfig=%s]'),
     },
+    'vulnerable_os_version': {
+        'title': ('App can be installed on a vulnerable Android version'
+                  '<br>[minSdk=%s]'),
+        'level': 'warning',
+        'description': ('This application can be installed on an older version'
+                        ' of android that has multiple unfixed '
+                        'vulnerabilities. Support an Android version > 8, '
+                        'API 26 to receive reasonable security updates.'),
+        'name': ('App can be installed on a vulnerable Android version'
+                 '[minSdk=%s]'),
+    },
     'app_is_debuggable': {
         'title': 'Debug Enabled For App<br>[android:debuggable=true]',
         'level': 'high',

diff --git a/mobsf/StaticAnalyzer/views/android/manifest_analysis.py b/mobsf/StaticAnalyzer/views/android/manifest_analysis.py
@@ -27,6 +27,7 @@
 
 ANDROID_4_2_LEVEL = 17
 ANDROID_5_0_LEVEL = 21
+ANDROID_8_0_LEVEL = 26
 
 
 def get_manifest(app_path, app_dir, tools_dir, typ, binary):
@@ -294,7 +295,10 @@ def manifest_analysis(mfxml, man_data_dic, src_type, app_dir):
             elif permission.getAttribute('android:name'):
                 permission_dict[permission.getAttribute(
                     'android:name')] = 'normal'
-
+        # GENERAL
+        if man_data_dic['min_sdk'] and int(man_data_dic['min_sdk']) < ANDROID_8_0_LEVEL:
+            minsdk = man_data_dic.get('min_sdk')
+            ret_list.append(('vulnerable_os_version', (minsdk,), ()))
         # APPLICATIONS
         for application in applications:
             # Esteve 23.07.2016 - begin - identify permission at the

diff --git a/tox.ini b/tox.ini
@@ -38,7 +38,7 @@ deps =
     codespell
 commands =
     flake8 {posargs}
-    codespell --ignore-words-list="doubleclick,dout,ne,upto" --skip="./mobsf/signatures/*,*.map,*.js,*.svg,./.tox/*,./venv/*,./.git/*"
+    codespell --ignore-words-list="doubleclick,dout,ne,upto" --skip="./mobsf/StaticAnalyzer/tools/*,./mobsf/signatures/*,*.map,*.js,*.svg,./.tox/*,./venv/*,./.git/*"
 
 [testenv:clean]
 deps =