### Travis CI Integration for mobsfscan
Source: https://github.com/mobsf/mobsfscan/blob/main/README.md
This Travis CI configuration specifies Python as the language and installs mobsfscan using pip during the setup phase. The script section then executes mobsfscan on the project. This allows for continuous security scanning in projects hosted on platforms that use Travis CI.
```yaml
language: python
install:
- pip3 install --upgrade mobsfscan
script:
- mobsfscan .
```
--------------------------------
### GitLab CI Integration for mobsfscan
Source: https://context7.com/mobsf/mobsfscan/llms.txt
These GitLab CI configurations show how to integrate mobsfscan into your pipeline. The first example runs mobsfscan and saves the results as a JSON artifact. The second example specifically configures the JSON output to be recognized as a code quality report by GitLab.
```yaml
# .gitlab-ci.yml
stages:
- test
mobsfscan:
stage: test
image: python
before_script:
- pip3 install --upgrade mobsfscan
script:
- mobsfscan .
allow_failure: false
artifacts:
when: always
paths:
- mobsfscan-results.json
expire_in: 1 week
# With JSON output artifact
mobsfscan-json:
stage: test
image: python
before_script:
- pip3 install --upgrade mobsfscan
script:
- mobsfscan --json -o mobsfscan-results.json . || true
artifacts:
when: always
paths:
- mobsfscan-results.json
reports:
codequality: mobsfscan-results.json
```
--------------------------------
### Gitlab CI/CD Integration for mobsfscan
Source: https://github.com/mobsf/mobsfscan/blob/main/README.md
This Gitlab CI/CD configuration sets up a pipeline to run mobsfscan. It uses a Python Docker image, installs mobsfscan via pip, and executes the scan on the project directory. This enables automated security scanning within the Gitlab CI environment.
```yaml
stages:
- test
mobsfscan:
image: python
before_script:
- pip3 install --upgrade mobsfscan
script:
- mobsfscan .
```
--------------------------------
### Circle CI Integration for mobsfscan
Source: https://github.com/mobsf/mobsfscan/blob/main/README.md
This Circle CI configuration defines a job that uses a Python Docker image. It checks out the code, installs mobsfscan using pip, and then runs the scan. This setup facilitates automated security analysis within the Circle CI continuous integration environment.
```yaml
version: 2.1
jobs:
mobsfscan:
docker:
- image: cimg/python:3.9.6
steps:
- checkout
- run:
name: Install mobsfscan
command: pip install --upgrade mobsfscan
- run:
name: mobsfscan check
command: mobsfscan .
```
--------------------------------
### Java Security Rules - Cryptography Detection
Source: https://context7.com/mobsf/mobsfscan/llms.txt
This Java code snippet illustrates how mobsfscan detects various cryptographic vulnerabilities. It includes examples of weak cipher algorithms (DES, RC4), insecure modes (AES ECB), padding oracle vulnerabilities (CBC PKCS5Padding), RSA without OAEP, insecure random number generation, weak hash algorithms (MD5, SHA-1), and weak Initialization Vectors (IVs).
```java
// DETECTED: Weak cipher algorithms (DES, RC2, RC4, Blowfish)
// Rule: weak_cipher - Severity: ERROR
Cipher cipher = Cipher.getInstance("DES/CBC/PKCS5Padding");
Cipher rc4 = Cipher.getInstance("RC4");
// DETECTED: AES ECB mode (weak block cipher mode)
// Rule: android_kotlin_aes_ecb - Severity: ERROR
Cipher aesEcb = Cipher.getInstance("AES/ECB/PKCS5Padding");
Cipher aesDefault = Cipher.getInstance("AES"); // Defaults to ECB
// DETECTED: CBC with PKCS padding (padding oracle vulnerable)
// Rule: cbc_kotlin_padding_oracle - Severity: ERROR
Cipher cbcPkcs = Cipher.getInstance("AES/CBC/PKCS5Padding");
// DETECTED: RSA without OAEP padding
// Rule: android_kotlin_rsa_no_oaep - Severity: ERROR
Cipher rsa = Cipher.getInstance("RSA/ECB/NoPadding");
// DETECTED: Insecure random number generator
// Rule: android_kotlin_insecure_random - Severity: WARNING
Random random = new java.util.Random();
// DETECTED: Weak hash algorithms (MD4, MD5, SHA-1)
// Rule: android_kotlin_md5, android_kotlin_sha1 - Severity: WARNING
MessageDigest md5 = MessageDigest.getInstance("MD5");
MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
// DETECTED: Weak/predictable IV
// Rule: android_kotlin_weak_iv - Severity: WARNING
byte[] iv = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00};
```
--------------------------------
### Build and Run mobsfscan Locally with Docker
Source: https://github.com/mobsf/mobsfscan/blob/main/README.md
This demonstrates building a mobsfscan Docker image locally from the project's Dockerfile and then running it. Similar to the prebuilt image, it mounts a local source directory to `/src` for scanning, allowing for custom builds or offline usage.
```bash
docker build -t mobsfscan .
docker run -v /path-to-source-dir:/src mobsfscan /src
```
--------------------------------
### Executing MobSFScan via Command Line Interface
Source: https://context7.com/mobsf/mobsfscan/llms.txt
Demonstrates how to run security scans from the terminal, including options for output formats like JSON, SARIF, and HTML, as well as CI/CD integration flags.
```bash
mobsfscan /path/to/android/src
mobsfscan --json -o results.json /path/to/ios/src
mobsfscan --sarif -o results.sarif /path/to/source
mobsfscan --sonarqube -o sonarqube.json /path/to/source
mobsfscan --html -o report.html /path/to/source
mobsfscan --type android /path/to/source
mobsfscan -mp billiard /path/to/source
mobsfscan -w /path/to/source
mobsfscan --no-fail /path/to/source
mobsfscan -c /path/to/.mobsf /path/to/source
mobsfscan -v
```
--------------------------------
### Perform Static Analysis with MobSFScan
Source: https://github.com/mobsf/mobsfscan/blob/main/README.md
Initializes the MobSFScan scanner with a list of source files and executes the scan. The output is returned as a structured dictionary containing detected vulnerabilities, metadata, and severity levels.
```python
from mobsfscan.mobsfscan import MobSFScan
src = 'tests/assets/src/java/java_vuln.java'
scanner = MobSFScan([src], json=True)
results = scanner.scan()
```
--------------------------------
### MobSFScan Initialization and Scan
Source: https://github.com/mobsf/mobsfscan/blob/main/README.md
This snippet demonstrates how to initialize the MobSFScan object with source file paths and execute a scan. It also shows the expected JSON output structure for scan results.
```APIDOC
## MobSFScan Initialization and Scan
### Description
This section details how to use the MobSFScan Python library to perform static code analysis on specified source files. It covers initializing the scanner and executing the scan, along with an example of the JSON output.
### Method
Python Class Method
### Endpoint
N/A (Python Library)
### Parameters
#### Path Parameters
N/A
#### Query Parameters
N/A
#### Request Body
N/A
### Request Example
```python
from mobsfscan.mobsfscan import MobSFScan
# Specify the path to the source file(s)
src = 'tests/assets/src/java/java_vuln.java'
# Initialize MobSFScan with the source file and enable JSON output
scanner = MobSFScan([src], json=True)
# Execute the scan
scan_results = scanner.scan()
# Print the results (which will be a JSON string if json=True)
print(scan_results)
```
### Response
#### Success Response (200)
Returns a JSON object containing the scan results, categorized by vulnerability type. Each category includes metadata such as CWE, OWASP Mobile Top 10 mapping, MASVS, references, description, and severity.
#### Response Example
```json
{
"results": {
"android_logging": {
"files": [
{
"file_path": "tests/assets/src/java/java_vuln.java",
"match_position": [13, 73],
"match_lines": [19, 19],
"match_string": " Log.d(\"htbridge\", \"getAllRecords(): \" + records.toString());"
}
],
"metadata": {
"cwe": "CWE-532 Insertion of Sensitive Information into Log File",
"owasp-mobile": "M1: Improper Platform Usage",
"masvs": "MSTG-STORAGE-3",
"reference": "https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs",
"description": "The App logs information. Please ensure that sensitive information is never logged.",
"severity": "INFO"
}
},
"android_certificate_pinning": {
"metadata": {
"cwe": "CWE-295 Improper Certificate Validation",
"owasp-mobile": "M3: Insecure Communication",
"masvs": "MSTG-NETWORK-4",
"reference": "https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4",
"description": "This App does not use TLS/SSL certificate or public key pinning to detect or prevent MITM attacks in secure communication channel.",
"severity": "INFO"
}
},
"android_root_detection": {
"metadata": {
"cwe": "CWE-919 - Weaknesses in Mobile Applications",
"owasp-mobile": "M8: Code Tampering",
"masvs": "MSTG-RESILIENCE-1",
"reference": "https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1",
"description": "This App does not have root detection capabilities. Running a sensitive application on a rooted device questions the device integrity and affects users data.",
"severity": "INFO"
}
},
"android_prevent_screenshot": {
"metadata": {
"cwe": "CWE-200 Information Exposure",
"owasp-mobile": "M2: Insecure Data Storage",
"masvs": "MSTG-STORAGE-9",
"reference": "https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#finding-sensitive-information-in-auto-generated-screenshots-mstg-storage-9",
"description": "This App does not have capabilities to prevent against Screenshots from Recent Task History/ Now On Tap etc.",
"severity": "INFO"
}
},
"android_safetynet_api": {
"metadata": {
"cwe": "CWE-353 Missing Support for Integrity Check",
"owasp-mobile": "M8: Code Tampering",
"masvs": "MSTG-RESILIENCE-1",
"reference": "https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1",
"description": "This App does not uses SafetyNet Attestation API that provides cryptographically-signed attestation, assessing the device's integrity. This check helps to ensure that the servers are interacting with the genuine app running on a genuine Android device. ",
"severity": "INFO"
}
},
"android_detect_tapjacking": {
"metadata": {
"cwe": "CWE-200 Information Exposure",
"owasp-mobile": "M1: Improper Platform Usage",
"masvs": "MSTG-PLATFORM-9",
"reference": "https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-for-overlay-attacks-mstg-platform-9",
"description": "This app does not has capabilities to prevent tapjacking attacks. An attacker can hijack the user's taps and tricks him into performing some critical operations that he did not intend to.",
"severity": "INFO"
}
}
},
"errors": []
}
```
```
--------------------------------
### Docker Pull and Run mobsfscan
Source: https://github.com/mobsf/mobsfscan/blob/main/README.md
These bash commands demonstrate how to use the prebuilt mobsfscan Docker image from DockerHub. First, pull the image, then run a container, mounting a local source directory to `/src` within the container for scanning. This provides an isolated environment for running mobsfscan.
```bash
docker pull opensecurity/mobsfscan
docker run -v /path-to-source-dir:/src opensecurity/mobsfscan /src
```
--------------------------------
### Run MobSFScan on Source Code
Source: https://github.com/mobsf/mobsfscan/blob/main/README.md
This command initiates a scan of the provided source code directory using MobSFScan. It analyzes for pattern matches and semantic grep findings, outputting a summary of detected issues and detailed rule information.
```bash
$ mobsfscan tests/assets/src/
- Pattern Match ████████████████████████████████████████████████████████████ 3
- Semantic Grep ██████ 37
mobsfscan: v0.3.0 | Ajin Abraham | opensecurity.in
╒══════════════╤════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════╕
│ RULE ID │ android_webview_ignore_ssl │
├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ DESCRIPTION │ Insecure WebView Implementation. WebView ignores SSL Certificate errors and accept any SSL Certificate. This application is vulnerable to MITM attacks │
├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ TYPE │ RegexAnd │
├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ PATTERN │ ['onReceivedSslError\(WebView', '\.proceed\(\);'] │
├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ SEVERITY │ ERROR │
├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ INPUTCASE │ exact │
├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ CVSS │ 7.4 │
├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ CWE │ CWE-295 Improper Certificate Validation │
├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ OWASP-MOBILE │ M3: Insecure Communication │
├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ MASVS │ MSTG-NETWORK-3 │
├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ REF │ https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#webview-server-certificate-verification │
├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ FILES │ ╒════════════════╤═════════════════════════════════════════════════════════════════════════════════════════════╕ │
│ │ │ File │ ../test_files/android_src/app/src/main/java/opensecurity/webviewignoressl/MainActivity.java │ │
│ │ ├────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────┤ │
│ │ │ Match Position │ 1480 - 1491 │ │
│ │ ├────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────┤ │
```
--------------------------------
### Implementing Android Security Best Practices
Source: https://context7.com/mobsf/mobsfscan/llms.txt
This snippet highlights the implementation of security controls such as FLAG_SECURE to prevent screenshots, which is a key best practice identified by mobsfscan.
```java
getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE, WindowManager.LayoutParams.FLAG_SECURE);
```
--------------------------------
### GitHub Actions CI Integration for mobsfscan
Source: https://context7.com/mobsf/mobsfscan/llms.txt
This GitHub Actions workflow demonstrates how to integrate mobsfscan for code scanning. It checks out the code, sets up Python, runs mobsfscan to generate a SARIF report, and uploads the report for code scanning integration. It uses the MobSF/mobsfscan@main action and github/codeql-action/upload-sarif@v2.
```yaml
name: mobsfscan sarif
on:
push:
branches: [master, main]
pull_request:
branches: [master, main]
jobs:
mobsfscan:
runs-on: ubuntu-latest
name: mobsfscan code scanning
steps:
- name: Checkout the code
uses: actions/checkout@v4.2.2
- uses: actions/setup-python@v5.3.0
with:
python-version: '3.12'
- name: mobsfscan
uses: MobSF/mobsfscan@main
with:
args: '. --sarif --output results.sarif || true'
- name: Upload mobsfscan report
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: results.sarif
```
--------------------------------
### Generate SARIF and SonarQube Reports
Source: https://context7.com/mobsf/mobsfscan/llms.txt
Demonstrates how to programmatically generate security reports in SARIF and SonarQube formats using the MobSFScan Python API.
```python
from mobsfscan.mobsfscan import MobSFScan
from mobsfscan.formatters import sarif, sonarqube
scanner = MobSFScan(paths=['/path/to/source'], json=True)
scan_results = scanner.scan()
# Generate SARIF
sarif.sarif_output(outfile='results.sarif', scan_results=scan_results, mobsfscan_version='0.4.5', path=['/path/to/source'])
# Generate SonarQube
sonarqube.sonarqube_output(outfile='sonarqube-report.json', scan_results=scan_results, version='0.4.5')
```
--------------------------------
### Docker Usage for mobsfscan
Source: https://context7.com/mobsf/mobsfscan/llms.txt
This section details how to use the mobsfscan Docker image. It covers pulling the image, scanning local directories with different output formats (JSON), using custom configuration files, building the image locally, and scanning specific file types like Android or iOS applications.
```bash
# Pull from DockerHub
docker pull opensecurity/mobsfscan
# Scan a local directory
docker run -v /path/to/source:/src opensecurity/mobsfscan /src
# Scan with JSON output
docker run -v /path/to/source:/src -v /path/to/output:/out \
opensecurity/mobsfscan /src --json -o /out/results.json
# Scan with custom config
docker run -v /path/to/source:/src -v /path/to/config:/config \
opensecurity/mobsfscan /src -c /config/.mobsf
# Build locally
docker build -t mobsfscan .
docker run -v /path/to/source:/src mobsfscan /src
# Scan specific file types
docker run -v /path/to/source:/src opensecurity/mobsfscan /src --type android
docker run -v /path/to/source:/src opensecurity/mobsfscan /src --type ios
```
--------------------------------
### Bitrise Integration for mobsfscan
Source: https://github.com/mobsf/mobsfscan/blob/main/README.md
This Bitrise configuration outlines the steps for a security audit workflow. It includes activating SSH keys, cloning the repository, running the mobsfscan tool as a dedicated step, and deploying the results. This integrates mobsfscan into the Bitrise mobile CI/CD platform.
```yaml
security_audit:
steps:
- activate-ssh-key@4:
run_if: '{{getenv "SSH_RSA_PRIVATE_KEY" | ne ""}}'
- git-clone@8.4: {}
- mobsfscan@1: {}
- deploy-to-bitrise-io@2: {}
```
--------------------------------
### Integrating MobSFScan using Python API
Source: https://context7.com/mobsf/mobsfscan/llms.txt
Shows how to programmatically invoke the MobSFScan class to scan directories and process vulnerability findings within Python scripts.
```python
from mobsfscan.mobsfscan import MobSFScan
scanner = MobSFScan(paths=['tests/assets/src/java/java_vuln.java'], json=True)
results = scanner.scan()
scanner = MobSFScan(paths=['/app/src/main/java', '/app/src/main/kotlin'], json=True, scan_type='android', config='/path/to/.mobsf', mp='default')
results = scanner.scan()
for rule_id, details in results['results'].items():
severity = details['metadata']['severity']
description = details['metadata']['description']
cwe = details['metadata']['cwe']
print(f"[{severity}] {rule_id}")
```
--------------------------------
### Configure MobSFScan with .mobsf
Source: https://context7.com/mobsf/mobsfscan/llms.txt
Defines the YAML structure for the .mobsf configuration file to ignore specific files, directories, and rules, or filter by severity.
```yaml
ignore-filenames:
- skip.java
- test_helper.kt
ignore-paths:
- build
- node_modules
ignore-rules:
- android_kotlin_logging
severity-filter:
- WARNING
- ERROR
```
--------------------------------
### Github Action for mobsfscan
Source: https://github.com/mobsf/mobsfscan/blob/main/README.md
This Github Action workflow automates the execution of mobsfscan on push or pull requests to the master or main branches. It checks out the code, sets up Python, and runs mobsfscan with JSON output. The action is designed for integration into CI/CD pipelines.
```yaml
name: mobsfscan
on:
push:
branches: [ master, main ]
pull_request:
branches: [ master, main ]
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4.2.2
- uses: actions/setup-python@v5.3.0
with:
python-version: '3.12'
- name: mobsfscan
uses: MobSF/mobsfscan@main
with:
args: '. --json'
```
--------------------------------
### Github Code Scanning Integration with mobsfscan
Source: https://github.com/mobsf/mobsfscan/blob/main/README.md
This Github Action workflow configures mobsfscan for code scanning, generating SARIF reports for integration with Github's security features. It checks out code, sets up Python, runs mobsfscan with SARIF output, and uploads the report. The `|| true` ensures the workflow continues even if mobsfscan finds issues.
```yaml
name: mobsfscan sarif
on:
push:
branches: [ master, main ]
pull_request:
branches: [ master, main ]
jobs:
mobsfscan:
runs-on: ubuntu-latest
name: mobsfscan code scanning
steps:
- name: Checkout the code
uses: actions/checkout@v4.2.2
- uses: actions/setup-python@v5.3.0
with:
python-version: '3.12'
- name: mobsfscan
uses: MobSF/mobsfscan@main
with:
args: '. --sarif --output results.sarif || true'
- name: Upload mobsfscan report
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: results.sarif
```
--------------------------------
### Configure mobsfscan with YAML
Source: https://github.com/mobsf/mobsfscan/blob/main/README.md
This YAML configuration file allows users to customize mobsfscan's behavior by specifying files and paths to ignore, rules to exclude, and severity levels for findings. It can be placed in the root of the source code directory or specified via a --config argument.
```yaml
---
- ignore-filenames:
- skip.java
ignore-paths:
- __MACOSX
- skip_dir
ignore-rules:
- android_kotlin_logging
- android_safetynet_api
- android_prevent_screenshot
- android_detect_tapjacking
- android_certificate_pinning
- android_root_detection
- android_certificate_transparency
severity-filter:
- WARNING
- ERROR
```
--------------------------------
### Automate Scans with GitHub Actions
Source: https://context7.com/mobsf/mobsfscan/llms.txt
Provides a workflow configuration for running MobSFScan automatically on push or pull request events in GitHub.
```yaml
name: mobsfscan
on: [push, pull_request]
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4.2.2
- uses: MobSF/mobsfscan@main
with:
args: '. --json'
```
--------------------------------
### Update Pipfile and Requirements
Source: https://github.com/mobsf/mobsfscan/blob/main/action.md
This command sequence updates the Pipfile.lock based on the current Pipfile, synchronizes the environment, and generates a requirements.txt file. It uses PIPENV_IGNORE_VIRTUALENVS to ensure the commands run outside of any existing virtual environment.
```bash
PIPENV_IGNORE_VIRTUALENVS=1 pipenv lock
PIPENV_IGNORE_VIRTUALENVS=1 pipenv sync
PIPENV_IGNORE_VIRTUALENVS=1 pipenv run pip freeze > requirements.txt
```
--------------------------------
### Insecure Data Storage Patterns in Kotlin/Java
Source: https://context7.com/mobsf/mobsfscan/llms.txt
Identifies insecure data storage practices in Android applications. This covers world-writable/readable files, logging sensitive information, and the presence of hardcoded credentials, all of which can lead to data breaches.
```java
FileOutputStream fos = openFileOutput("data.txt", MODE_WORLD_WRITABLE);
FileOutputStream fos2 = openFileOutput("data.txt", 2);
```
```java
FileOutputStream fos = openFileOutput("data.txt", MODE_WORLD_READABLE);
FileOutputStream fos2 = openFileOutput("data.txt", 1);
```
```java
Log.d("Auth", "User password: " + password);
System.out.println("Secret key: " + apiKey);
```
```java
String password = "secretPassword123";
String apiKey = "sk_live_abc123";
String username = "admin";
```
--------------------------------
### Network Security Configuration Vulnerabilities
Source: https://context7.com/mobsf/mobsfscan/llms.txt
Examines Android Network Security Configuration files for insecure settings. This includes configurations that permit cleartext traffic, improperly trust user-installed certificates, or allow certificate pinning bypass, potentially leading to man-in-the-middle attacks.
```xml
```
```xml
example.com
```
```xml
```
```xml
```
--------------------------------
### Android Manifest Security Misconfigurations
Source: https://context7.com/mobsf/mobsfscan/llms.txt
Analyzes the AndroidManifest.xml file for critical security misconfigurations. This includes settings related to backup, debugging, cleartext traffic, and minimum SDK versions, which can expose the application and user data to risks.
```xml
```
```xml
```
```xml
```
```xml
```
```xml
```
--------------------------------
### Detecting Injection and Deserialization Vulnerabilities in Android
Source: https://context7.com/mobsf/mobsfscan/llms.txt
This snippet demonstrates common insecure coding patterns detected by mobsfscan, including raw SQL queries, command injection via Runtime/ProcessBuilder, and insecure Jackson or ObjectInputStream deserialization.
```java
String query = "SELECT * FROM users WHERE id = " + userId;
db.rawQuery(query, null);
db.execSQL("DELETE FROM logs WHERE date < '" + cutoffDate + "'");
Runtime.getRuntime().exec("ping " + userInput);
ProcessBuilder pb = new ProcessBuilder("sh", "-c", userCommand);
ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping();
ObjectInputStream ois = new ObjectInputStream(untrustedInput);
Object obj = ois.readObject();
```
--------------------------------
### Android WebView SSL Error Handling in MainActivity.java
Source: https://github.com/mobsf/mobsfscan/blob/main/README.md
This snippet from MainActivity.java demonstrates the handling of SSL errors in a WebView. The `onReceivedSslError` method is overridden to potentially ignore SSL certificate errors, which could lead to security vulnerabilities if not handled carefully. The `.proceed()` call indicates that the WebView is instructed to continue loading the page despite the SSL error.
```java
public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
// Ignoring SSL certificate errors for demonstration purposes.
// In a production environment, this should be handled with extreme caution.
handler.proceed();
}
```
--------------------------------
### WebView Security Misconfigurations in Kotlin/Java
Source: https://context7.com/mobsf/mobsfscan/llms.txt
Detects common WebView security vulnerabilities in Android applications written in Kotlin or Java. This includes issues like enabling JavaScript interfaces with JavaScript enabled, allowing file access from URLs, enabling WebView debugging, and loading content from external storage.
```java
WebView webView = new WebView(context);
webView.getSettings().setJavaScriptEnabled(true);
webView.addJavascriptInterface(new WebAppInterface(), "Android");
```
```java
webView.getSettings().setJavaScriptEnabled(true);
webView.getSettings().setAllowFileAccessFromFileURLs(true);
webView.getSettings().setAllowUniversalAccessFromFileURLs(true);
```
```java
WebView.setWebContentsDebuggingEnabled(true);
```
```java
webView.loadUrl(Environment.getExternalStorageDirectory().toString() + "/page.html");
```
--------------------------------
### Suppress Findings with Inline Comments
Source: https://context7.com/mobsf/mobsfscan/llms.txt
Shows how to ignore specific security rules directly within source code files using the mobsf-ignore comment syntax.
```java
String password = "intended_default"; // mobsf-ignore: android_kotlin_hardcoded
Log.d("DEBUG", sensitiveData); // mobsf-ignore: android_kotlin_logging, android_kotlin_hardcoded
```
```kotlin
val apiKey = "test_key" // mobsf-ignore: android_kotlin_hardcoded
```
```swift
let password = "test123" // mobsf-ignore: ios_hardcoded_password
```
--------------------------------
### Java Security Rules - Network Security Detection
Source: https://context7.com/mobsf/mobsfscan/llms.txt
This Java code snippet demonstrates how mobsfscan identifies network security issues. It includes detections for trusting all SSL certificates, WebViews ignoring SSL errors, the use of deprecated SSLv3, and default HTTP clients not enforcing TLS, highlighting potential vulnerabilities in network communication.
```java
// DETECTED: Trusting all SSL certificates
// Rule: android_kotlin_insecure_ssl - Severity: ERROR
import javax.net.ssl.*;
TrustAllSSLSocketFactory factory = new TrustAllSSLSocketFactory();
HostnameVerifier verifier = SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER;
// DETECTED: WebView ignoring SSL errors
// Rule: android_kotlin_webview_ignore_ssl - Severity: ERROR
@Override
public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
handler.proceed(); // Ignores SSL certificate errors
}
// DETECTED: SSL v3 usage (deprecated/insecure)
// Rule: insecure_ssl_v3 - Severity: ERROR
SSLContext sslContext = SSLContext.getInstance("SSLv3");
// DETECTED: Default HTTP client without TLS
// Rule: default_http_client_tls - Severity: WARNING
DefaultHttpClient client = new DefaultHttpClient();
```
--------------------------------
### Formatting Scan Results as JSON
Source: https://context7.com/mobsf/mobsfscan/llms.txt
Utilizes the built-in JSON formatter to save scan results to a file or retrieve them as a string for further processing.
```python
from mobsfscan.mobsfscan import MobSFScan
from mobsfscan.formatters import json_fmt
scanner = MobSFScan(paths=['/path/to/source'], json=True)
scan_results = scanner.scan()
json_fmt.json_output(outfile='results.json', scan_results=scan_results, version='0.4.5')
json_output = json_fmt.json_output(outfile=None, scan_results=scan_results, version='0.4.5')
```
--------------------------------
### Suppress mobsfscan Findings in Java
Source: https://github.com/mobsf/mobsfscan/blob/main/README.md
This Java code snippet demonstrates how to suppress specific mobsfscan findings by adding an inline comment `// mobsf-ignore: rule_id1, rule_id2` to the line that triggers the finding. This helps in managing and filtering out known or acceptable vulnerabilities.
```java
String password = "strong password"; // mobsf-ignore: hardcoded_password
```
=== COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.