### Travis CI Integration for mobsfscan Source: https://github.com/mobsf/mobsfscan/blob/main/README.md This Travis CI configuration specifies Python as the language and installs mobsfscan using pip during the setup phase. The script section then executes mobsfscan on the project. This allows for continuous security scanning in projects hosted on platforms that use Travis CI. ```yaml language: python install: - pip3 install --upgrade mobsfscan script: - mobsfscan . ``` -------------------------------- ### GitLab CI Integration for mobsfscan Source: https://context7.com/mobsf/mobsfscan/llms.txt These GitLab CI configurations show how to integrate mobsfscan into your pipeline. The first example runs mobsfscan and saves the results as a JSON artifact. The second example specifically configures the JSON output to be recognized as a code quality report by GitLab. ```yaml # .gitlab-ci.yml stages: - test mobsfscan: stage: test image: python before_script: - pip3 install --upgrade mobsfscan script: - mobsfscan . allow_failure: false artifacts: when: always paths: - mobsfscan-results.json expire_in: 1 week # With JSON output artifact mobsfscan-json: stage: test image: python before_script: - pip3 install --upgrade mobsfscan script: - mobsfscan --json -o mobsfscan-results.json . || true artifacts: when: always paths: - mobsfscan-results.json reports: codequality: mobsfscan-results.json ``` -------------------------------- ### Gitlab CI/CD Integration for mobsfscan Source: https://github.com/mobsf/mobsfscan/blob/main/README.md This Gitlab CI/CD configuration sets up a pipeline to run mobsfscan. It uses a Python Docker image, installs mobsfscan via pip, and executes the scan on the project directory. This enables automated security scanning within the Gitlab CI environment. ```yaml stages: - test mobsfscan: image: python before_script: - pip3 install --upgrade mobsfscan script: - mobsfscan . ``` -------------------------------- ### Circle CI Integration for mobsfscan Source: https://github.com/mobsf/mobsfscan/blob/main/README.md This Circle CI configuration defines a job that uses a Python Docker image. It checks out the code, installs mobsfscan using pip, and then runs the scan. This setup facilitates automated security analysis within the Circle CI continuous integration environment. ```yaml version: 2.1 jobs: mobsfscan: docker: - image: cimg/python:3.9.6 steps: - checkout - run: name: Install mobsfscan command: pip install --upgrade mobsfscan - run: name: mobsfscan check command: mobsfscan . ``` -------------------------------- ### Java Security Rules - Cryptography Detection Source: https://context7.com/mobsf/mobsfscan/llms.txt This Java code snippet illustrates how mobsfscan detects various cryptographic vulnerabilities. It includes examples of weak cipher algorithms (DES, RC4), insecure modes (AES ECB), padding oracle vulnerabilities (CBC PKCS5Padding), RSA without OAEP, insecure random number generation, weak hash algorithms (MD5, SHA-1), and weak Initialization Vectors (IVs). ```java // DETECTED: Weak cipher algorithms (DES, RC2, RC4, Blowfish) // Rule: weak_cipher - Severity: ERROR Cipher cipher = Cipher.getInstance("DES/CBC/PKCS5Padding"); Cipher rc4 = Cipher.getInstance("RC4"); // DETECTED: AES ECB mode (weak block cipher mode) // Rule: android_kotlin_aes_ecb - Severity: ERROR Cipher aesEcb = Cipher.getInstance("AES/ECB/PKCS5Padding"); Cipher aesDefault = Cipher.getInstance("AES"); // Defaults to ECB // DETECTED: CBC with PKCS padding (padding oracle vulnerable) // Rule: cbc_kotlin_padding_oracle - Severity: ERROR Cipher cbcPkcs = Cipher.getInstance("AES/CBC/PKCS5Padding"); // DETECTED: RSA without OAEP padding // Rule: android_kotlin_rsa_no_oaep - Severity: ERROR Cipher rsa = Cipher.getInstance("RSA/ECB/NoPadding"); // DETECTED: Insecure random number generator // Rule: android_kotlin_insecure_random - Severity: WARNING Random random = new java.util.Random(); // DETECTED: Weak hash algorithms (MD4, MD5, SHA-1) // Rule: android_kotlin_md5, android_kotlin_sha1 - Severity: WARNING MessageDigest md5 = MessageDigest.getInstance("MD5"); MessageDigest sha1 = MessageDigest.getInstance("SHA-1"); // DETECTED: Weak/predictable IV // Rule: android_kotlin_weak_iv - Severity: WARNING byte[] iv = {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}; ``` -------------------------------- ### Build and Run mobsfscan Locally with Docker Source: https://github.com/mobsf/mobsfscan/blob/main/README.md This demonstrates building a mobsfscan Docker image locally from the project's Dockerfile and then running it. Similar to the prebuilt image, it mounts a local source directory to `/src` for scanning, allowing for custom builds or offline usage. ```bash docker build -t mobsfscan . docker run -v /path-to-source-dir:/src mobsfscan /src ``` -------------------------------- ### Executing MobSFScan via Command Line Interface Source: https://context7.com/mobsf/mobsfscan/llms.txt Demonstrates how to run security scans from the terminal, including options for output formats like JSON, SARIF, and HTML, as well as CI/CD integration flags. ```bash mobsfscan /path/to/android/src mobsfscan --json -o results.json /path/to/ios/src mobsfscan --sarif -o results.sarif /path/to/source mobsfscan --sonarqube -o sonarqube.json /path/to/source mobsfscan --html -o report.html /path/to/source mobsfscan --type android /path/to/source mobsfscan -mp billiard /path/to/source mobsfscan -w /path/to/source mobsfscan --no-fail /path/to/source mobsfscan -c /path/to/.mobsf /path/to/source mobsfscan -v ``` -------------------------------- ### Perform Static Analysis with MobSFScan Source: https://github.com/mobsf/mobsfscan/blob/main/README.md Initializes the MobSFScan scanner with a list of source files and executes the scan. The output is returned as a structured dictionary containing detected vulnerabilities, metadata, and severity levels. ```python from mobsfscan.mobsfscan import MobSFScan src = 'tests/assets/src/java/java_vuln.java' scanner = MobSFScan([src], json=True) results = scanner.scan() ``` -------------------------------- ### MobSFScan Initialization and Scan Source: https://github.com/mobsf/mobsfscan/blob/main/README.md This snippet demonstrates how to initialize the MobSFScan object with source file paths and execute a scan. It also shows the expected JSON output structure for scan results. ```APIDOC ## MobSFScan Initialization and Scan ### Description This section details how to use the MobSFScan Python library to perform static code analysis on specified source files. It covers initializing the scanner and executing the scan, along with an example of the JSON output. ### Method Python Class Method ### Endpoint N/A (Python Library) ### Parameters #### Path Parameters N/A #### Query Parameters N/A #### Request Body N/A ### Request Example ```python from mobsfscan.mobsfscan import MobSFScan # Specify the path to the source file(s) src = 'tests/assets/src/java/java_vuln.java' # Initialize MobSFScan with the source file and enable JSON output scanner = MobSFScan([src], json=True) # Execute the scan scan_results = scanner.scan() # Print the results (which will be a JSON string if json=True) print(scan_results) ``` ### Response #### Success Response (200) Returns a JSON object containing the scan results, categorized by vulnerability type. Each category includes metadata such as CWE, OWASP Mobile Top 10 mapping, MASVS, references, description, and severity. #### Response Example ```json { "results": { "android_logging": { "files": [ { "file_path": "tests/assets/src/java/java_vuln.java", "match_position": [13, 73], "match_lines": [19, 19], "match_string": " Log.d(\"htbridge\", \"getAllRecords(): \" + records.toString());" } ], "metadata": { "cwe": "CWE-532 Insertion of Sensitive Information into Log File", "owasp-mobile": "M1: Improper Platform Usage", "masvs": "MSTG-STORAGE-3", "reference": "https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs", "description": "The App logs information. Please ensure that sensitive information is never logged.", "severity": "INFO" } }, "android_certificate_pinning": { "metadata": { "cwe": "CWE-295 Improper Certificate Validation", "owasp-mobile": "M3: Insecure Communication", "masvs": "MSTG-NETWORK-4", "reference": "https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4", "description": "This App does not use TLS/SSL certificate or public key pinning to detect or prevent MITM attacks in secure communication channel.", "severity": "INFO" } }, "android_root_detection": { "metadata": { "cwe": "CWE-919 - Weaknesses in Mobile Applications", "owasp-mobile": "M8: Code Tampering", "masvs": "MSTG-RESILIENCE-1", "reference": "https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1", "description": "This App does not have root detection capabilities. Running a sensitive application on a rooted device questions the device integrity and affects users data.", "severity": "INFO" } }, "android_prevent_screenshot": { "metadata": { "cwe": "CWE-200 Information Exposure", "owasp-mobile": "M2: Insecure Data Storage", "masvs": "MSTG-STORAGE-9", "reference": "https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#finding-sensitive-information-in-auto-generated-screenshots-mstg-storage-9", "description": "This App does not have capabilities to prevent against Screenshots from Recent Task History/ Now On Tap etc.", "severity": "INFO" } }, "android_safetynet_api": { "metadata": { "cwe": "CWE-353 Missing Support for Integrity Check", "owasp-mobile": "M8: Code Tampering", "masvs": "MSTG-RESILIENCE-1", "reference": "https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1", "description": "This App does not uses SafetyNet Attestation API that provides cryptographically-signed attestation, assessing the device's integrity. This check helps to ensure that the servers are interacting with the genuine app running on a genuine Android device. ", "severity": "INFO" } }, "android_detect_tapjacking": { "metadata": { "cwe": "CWE-200 Information Exposure", "owasp-mobile": "M1: Improper Platform Usage", "masvs": "MSTG-PLATFORM-9", "reference": "https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-for-overlay-attacks-mstg-platform-9", "description": "This app does not has capabilities to prevent tapjacking attacks. An attacker can hijack the user's taps and tricks him into performing some critical operations that he did not intend to.", "severity": "INFO" } } }, "errors": [] } ``` ``` -------------------------------- ### Docker Pull and Run mobsfscan Source: https://github.com/mobsf/mobsfscan/blob/main/README.md These bash commands demonstrate how to use the prebuilt mobsfscan Docker image from DockerHub. First, pull the image, then run a container, mounting a local source directory to `/src` within the container for scanning. This provides an isolated environment for running mobsfscan. ```bash docker pull opensecurity/mobsfscan docker run -v /path-to-source-dir:/src opensecurity/mobsfscan /src ``` -------------------------------- ### Run MobSFScan on Source Code Source: https://github.com/mobsf/mobsfscan/blob/main/README.md This command initiates a scan of the provided source code directory using MobSFScan. It analyzes for pattern matches and semantic grep findings, outputting a summary of detected issues and detailed rule information. ```bash $ mobsfscan tests/assets/src/ - Pattern Match ████████████████████████████████████████████████████████████ 3 - Semantic Grep ██████ 37 mobsfscan: v0.3.0 | Ajin Abraham | opensecurity.in ╒══════════════╤════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════╕ │ RULE ID │ android_webview_ignore_ssl │ ├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤ │ DESCRIPTION │ Insecure WebView Implementation. WebView ignores SSL Certificate errors and accept any SSL Certificate. This application is vulnerable to MITM attacks │ ├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤ │ TYPE │ RegexAnd │ ├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤ │ PATTERN │ ['onReceivedSslError\(WebView', '\.proceed\(\);'] │ ├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤ │ SEVERITY │ ERROR │ ├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤ │ INPUTCASE │ exact │ ├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤ │ CVSS │ 7.4 │ ├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤ │ CWE │ CWE-295 Improper Certificate Validation │ ├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤ │ OWASP-MOBILE │ M3: Insecure Communication │ ├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤ │ MASVS │ MSTG-NETWORK-3 │ ├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤ │ REF │ https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#webview-server-certificate-verification │ ├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤ │ FILES │ ╒════════════════╤═════════════════════════════════════════════════════════════════════════════════════════════╕ │ │ │ │ File │ ../test_files/android_src/app/src/main/java/opensecurity/webviewignoressl/MainActivity.java │ │ │ │ ├────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────┤ │ │ │ │ Match Position │ 1480 - 1491 │ │ │ │ ├────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────┤ │ ``` -------------------------------- ### Implementing Android Security Best Practices Source: https://context7.com/mobsf/mobsfscan/llms.txt This snippet highlights the implementation of security controls such as FLAG_SECURE to prevent screenshots, which is a key best practice identified by mobsfscan. ```java getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE, WindowManager.LayoutParams.FLAG_SECURE); ``` -------------------------------- ### GitHub Actions CI Integration for mobsfscan Source: https://context7.com/mobsf/mobsfscan/llms.txt This GitHub Actions workflow demonstrates how to integrate mobsfscan for code scanning. It checks out the code, sets up Python, runs mobsfscan to generate a SARIF report, and uploads the report for code scanning integration. It uses the MobSF/mobsfscan@main action and github/codeql-action/upload-sarif@v2. ```yaml name: mobsfscan sarif on: push: branches: [master, main] pull_request: branches: [master, main] jobs: mobsfscan: runs-on: ubuntu-latest name: mobsfscan code scanning steps: - name: Checkout the code uses: actions/checkout@v4.2.2 - uses: actions/setup-python@v5.3.0 with: python-version: '3.12' - name: mobsfscan uses: MobSF/mobsfscan@main with: args: '. --sarif --output results.sarif || true' - name: Upload mobsfscan report uses: github/codeql-action/upload-sarif@v2 with: sarif_file: results.sarif ``` -------------------------------- ### Generate SARIF and SonarQube Reports Source: https://context7.com/mobsf/mobsfscan/llms.txt Demonstrates how to programmatically generate security reports in SARIF and SonarQube formats using the MobSFScan Python API. ```python from mobsfscan.mobsfscan import MobSFScan from mobsfscan.formatters import sarif, sonarqube scanner = MobSFScan(paths=['/path/to/source'], json=True) scan_results = scanner.scan() # Generate SARIF sarif.sarif_output(outfile='results.sarif', scan_results=scan_results, mobsfscan_version='0.4.5', path=['/path/to/source']) # Generate SonarQube sonarqube.sonarqube_output(outfile='sonarqube-report.json', scan_results=scan_results, version='0.4.5') ``` -------------------------------- ### Docker Usage for mobsfscan Source: https://context7.com/mobsf/mobsfscan/llms.txt This section details how to use the mobsfscan Docker image. It covers pulling the image, scanning local directories with different output formats (JSON), using custom configuration files, building the image locally, and scanning specific file types like Android or iOS applications. ```bash # Pull from DockerHub docker pull opensecurity/mobsfscan # Scan a local directory docker run -v /path/to/source:/src opensecurity/mobsfscan /src # Scan with JSON output docker run -v /path/to/source:/src -v /path/to/output:/out \ opensecurity/mobsfscan /src --json -o /out/results.json # Scan with custom config docker run -v /path/to/source:/src -v /path/to/config:/config \ opensecurity/mobsfscan /src -c /config/.mobsf # Build locally docker build -t mobsfscan . docker run -v /path/to/source:/src mobsfscan /src # Scan specific file types docker run -v /path/to/source:/src opensecurity/mobsfscan /src --type android docker run -v /path/to/source:/src opensecurity/mobsfscan /src --type ios ``` -------------------------------- ### Bitrise Integration for mobsfscan Source: https://github.com/mobsf/mobsfscan/blob/main/README.md This Bitrise configuration outlines the steps for a security audit workflow. It includes activating SSH keys, cloning the repository, running the mobsfscan tool as a dedicated step, and deploying the results. This integrates mobsfscan into the Bitrise mobile CI/CD platform. ```yaml security_audit: steps: - activate-ssh-key@4: run_if: '{{getenv "SSH_RSA_PRIVATE_KEY" | ne ""}}' - git-clone@8.4: {} - mobsfscan@1: {} - deploy-to-bitrise-io@2: {} ``` -------------------------------- ### Integrating MobSFScan using Python API Source: https://context7.com/mobsf/mobsfscan/llms.txt Shows how to programmatically invoke the MobSFScan class to scan directories and process vulnerability findings within Python scripts. ```python from mobsfscan.mobsfscan import MobSFScan scanner = MobSFScan(paths=['tests/assets/src/java/java_vuln.java'], json=True) results = scanner.scan() scanner = MobSFScan(paths=['/app/src/main/java', '/app/src/main/kotlin'], json=True, scan_type='android', config='/path/to/.mobsf', mp='default') results = scanner.scan() for rule_id, details in results['results'].items(): severity = details['metadata']['severity'] description = details['metadata']['description'] cwe = details['metadata']['cwe'] print(f"[{severity}] {rule_id}") ``` -------------------------------- ### Configure MobSFScan with .mobsf Source: https://context7.com/mobsf/mobsfscan/llms.txt Defines the YAML structure for the .mobsf configuration file to ignore specific files, directories, and rules, or filter by severity. ```yaml ignore-filenames: - skip.java - test_helper.kt ignore-paths: - build - node_modules ignore-rules: - android_kotlin_logging severity-filter: - WARNING - ERROR ``` -------------------------------- ### Github Action for mobsfscan Source: https://github.com/mobsf/mobsfscan/blob/main/README.md This Github Action workflow automates the execution of mobsfscan on push or pull requests to the master or main branches. It checks out the code, sets up Python, and runs mobsfscan with JSON output. The action is designed for integration into CI/CD pipelines. ```yaml name: mobsfscan on: push: branches: [ master, main ] pull_request: branches: [ master, main ] jobs: build: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4.2.2 - uses: actions/setup-python@v5.3.0 with: python-version: '3.12' - name: mobsfscan uses: MobSF/mobsfscan@main with: args: '. --json' ``` -------------------------------- ### Github Code Scanning Integration with mobsfscan Source: https://github.com/mobsf/mobsfscan/blob/main/README.md This Github Action workflow configures mobsfscan for code scanning, generating SARIF reports for integration with Github's security features. It checks out code, sets up Python, runs mobsfscan with SARIF output, and uploads the report. The `|| true` ensures the workflow continues even if mobsfscan finds issues. ```yaml name: mobsfscan sarif on: push: branches: [ master, main ] pull_request: branches: [ master, main ] jobs: mobsfscan: runs-on: ubuntu-latest name: mobsfscan code scanning steps: - name: Checkout the code uses: actions/checkout@v4.2.2 - uses: actions/setup-python@v5.3.0 with: python-version: '3.12' - name: mobsfscan uses: MobSF/mobsfscan@main with: args: '. --sarif --output results.sarif || true' - name: Upload mobsfscan report uses: github/codeql-action/upload-sarif@v2 with: sarif_file: results.sarif ``` -------------------------------- ### Configure mobsfscan with YAML Source: https://github.com/mobsf/mobsfscan/blob/main/README.md This YAML configuration file allows users to customize mobsfscan's behavior by specifying files and paths to ignore, rules to exclude, and severity levels for findings. It can be placed in the root of the source code directory or specified via a --config argument. ```yaml --- - ignore-filenames: - skip.java ignore-paths: - __MACOSX - skip_dir ignore-rules: - android_kotlin_logging - android_safetynet_api - android_prevent_screenshot - android_detect_tapjacking - android_certificate_pinning - android_root_detection - android_certificate_transparency severity-filter: - WARNING - ERROR ``` -------------------------------- ### Automate Scans with GitHub Actions Source: https://context7.com/mobsf/mobsfscan/llms.txt Provides a workflow configuration for running MobSFScan automatically on push or pull request events in GitHub. ```yaml name: mobsfscan on: [push, pull_request] jobs: build: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4.2.2 - uses: MobSF/mobsfscan@main with: args: '. --json' ``` -------------------------------- ### Update Pipfile and Requirements Source: https://github.com/mobsf/mobsfscan/blob/main/action.md This command sequence updates the Pipfile.lock based on the current Pipfile, synchronizes the environment, and generates a requirements.txt file. It uses PIPENV_IGNORE_VIRTUALENVS to ensure the commands run outside of any existing virtual environment. ```bash PIPENV_IGNORE_VIRTUALENVS=1 pipenv lock PIPENV_IGNORE_VIRTUALENVS=1 pipenv sync PIPENV_IGNORE_VIRTUALENVS=1 pipenv run pip freeze > requirements.txt ``` -------------------------------- ### Insecure Data Storage Patterns in Kotlin/Java Source: https://context7.com/mobsf/mobsfscan/llms.txt Identifies insecure data storage practices in Android applications. This covers world-writable/readable files, logging sensitive information, and the presence of hardcoded credentials, all of which can lead to data breaches. ```java FileOutputStream fos = openFileOutput("data.txt", MODE_WORLD_WRITABLE); FileOutputStream fos2 = openFileOutput("data.txt", 2); ``` ```java FileOutputStream fos = openFileOutput("data.txt", MODE_WORLD_READABLE); FileOutputStream fos2 = openFileOutput("data.txt", 1); ``` ```java Log.d("Auth", "User password: " + password); System.out.println("Secret key: " + apiKey); ``` ```java String password = "secretPassword123"; String apiKey = "sk_live_abc123"; String username = "admin"; ``` -------------------------------- ### Network Security Configuration Vulnerabilities Source: https://context7.com/mobsf/mobsfscan/llms.txt Examines Android Network Security Configuration files for insecure settings. This includes configurations that permit cleartext traffic, improperly trust user-installed certificates, or allow certificate pinning bypass, potentially leading to man-in-the-middle attacks. ```xml ``` ```xml example.com ``` ```xml ``` ```xml ``` -------------------------------- ### Android Manifest Security Misconfigurations Source: https://context7.com/mobsf/mobsfscan/llms.txt Analyzes the AndroidManifest.xml file for critical security misconfigurations. This includes settings related to backup, debugging, cleartext traffic, and minimum SDK versions, which can expose the application and user data to risks. ```xml ``` ```xml ``` ```xml ``` ```xml ``` ```xml ``` -------------------------------- ### Detecting Injection and Deserialization Vulnerabilities in Android Source: https://context7.com/mobsf/mobsfscan/llms.txt This snippet demonstrates common insecure coding patterns detected by mobsfscan, including raw SQL queries, command injection via Runtime/ProcessBuilder, and insecure Jackson or ObjectInputStream deserialization. ```java String query = "SELECT * FROM users WHERE id = " + userId; db.rawQuery(query, null); db.execSQL("DELETE FROM logs WHERE date < '" + cutoffDate + "'"); Runtime.getRuntime().exec("ping " + userInput); ProcessBuilder pb = new ProcessBuilder("sh", "-c", userCommand); ObjectMapper mapper = new ObjectMapper(); mapper.enableDefaultTyping(); ObjectInputStream ois = new ObjectInputStream(untrustedInput); Object obj = ois.readObject(); ``` -------------------------------- ### Android WebView SSL Error Handling in MainActivity.java Source: https://github.com/mobsf/mobsfscan/blob/main/README.md This snippet from MainActivity.java demonstrates the handling of SSL errors in a WebView. The `onReceivedSslError` method is overridden to potentially ignore SSL certificate errors, which could lead to security vulnerabilities if not handled carefully. The `.proceed()` call indicates that the WebView is instructed to continue loading the page despite the SSL error. ```java public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) { // Ignoring SSL certificate errors for demonstration purposes. // In a production environment, this should be handled with extreme caution. handler.proceed(); } ``` -------------------------------- ### WebView Security Misconfigurations in Kotlin/Java Source: https://context7.com/mobsf/mobsfscan/llms.txt Detects common WebView security vulnerabilities in Android applications written in Kotlin or Java. This includes issues like enabling JavaScript interfaces with JavaScript enabled, allowing file access from URLs, enabling WebView debugging, and loading content from external storage. ```java WebView webView = new WebView(context); webView.getSettings().setJavaScriptEnabled(true); webView.addJavascriptInterface(new WebAppInterface(), "Android"); ``` ```java webView.getSettings().setJavaScriptEnabled(true); webView.getSettings().setAllowFileAccessFromFileURLs(true); webView.getSettings().setAllowUniversalAccessFromFileURLs(true); ``` ```java WebView.setWebContentsDebuggingEnabled(true); ``` ```java webView.loadUrl(Environment.getExternalStorageDirectory().toString() + "/page.html"); ``` -------------------------------- ### Suppress Findings with Inline Comments Source: https://context7.com/mobsf/mobsfscan/llms.txt Shows how to ignore specific security rules directly within source code files using the mobsf-ignore comment syntax. ```java String password = "intended_default"; // mobsf-ignore: android_kotlin_hardcoded Log.d("DEBUG", sensitiveData); // mobsf-ignore: android_kotlin_logging, android_kotlin_hardcoded ``` ```kotlin val apiKey = "test_key" // mobsf-ignore: android_kotlin_hardcoded ``` ```swift let password = "test123" // mobsf-ignore: ios_hardcoded_password ``` -------------------------------- ### Java Security Rules - Network Security Detection Source: https://context7.com/mobsf/mobsfscan/llms.txt This Java code snippet demonstrates how mobsfscan identifies network security issues. It includes detections for trusting all SSL certificates, WebViews ignoring SSL errors, the use of deprecated SSLv3, and default HTTP clients not enforcing TLS, highlighting potential vulnerabilities in network communication. ```java // DETECTED: Trusting all SSL certificates // Rule: android_kotlin_insecure_ssl - Severity: ERROR import javax.net.ssl.*; TrustAllSSLSocketFactory factory = new TrustAllSSLSocketFactory(); HostnameVerifier verifier = SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER; // DETECTED: WebView ignoring SSL errors // Rule: android_kotlin_webview_ignore_ssl - Severity: ERROR @Override public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) { handler.proceed(); // Ignores SSL certificate errors } // DETECTED: SSL v3 usage (deprecated/insecure) // Rule: insecure_ssl_v3 - Severity: ERROR SSLContext sslContext = SSLContext.getInstance("SSLv3"); // DETECTED: Default HTTP client without TLS // Rule: default_http_client_tls - Severity: WARNING DefaultHttpClient client = new DefaultHttpClient(); ``` -------------------------------- ### Formatting Scan Results as JSON Source: https://context7.com/mobsf/mobsfscan/llms.txt Utilizes the built-in JSON formatter to save scan results to a file or retrieve them as a string for further processing. ```python from mobsfscan.mobsfscan import MobSFScan from mobsfscan.formatters import json_fmt scanner = MobSFScan(paths=['/path/to/source'], json=True) scan_results = scanner.scan() json_fmt.json_output(outfile='results.json', scan_results=scan_results, version='0.4.5') json_output = json_fmt.json_output(outfile=None, scan_results=scan_results, version='0.4.5') ``` -------------------------------- ### Suppress mobsfscan Findings in Java Source: https://github.com/mobsf/mobsfscan/blob/main/README.md This Java code snippet demonstrates how to suppress specific mobsfscan findings by adding an inline comment `// mobsf-ignore: rule_id1, rule_id2` to the line that triggers the finding. This helps in managing and filtering out known or acceptable vulnerabilities. ```java String password = "strong password"; // mobsf-ignore: hardcoded_password ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.