

HOTFIX: NIAP 1.2 - > 1.3, Permission Analysis QA (#1629)
* NIAP v1.3. Fixes #1563

* permission analysis QA. Fixes #1556, #1617
ajinabraham authored Dec 27, 2020
1 parent 8d6dfac commit 7b1d2ee
Showing 8 changed files with 72 additions and 135 deletions.
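--- a/MalwareAnalyzer/views/domain_check.py
+++ b/MalwareAnalyzer/views/domain_check.py
@@ -40,11 +40,7 @@ def update_malware_db():
 with open(mal_db, 'wb') as wfp:
 wfp.write(resp)
 else:
-logger.info('Malware Database format from '
-'malwaredomainlist.com has changed.'
-' Database is not updated. '
-'Please report to: https://github.com/'
-'MobSF/Mobile-Security-Framework-MobSF/issues')
+logger.warning('Unable to Update Malware DB')
 except Exception:
 logger.exception('[ERROR] Malware DB Update')
 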
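Review bot: The replacement warning on the added line drops the reason the database was left untouched, so a format change at the upstream source is now logged exactly like any other failure and an operator cannot tell them apart; `logger.warning('Unable to Update Malware DB: unexpected source format')` keeps that diagnostic while staying a single line. update_malware_db's body begins above the hunk, so the check that selects this `else` branch is not visible here.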
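--- a/MobSF/settings.py
+++ b/MobSF/settings.py
@@ -21,7 +21,7 @@
 # !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 
 
-MOBSF_VER = 'v3.2.1 Beta'
+MOBSF_VER = 'v3.2.2 Beta'
 
 BANNER = """
 __ __ _ ____ _____ _____ ____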
21 changes: 12 additions & 9 deletions StaticAnalyzer/views/android/manifest_analysis.py
Expand Up @@ -153,18 +153,21 @@ def manifest_data(mfxml):

for permission in permissions:
perm.append(permission.getAttribute('android:name'))

for i in perm:
prm = i
pos = i.rfind('.')
android_permission_tags = ('com.google.', 'android.', 'com.google.')
for full_perm in perm:
prm = full_perm
pos = full_perm.rfind('.')
if pos != -1:
prm = i[pos + 1:]
prm = full_perm[pos + 1:]
if not full_perm.startswith(android_permission_tags):
prm = full_perm
try:
dvm_perm[i] = DVM_PERMISSIONS['MANIFEST_PERMISSION'][prm]
dvm_perm[full_perm] = DVM_PERMISSIONS[
'MANIFEST_PERMISSION'][prm]
except KeyError:
dvm_perm[i] = [
'dangerous',
'Unknown permission from android reference',
dvm_perm[full_perm] = [
'unknown',
'Unknown permission',
'Unknown permission from android reference',
]

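Review bot: `android_permission_tags` lists `'com.google.'` twice, so the tuple really covers only two prefixes; if a third prefix such as `'com.android.'` was intended, the duplicate silently routes those permissions through the custom-permission path (looked up by full name, hence 'unknown'). The `rfind` suffix is also computed and then discarded for every non-platform name; `prm = full_perm[pos + 1:] if pos != -1 and full_perm.startswith(android_permission_tags) else full_perm` states the rule in one expression without the two-step override. Note that the default status for unrecognised permissions moves from 'dangerous' to 'unknown', a deliberate severity downgrade: custom permissions that previously matched a platform suffix by accident are no longer flagged, but any consumer of `dvm_perm` other than the templates updated in this commit now needs an 'unknown' branch. manifest_data's enclosing function starts above the hunk.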
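--- a/StaticAnalyzer/views/android/rules/android_niap.yaml
+++ b/StaticAnalyzer/views/android/rules/android_niap.yaml
@@ -23,6 +23,16 @@
 credentials
 else: does not store any credentials
 class: Security Functional Requirements
+- id: FCS_CKM_EXT.1.1
+type: code
+choice_type: or
+description: Cryptographic Key Generation Services
+selection: 'The application {}.'
+choice:
+- - java\.security\.KeyPairGenerator|KeyPairGenerator\.getInstance\(
+- implement asymmetric key generation
+else: generate no asymmetric cryptographic keys
+class: Security Functional Requirements
 - id: FDP_DEC_EXT.1.1
 type: manifest
 choice_type: all
@@ -121,16 +131,6 @@
 - - java\.security\.SecureRandom
 - null
 class: Selection-Based Security Functional Requirements
-- id: FCS_CKM_EXT.1.1
-type: code
-choice_type: or
-description: Cryptographic Key Generation Services
-selection: 'The application {}.'
-choice:
-- - java\.security\.KeyPairGenerator|KeyPairGenerator\.getInstance\(
-- implement asymmetric key generation
-else: generate no asymmetric cryptographic keys
-class: Selection-Based Security Functional Requirements
 - id: FCS_CKM.1.1(1)
 type: code
 choice_type: and
@@ -148,6 +148,17 @@
 in accordance with a specified cryptographic key generation algorithm
 RSA schemes using cryptographic key sizes of 2048-bit or greater
 class: Selection-Based Security Functional Requirements
+- id: 'FCS_CKM.1.1(3),FCS_CKM.1.2(3)'
+type: code
+choice_type: or
+description: Password Conditioning
+selection: >-
+A password/passphrase shall perform [Password-based Key Derivation
+Functions] {}.
+choice:
+- - \.getInstance\(\"PBKDF2|PBEKeySpec\(.*?\)
+- in accordance with a specified cryptographic algorithm.
+class: Selection-Based Security Functional Requirements
 - id: FCS_COP.1.1(1)
 type: code
 choice_type: or
@@ -215,101 +226,6 @@
 - - \.getInstance\(*.HmacMD5|put_HashAlgorithm\(\"MD5
 - HMAC-MD5
 class: Selection-Based Security Functional Requirements
-- id: FCS_TLSC_EXT.1.1
-type: code
-choice_type: all
-description: TLS Client Protocol
-selection: 'The application invoke platform-provided TLS and cipher suites {}.'
-choice:
-- - \.getInstance\(.*TLSv1\.3|\(TlsVersion\.TLS_1_3
-- TLS 1.3
-- - \.getInstance\(.*TLSv1\.2|\(TlsVersion\.TLS_1_2
-- TLS 1.2
-- - \.getInstance\(.*TLSv1\.1|\(TlsVersion\.TLS_1_1
-- 'TLS 1.1, This version is insecure'
-- - \.getInstance\(.*TLSv1\.0|\(TlsVersion\.TLS_1_0
-- 'TLS 1.0, This version is insecure'
-- - TLS_RSA_WITH_AES_128_CBC_SHA
-- TLS_RSA_WITH_AES_128_CBC_SHA
-- - TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
-- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
-- - TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
-- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
-- - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
-- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
-- - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
-- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
-- - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
-- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
-- - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
-- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
-- - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
-- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
-- - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-- - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
-- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
-- - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-- - TLS_RSA_WITH_AES_128_CBC_SHA256
-- TLS_RSA_WITH_AES_128_CBC_SHA256
-- - TLS_RSA_WITH_AES_256_CBC_SHA256
-- TLS_RSA_WITH_AES_256_CBC_SHA256
-class: Selection-Based Security Functional Requirements
-- id: FCS_TLSC_EXT.1.2
-type: code
-choice_type: and
-description: TLS Client Protocol
-selection: >-
-The application verify that the presented identifier matches the reference
-identifier according to RFC 6125.
-choice:
-- - - HostnameVerifier\(
-- \.verify\(|\.setHostnameVerifier\(
-- RSA schemes using cryptographic key sizes of 2048-bit or greater
-class: Selection-Based Security Functional Requirements
-- id: FCS_TLSC_EXT.1.3
-type: code
-choice_type: and
-description: TLS Client Protocol
-selection: >-
-The application establish a trusted channel only if the peer certificate is
-valid.
-choice:
-- - - \.getTrustManagers\(|TrustManagerFactory\.
-- \.setCertificateEntry\(|trustedChain|\.init\(
-- null
-- - - org\.thoughtcrime\.ssl\.pinning
-- >-
-PinningHelper\.getPinnedHttpsURLConnection|PinningHelper\.getPinnedHttpClient|PinningSSLSocketFactory\(
-- null
-- - - CertificatePinner\.Builder\(
-- \.add\(
-- null
-- - - Retrofit\.Builder\(
-- \.baseUrl\(
-- null
-- - - Picasso\.Builder\(
-- \.downloader\(
-- null
-- - - \.setHostnameVerifier\(
-- PinningHostnameVerifier\(|\.verify\(|DynamicPinningHostnameVerifier\(
-class: Selection-Based Security Functional Requirements
-- id: FCS_TLSC_EXT.4.1
-type: code
-choice_type: all
-description: TLS Client Protocol
-selection: >-
-The application present the supported Elliptic Curves Extension in the
-Client Hello with the following NIST curves {}.
-choice:
-- - ECGenParameterSpec\(.*secp256r1
-- secp256r1
-- - ECGenParameterSpec\(.*secp384r1
-- secp384r1
-- - ECGenParameterSpec\(.*secp521r1
-- secp521r1
-class: Selection-Based Security Functional Requirements
 - id: FCS_HTTPS_EXT.1.1
 type: code
 choice_type: or
@@ -393,17 +309,6 @@
 - - java\.security\.cert\.X509Certificate
 - null
 class: Selection-Based Security Functional Requirements
-- id: FIA_X509_EXT.2.1
-type: code
-choice_type: or
-description: X.509 Certificate Authentication
-selection: >-
-The application use X.509v3 certificates as defined by RFC 5280 to support
-authentication for HTTPS , TLS.
-choice:
-- - java\.security\.cert\.X509Certificate
-- null
-class: Selection-Based Security Functional Requirements
 - id: FIA_X509_EXT.2.2
 type: code
 choice_type: and
@@ -419,6 +324,19 @@
 - CertificateExpiredException|CertificateNotYetValidException
 - null
 class: Selection-Based Security Functional Requirements
+- id: FPT_TUD_EXT.2.1
+type: code
+choice_type: or
+description: Integrity for Installation and Update
+selection: >-
+The application shall be distributed using the format of the
+platform-supported package manager.
+choice:
+- - \.enableInstallerId\(InstallerID\.GOOGLE_PLAY
+- null
+- - \.getInstallerPackageName\(
+- null
+class: Selection-Based Security Functional Requirements
 - id: FCS_CKM.1.1(2)
 type: code
 choice_type: and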
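Review bot: The new `FCS_CKM.1.1(3),FCS_CKM.1.2(3)` entry is an `or` rule whose `selection` carries a `{}` placeholder but has no `else:` key, unlike the `or` rule FCS_CKM_EXT.1.1 earlier in this file; if the rule engine (not visible here) fills `{}` from `else` when no choice matches, this entry renders with an empty placeholder or errors, so an `else:` line such as `else: with no recognised password-based key derivation` would make it consistent. Its `id` is also the only one in the file that joins two requirement ids with a comma, which a consumer indexing rules by id would see as a single unknown id; splitting it into two entries with the same `choice`, or documenting the convention at the top of the file, avoids that. For FPT_TUD_EXT.2.1, the second choice `\.getInstallerPackageName\(` matches any read of the installer name, so a hit shows the app queries the installer rather than that it verifies or restricts it — worth stating in the `description` so the report is not read as a stronger claim than the regex supports.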
4 changes: 4 additions & 0 deletions static/others/css/pdf_report.css
Expand Up @@ -89,6 +89,10 @@ td{
color: green;
}

.secondary {
color: #6c757d;
}

html {
color: #393939;
font-size: 11pt;
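--- a/templates/pdf/android_report.html
+++ b/templates/pdf/android_report.html
@@ -202,7 +202,19 @@ <h2><i class="fa fa-list"></i> APPLICATION PERMISSIONS</h2>
 {% for perm,desc in permissions.items %}
 <tr>
 <td>{{ perm }}</td>
-<td>{{ desc.status }}</td>
+<td>
+{% if desc.status == 'dangerous' %}
+<span class="danger">dangerous</span>
+{% elif desc.status == 'normal' %}
+<span class="info">normal</span>
+{% elif desc.status == 'signatureOrSystem' %}
+<span class="warning">SignatureOrSystem</span>
+{% elif desc.status == 'signature' %}
+<span class="success">signature</span>
+{% elif desc.status == 'unknown' %}
+<span class="secondary">unknown</span>
+{% endif %}
+</td>
 <td>{{ desc.info }}</td>
 <td>{{ desc.description }}</td>
 </tr>
@@ -572,7 +584,7 @@ <h2><i class="fa fa-flag"></i> SHARED LIBRARY BINARY ANALYSIS</h2>
 </table>
 {% endif %}
 
-<h2><i class="fa fa-id-badge"></i> NIAP ANALYSIS</h2>
+<h2><i class="fa fa-id-badge"></i> NIAP ANALYSIS v1.3</h2>
 <table class="basic">
 <thead>
 <tr>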
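Review bot: The new `{% if %}`/`{% elif %}` chain on the status cell has no `{% else %}`, so a status value outside the five literals now renders an empty cell, whereas the replaced `{{ desc.status }}` printed whatever the analyzer supplied; adding `{% else %}<span class="secondary">{{ desc.status }}</span>` before `{% endif %}` keeps the old fallback visible. The same chain in templates/static_analysis/android_binary_analysis.html and templates/static_analysis/android_source_analysis.html, whose `{% if %}` starts above their hunks, has the same gap. The literal `v1.3` in the NIAP heading is now hand-written in all three templates; since the version belongs to the rules file under StaticAnalyzer, carrying it in one setting or template variable would keep the label from drifting when the rules are next updated.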
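--- a/templates/static_analysis/android_binary_analysis.html
+++ b/templates/static_analysis/android_binary_analysis.html
@@ -709,6 +709,8 @@ <h3>{{ providers | length }}</h3>
 <span class="badge bg-warning">SignatureOrSystem</span>
 {% elif desc.status == 'signature' %}
 <span class="badge bg-success">signature</span>
+{% elif desc.status == 'unknown' %}
+<span class="badge bg-secondary">unknown</span>
 {% endif %}
 </td>
 <td>{{ desc.info }}</td>
@@ -1125,7 +1127,7 @@ <h3>{{ providers | length }}</h3>
 <div class="card">
 <div class="card-body">
 <p>
-<strong><i class="fa fa-id-badge"></i> NIAP ANALYSIS</strong>
+<strong><i class="fa fa-id-badge"></i> NIAP ANALYSIS v1.3</strong>
 </p>
 <div class="table-responsive">
 <table id="table_file" class="table table-bordered table-hover table-striped">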
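--- a/templates/static_analysis/android_source_analysis.html
+++ b/templates/static_analysis/android_source_analysis.html
@@ -555,6 +555,8 @@ <h3>{{ providers | length }}</h3>
 <span class="badge bg-warning">SignatureOrSystem</span>
 {% elif desc.status == 'signature' %}
 <span class="badge bg-success">signature</span>
+{% elif desc.status == 'unknown' %}
+<span class="badge bg-secondary">unknown</span>
 {% endif %}
 </td>
 <td>{{ desc.info }}</td>
@@ -893,7 +895,7 @@ <h3>{{ providers | length }}</h3>
 <div class="card">
 <div class="card-body">
 <p>
-<strong><i class="fa fa-id-badge"></i> NIAP ANALYSIS</strong>
+<strong><i class="fa fa-id-badge"></i> NIAP ANALYSIS v1.3</strong>
 </p>
 <div class="table-responsive">
 <table id="table_file" class="table table-bordered table-hover table-striped">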
