Fix Full RELRO/Partial RELRO/No RELRO check for Android

[SektorROM]

Describe the Pull Request

Returned string of relro() in mobsf/StaticAnalyzer/views/android/binary_analysis.py not properly checked in line 94 and 102, always leading to the "else" case in line 102 (no matter actual RELRO level of binary, always "No RELRO" is falsely shown).

This pull request fixes these checks accordingly.

Checklist for PR

• [ OK] Run MobSF unit tests and lint tox -e lint,test
• [ Linux] Tested Working on Linux, Mac, Windows, and Docker
• [ - ] Add unit test for any new Web API (Refer: StaticAnalyzer/tests.py)
• Make sure tests are passing on your PR

Additional Comments (if any)

iOS not impacted, as no RELRO there.

[ajinabraham]

Hi @SektorROM Thanks for the PR.
I am seeing the current logic working fine using lief 0.11.0 which we use for library analysis.

Can you share the APK where you see RELRO not getting detected?

[SektorROM]

Hi,

can't share the exact APK due to reasons, but I'll create a new one and try to reproduce.
Strange it works on your side (also weird you have the 'high' tag visible, although 'Full RELRO' is good and should be 'info')

[ajinabraham]

Now that you mentioned, something looks not alright. will take a look again.

[SektorROM]

*Exactly. You ran into the case I mentioned (I got confused myself)

Your binary does have "Full RELRO", the "relro" field is propagated correctly through to the WebView, but "desc" and "severity" are the wrong one, because "relro" was only matched against "Full" or "Partial" and not "Full RELRO" and "Partial RELRO", resulting in always landing in the else (No RELRO) case - hence the 'high' tag and description.

[ajinabraham]

Looks like this indeed is a bug