[Android] Mobile-Security-Framework-MobSF Manifest Static Scan Rules


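Preface

Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. MobSF supports mobile app binaries (APK, XAPK, IPA and APPX) as well as zipped source code, and provides a REST API for seamless integration with your CI/CD or DevSecOps pipeline. The dynamic analyzer helps you perform runtime security assessment and interactive instrumented testing.

By analysing the manifest detection rules in the source code, we can learn which security risks a manifest may carry.

Main text

Source location: the manifest_analysis function in views/android/manifest_analysis.py.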


 high*6

| Rule name | Condition | Severity | Description |
| --- | --- | --- | --- |
| a_clear_text | android:usesCleartextTraffic=true | high | The app intends to use cleartext network traffic, such as cleartext HTTP, FTP stacks, DownloadManager, and MediaPlayer. The default value for apps that target API level 27 or lower is "true". Apps that target API level 28 or higher default to "false". The key reason for avoiding cleartext traffic is the lack of confidentiality, authenticity, and protections against tampering; a network attacker can eavesdrop on transmitted data and also modify it without being detected. |
| a_debuggable | android:debuggable=true | high | Debugging was enabled on the app which makes it easier for reverse engineers to hook a debugger to it. This allows dumping a stack trace and accessing debugging helper classes. |
| a_testonly | android:testOnly=true | high | It may expose functionality or data outside of itself that would cause a security hole. |
| a_launchmode | android:launchMode = singleInstance or singleTask | high | An Activity should not be having the launch mode attribute set to "singleTask/singleInstance" as it becomes root Activity and it is possible for other applications to read the contents of the calling Intent. So it is required to use the "standard" launch mode attribute when sensitive information is included in an Intent. |
| a_not_protected | android:exported=true | high | A%s %s is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. |
| a_improper_provider | android:pathPrefix == / | high | A content provider permission was set to allows access from any other app on the device. Content providers may contain sensitive information about an app and therefore should not be shared. |

warning*28

| Rule name | Condition | Severity | Description |
| --- | --- | --- | --- |
| a_allowbackup | Application Data can be Backed up [android:allowBackup=true] | warning | This flag allows anyone to backup your application data via adb. It allows users who have enabled USB debugging to copy application data off of the device. |
| a_allowbackup_miss | Application Data can be Backed up [android:allowBackup] flag is missing. | warning | The flag [android:allowBackup] should be set to false. By default it is set to true and allows anyone to backup your application data via adb. It allows users who have enabled USB debugging to copy application data off of the device. |
| a_taskaffinity | TaskAffinity is set for Activity | warning | If taskAffinity is set, then other application could read the Intents sent to Activities belonging to another task. Always use the default setting keeping the affinity as the package name in order to prevent sensitive information inside sent or received Intents from being read by another application. |
| a_prot_normal | is Protected by a permission, but the protection level of the permission should be checked.[android:exported=true] | warning | A%s %s is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission. However, the protection level of the permission is set to normal. This means that a malicious application can request and obtain the permission and interact with the component. If it was set to signature, only applications signed with the same certificate could obtain the permission. |
| a_prot_danger | is Protected by a permission, but the protection level of the permission should be checked.[android:exported=true] | warning | A%s %s is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission. However, the protection level of the permission is set to dangerous. This means that a malicious application can request and obtain the permission and interact with the component. If it was set to signature, only applications signed with the same certificate could obtain the permission. |
| a_prot_unknown | is Protected by a permission, but the protection level of the permission should be checked.[android:exported=true] | warning | A%s %s is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission. |
| a_prot_normal_appl | is Protected by a permission at the application level, but the protection level of the permission should be checked.[android:exported=true] | warning | A%s %s is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission at the application level. However, the protection level of the permission is set to normal. This means that a malicious application can request and obtain the permission and interact with the component. If it was set to signature, only applications signed with the same certificate could obtain the permission. |
| a_prot_danger_appl | is Protected by a permission at the application level, but the protection level of the permission should be checked.[android:exported=true] | warning | A%s %s is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission at the application level. However, the protection level of the permission is set to dangerous. This means that a malicious application can request and obtain the permission and interact with the component. If it was set to signature, only applications signed with the same certificate could obtain the permission. |
| a_prot_unknown_appl | is Protected by a permission at the application, but the protection level of the permission should be checked.[android:exported=true] | warning | A%s %s is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission at the application level which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission. |
| a_not_protected_filter | is not Protected.An intent-filter exists. | warning | A%s %s is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. The presence of intent-filter indicates that the %s is explicitly exported. |
| c_not_protected | is not Protected.[[Content Provider, targetSdkVersion < 17] | warning | A%s %s is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is a Content Provider that targets an API level under 17, which makes it exported by default, regardless of the API level of the system that the application runs on. |
| c_not_protected2 | would not be Protected if the application ran on a device where the the API level was less than 17.[Content Provider, targetSdkVersion >= 17] | warning | The Content Provider(%s %s) would be exported if the application ran on a device where the the API level was less than 17. In that situation, it would be shared with other apps on the device therefore leaving it accessible to any other application on the device. |
| c_prot_normal | is Protected by a permission, but the protection level of the permission should be checked.[Content Provider, targetSdkVersion < 17] | warning | A%s %s is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission. However, the protection level of the permission is set to normal. This means that a malicious application can request and obtain the permission and interact with the component. If it was set to signature, only applications signed with the same certificate could obtain the permission. |
| c_prot_danger | is Protected by a permission, but the protection level of the permission should be checked.[Content Provider, targetSdkVersion < 17] | warning | A%s %s is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission. However, the protection level of the permission is set to dangerous. This means that a malicious application can request and obtain the permission and interact with the component. If it was set to signature, only applications signed with the same certificate could obtain the permission. |
| c_prot_unknown | is Protected by a permission, but the protection level of the permission should be checked.[Content Provider, targetSdkVersion < 17] | warning | A%s %s is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission. |
| c_prot_normal_appl | is Protected by a permission at the application level, but the protection level of the permission should be checked.[Content Provider, targetSdkVersion < 17] | warning | A%s %s is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission at the application level. However, the protection level of the permission is set to normal. This means that a malicious application can request and obtain the permission and interact with the component. If it was set to signature, only applications signed with the same certificate could obtain the permission. |
| c_prot_danger_appl | is Protected by a permission at the application level, but the protection level of the permission should be checked.[Content Provider, targetSdkVersion < 17] | warning | A%s %s is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission at the application level. However, the protection level of the permission is set to dangerous. This means that a malicious application can request and obtain the permission and interact with the component. If it was set to signature, only applications signed with the same certificate could obtain the permission. |
| c_prot_unknown_appl | is Protected by a permission at application level, but the protection level of the permission should be checked.[Content Provider, targetSdkVersion < 17] | warning | A%s %s is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission at application level which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission. |
| c_prot_normal_new | is Protected by a permission, but the protection level of the permission should be checked if the application runs on a device where the the API level is less than 17 [Content Provider, targetSdkVersion >= 17] | warning | The Content Provider (%s) would be exported if the application ran on a device where the the API level was less than 17. In that situation, it would still be protected by a permission. However, the protection level of the permission is set to normal. This means that a malicious application could request and obtain the permission and interact with the component. If it was set to signature, only applications signed with the same certificate could obtain the permission. |
| c_prot_danger_new | is Protected by a permission, but the protection level of the permission should be checked if the application runs on a device where the the API level is less than 17.[Content Provider, targetSdkVersion >= 17] | warning | The Content Provider(%s) would be exported if the application ran on a device where the the API level was less than 17. In that situation, it would still be protected by a permission. However, the protection level of the permission is set to dangerous. This means that a malicious application could request and obtain the permission and interact with the component. If it was set to signature, only applications signed with the same certificate could obtain the permission. |
| c_prot_unknown_new | is Protected by a permission, but the protection level of the permission should be checked if the application runs on a device where the the API level is less than 17.[Content Provider, targetSdkVersion >= 17] | warning | The Content Provider(%s) would be exported if the application ran on a device where the the API level was less than 17. In that situation, it would still be protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission. |
| c_prot_normal_new_appl | is Protected by a permission at the application level should be checked, but the protection level of the permission if the application runs on a device where the the API level is less than 17.[Content Provider, targetSdkVersion >= 17] | warning | The Content Provider (%s) would be exported if the application ran on a device where the the API level was less than 17. In that situation, it would still be protected by a permission. However, the protection level of the permission is set to normal. This means that a malicious application could request and obtain the permission and interact with the component. If it was set to signature, only applications signed with the same certificate could obtain the permission. |
| c_prot_danger_new_appl | is Protected by a permission at the application level, but the protection level of the permission should be checked if the application runs on a device where the the API level is less than 17.[Content Provider, targetSdkVersion >= 17] | warning | The Content Provider(%s) would be exported if the application ran on a device where the the API level was less than 17. In that situation, it would still be protected by a permission. However, the protection level of the permission is set to dangerous. This means that a malicious application could request and obtain the permission and interact with the component. If it was set to signature, only applications signed with the same certificate could obtain the permission. |
| c_prot_unknown_new_appl | is Protected by a permission at the application level, but the protection level of the permission should be checked if the application runs on a device where the the API level is less than 17.[Content Provider, targetSdkVersion >= 17] | warning | The Content Provider(%s) would be exported if the application ran on a device where the the API level was less than 17. In that situation, it would still be protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission. |
| a_dailer_code | Dailer Code: Found <br>[android:scheme="android_secret_code"] | warning | A secret code was found in the manifest. These codes, when entered into the dialer grant access to hidden content that may contain sensitive information. |
| a_sms_receiver_port | Data SMS Receiver Set on Port: Found<br>[android:port] | warning | A binary SMS receiver is configured to listen on a port. Binary SMS messages sent to a device are processed by the application in whichever way the developer choses. The data in this SMS should be properly validated by the application. Furthermore, the application should assume that the SMS being received is from an untrusted source. |
| a_high_intent_priority | High Intent Priority [android:priority] | warning | By setting an intent priority higher than another intent, the app effectively overrides other requests. |
| a_high_action_priority | High Action Priority [android:priority] | warning | By setting an action priority higher than another action, the app effectively overrides other requests. |

info*14

| Rule name | Condition | Severity | Description |
| --- | --- | --- | --- |
| a_boot_aware | App is direct-boot aware [android:directBootAware=true] | info | This app can run before the user unlocks the device. If you're using a custom subclass of Application, and if any component inside your application is direct - boot aware, then your entire custom application is considered to be direct - boot aware.During Direct Boot, your application can only access the data that is stored in device protected storage. |
| a_network_sec | App has a Network Security Configuration [android:networkSecurityConfig] | info | The Network Security Configuration feature lets apps customize their network security settings in a safe, declarative configuration file without modifying app code. These settings can be configured for specific domains and for a specific app. |
| a_prot_sign | is Protected by a permission.[android:exported=true] | info | A%s %s is found to be exported, but is protected by permission. |
| a_prot_sign_sys | is Protected by a permission, but the protection level of the permission should be checked.[android:exported=true] | info | A%s %s is found to be exported, but is protected by a permission. However, the protection level of the permission is set to signatureOrSystem. It is recommended that signature level is used instead. Signature level should suffice for most purposes, and does not depend on where the applications are installed on the device. |
| a_prot_sign_appl | Protected by a permission at the application level.[android:exported=true] | info | A%s %s is found to be exported, but is protected by a permission at the application level. |
| a_prot_sign_sys_appl | is Protected by a permission at the application level, but the protection level of the permission should be checked.[android:exported=true] | info | A%s %s is found to be exported, but is protected by a permission at the application level. However, the protection level of the permission is set to signatureOrSystem. It is recommended that signature level is used instead. Signature level should suffice for most purposes, and does not depend on where the applications are installed on the device. |
| c_prot_sign | is Protected by a permission.[Content Provider, targetSdkVersion < 17] | info | A%s %s is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by permission. |
| c_prot_sign_sys | is Protected by a permission, but the protection level of the permission should be checked.[Content Provider, targetSdkVersion < 17] | info | A%s %s is found to be exported, but is protected by a permission. However, the protection level of the permission is set to signatureOrSystem. It is recommended that signature level is used instead. Signature level should suffice for most purposes, and does not depend on where the applications are installed on the device. |
| c_prot_sign_appl | is Protected by a permission at the application level.[Content Provider, targetSdkVersion < 17] | info | A%s %s is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by permission at the application level. |
| c_prot_sign_sys_appl | is Protected by a permission at the application level, but the protection level of the permission should be checked.[Content Provider, targetSdkVersion < 17] | info | A%s %s is found to be exported, but is protected by a permission at the application level. However, the protection level of the permission is set to signatureOrSystem. It is recommended that signature level is used instead. Signature level should suffice for most purposes, and does not depend on where the applications are installed on the device. |
| c_prot_sign_new | is Protected by a permission.[Content Provider, targetSdkVersion >= 17] | info | The Content Provider(%s) would be exported if the application ran on a device where the the API level was less than 17. Nevertheless, it is protected by a permission. |
| c_prot_sign_sys_new | is Protected by a permission, but the protection level of the permission should be checked.[Content Provider, targetSdkVersion >= 17] | info | The Content Provider(%s) would be exported if the application ran on a device where the API level was less than 17. In that situation, it would still be protected by a permission. However, the protection level of the permission is set to signatureOrSystem. It is recommended that signature level is used instead. Signature level should suffice for most purposes, and does not depend on where the applications are installed on the device. |
| c_prot_sign_new_appl | is Protected by a permission at the application level.[Content Provider, targetSdkVersion >= 17] | info | The Content Provider(%s) would be exported if the application ran on a device where the the API level was less than 17. Nevertheless, it is protected by a permission. |
| c_prot_sign_sys_new_appl | is Protected by a permission at the application level, but the protection level of the permission should be checked.[Content Provider, targetSdkVersion >= 17] | info | The Content Provider(%s) would be exported if the application ran on a device where the API level was less than 17. In that situation, it would still be protected by a permission. However, the protection level of the permission is set to signatureOrSystem. It is recommended that signature level is used instead. Signature level should suffice for most purposes, and does not depend on where the applications are installed on the device. |
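
As an added illustration (not MobSF's own code and not part of the original article), the sketch below applies a subset of the rules listed in the three tables to a decoded AndroidManifest.xml using only the Python standard library, reporting the same rule names and severities. The function names, the sample manifest and the simplifications are assumptions of this example: the content-provider `c_*` rules are left out, and a component that is exported only through an intent-filter but carries a permission is classified with the same `a_prot_*` rules.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
# protectionLevel -> (rule name, severity), as listed in the tables above
PROT_RULES = {
    "normal": ("a_prot_normal", "warning"),
    "dangerous": ("a_prot_danger", "warning"),
    "signature": ("a_prot_sign", "info"),
    "signatureOrSystem": ("a_prot_sign_sys", "info"),
}
APP_FLAGS = [("usesCleartextTraffic", "a_clear_text"),
             ("debuggable", "a_debuggable"),
             ("testOnly", "a_testonly")]

# Constructed sample manifest (already decoded to text XML); not from a real app.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <permission android:name="com.example.demo.NORMAL" android:protectionLevel="normal"/>
  <permission android:name="com.example.demo.SIG" android:protectionLevel="signature"/>
  <application android:debuggable="true" android:usesCleartextTraffic="true">
    <activity android:name=".Main" android:launchMode="singleTask" android:exported="true"/>
    <activity android:name=".Share" android:taskAffinity="com.example.other">
      <intent-filter><action android:name="android.intent.action.SEND"/></intent-filter>
    </activity>
    <service android:name=".Sync" android:exported="true" android:permission="com.example.demo.NORMAL"/>
    <receiver android:name=".Push" android:exported="true" android:permission="com.example.demo.SIG"/>
    <service android:name=".Ext" android:exported="true" android:permission="com.vendor.UNKNOWN"/>
    <service android:name=".Local" android:exported="false"/>
  </application>
</manifest>"""


def attr(el, name):
    """Read an android:-namespaced attribute, or None if it is absent."""
    return el.get(NS + name)


def scan_manifest(xml_text):
    """Return (rule, severity, subject) findings for a decoded manifest."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is None:
        return []
    findings = []
    for flag, rule in APP_FLAGS:
        if attr(app, flag) == "true":
            findings.append((rule, "high", "application"))
    backup = attr(app, "allowBackup")
    if backup is None:
        findings.append(("a_allowbackup_miss", "warning", "application"))
    elif backup == "true":
        findings.append(("a_allowbackup", "warning", "application"))
    # Permissions declared by this app; Android's default protectionLevel is normal.
    declared = {attr(p, "name"): attr(p, "protectionLevel") or "normal"
                for p in root.iter("permission")}
    app_perm = attr(app, "permission")
    for comp in app:
        if comp.tag not in ("activity", "activity-alias", "service", "receiver"):
            continue
        name = attr(comp, "name")
        if comp.tag == "activity":
            if attr(comp, "launchMode") in ("singleInstance", "singleTask"):
                findings.append(("a_launchmode", "high", name))
            if attr(comp, "taskAffinity"):
                findings.append(("a_taskaffinity", "warning", name))
        exported = attr(comp, "exported")
        has_filter = comp.find("intent-filter") is not None
        if exported == "false" or (exported is None and not has_filter):
            continue  # not reachable from other apps
        perm, suffix = attr(comp, "permission"), ""
        if perm is None and app_perm is not None:
            perm, suffix = app_perm, "_appl"  # application-level permission applies
        if perm is None:
            rule, sev = (("a_not_protected", "high") if exported == "true"
                         else ("a_not_protected_filter", "warning"))
        else:
            # Not declared here (or a level this sketch does not model): check by hand.
            rule, sev = PROT_RULES.get(declared.get(perm), ("a_prot_unknown", "warning"))
            rule += suffix
        findings.append((rule, sev, name))
    return findings
```

Calling `scan_manifest(SAMPLE_MANIFEST)` returns one tuple per finding, so the result can be filtered by severity or fed into a CI gate.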

Afterword

The 48 manifest risk items above should be fairly complete, and can be used as study material and as a risk checklist for lookup.
