Mobsf

Latest version: v4.3.2


4.3.2

- Features or Enhancements
- Added support for user defined SSO Maintainer or Viewer role mapping
- Dependency updates

- Security
- Fixed Partial Denial of Service due to strict regex check in iOS report view URL
- Fixed Local Privilege escalation due to leaked REST API key in web UI
- Fixed Stored Cross-Site Scripting in iOS dynamic_analysis view via `bundle` id
- Improved anti-SSRF checks and added extra checks in firebase and asset link check

- Bug Fixes
- Bug fix in docker build poetry cache clean
- Fix CI builds on mac
- Fix frida server download proxy SSL verify configuration

What's Changed
* [SECURITY] Security update to fix vulnerabilities reported by Positive Technologies researchers by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2488
* Saml group mapping by Antiksec in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2487
* March 25 QA by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2504
* [SECURITY] Improve SSRF checks, strict path check for well_known_path by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2510

New Contributors
* Antiksec made their first contribution in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2487

**Full Changelog**: https://github.com/MobSF/Mobile-Security-Framework-MobSF/compare/v4.3.0...v4.3.2

4.3.0

Not secure
- Features or Enhancements
- Added django-q2-based asynchronous scans for Android and iOS binaries and source code
- Async analysis REST API support & Docs
- Unified async scan timeout
- Allow incomplete scan delete after async scan timeout duration
- Added support for Android SBOM analysis
- Added Anti-analysis bypasses
- Handle packed APKs, refactor unzip to handle malformed APK files
- Handle reserved filename conflict during ZIP extraction
- Fixed permissions of extracted files to counter anti-analysis techniques
- JADX fallback to DEX files on APK decompilation failure
- apktool fallback to androguard for AndroidManifest.xml extraction
- Resolved APK parsing errors in androguard
- apksigner.jar fallback to apksigtool/androguard for signature version extraction
- Added explicit timeout for all HTTP requests
- Support proxy for all HTTPS calls
- Optimize jadx download, support system proxy
- Replaced Quark with Behaviour Analysis using ported quark rules
- Add support for pulling split apks from Android Dynamic Analyzer
- Add support for sample download in recent scans.
- Support custom home directory from environment variables
- Reduce iOS binary findings severity to warning from high
- QA on docker-compose, added example nginx config
- Added docker-compose_swarm.yml and docker secrets support by antonkap
- IPA PNG Uncrush support for Windows and Linux
- Automatically handle https upgrade for http urls in Android Assetlinks check
- APKID QA.
- Bash and Batch file script QA.
- Android Report template optimizations on how exported components are displayed.
- Clickable Android Activities, Services, Providers, and Receivers
- Updated Android version support to 11.0 for Android Studio AVD
- Created helper scripts for AVDs `scripts/start_avd.sh` and `scripts/start_avd.ps1`
- Added malware lookup using SHA2 with VirusTotal, Triage, Hybrid Analysis, and MetaDefender
- Optimized APK ZIP analysis for improved performance
- Fixed untar permission errors in dynamic analysis
- Added bypass for SSL pinning in Boye's AbstractVerifier
- Updated bypass for SSL pinning in Appmattus's CertificateTransparencyInterceptor
- Introduced SSL pinning detector script
- Improved Frida intent dumper script
- Added Frida intent tracer script
- Enabled asynchronous scans in Docker Compose setup
- Performed QA for Android and iOS SAST modules
- Added Frida script for audit-webview
- Introduced Frida script for trace-javascript-interface
- Upgraded libsast for improved file reading, multiprocessing, and multithreading
- Fixed PNG crush issues on Darwin systems
- Performed QA on the home screen UI
- Updated httptools and libsast dependencies
- Improvements in scan queue
- Added a robots.txt
- Code QA untar permissions
- Added and updated permission mapping rules
- Handle errors gracefully from get_app_name and icon_analysis
- Add new scans in tasks view without needing an explicit refresh
- Optimizing downloads, adding downloads for source code types and windows appx
- Androguard, ApkInspector code bump
- Patch Androguard AXML to log a warning on the parse error `reserved must be zero!` instead of raising
- Fallback on get app name when androguard returns empty string
- Bump to google fork of baksmali 3.0.8
- IPA: Graceful handling of plist dump exception
- Dockerfile QA
- Add sdk-build-tools to Docker image
- Replace biplist with plistlib std lib
- Added support for APK parsing with aapt2/aapt
- Use aapt/aapt2 as a fallback for APK parsing, files listing and string extraction
- Tasks List API to return string status
- Replaced all minidom calls with defusedxml.minidom
- Code QA on android manifest data extraction and parsing
- Improved android file analysis
- Improved android manifest data extraction
- Improved android icon file extraction
- Improved android app name extraction
- Improved android appstore package details extraction
- Android string extraction to fallback on aapt2 strings
- APK analysis arguments refactor
- Explicit Zipslip handling during ZIP extraction
- Graceful files extraction on unzip failure
- Removed bail out and continue analysis
- Moved androguard parsing to the start of static analysis
- AndroidManifest.xml fallback from apktool to androguard during extraction and parsing
- Updated Tasks UI to show started at
- Save only unique intent priorities in findings
- Add files list in scorecard description

- Bug Fixes
- Bug fix in firebase analysis
- Fixed bug in certificate analysis.
- Fix TOCTOU in delete scans view
- Bug fix in enqueue model schema
- Bug Fix in app_dict init.
- Fixed a bug in iOS pbxproj parsing
- Fixed a bug executing setup.sh script in python venv

What's Changed
* [HOTFIX] + Features by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2444
* 4.1.5 by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2445
* Add support for pulling split apks, Fixes 2271 by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2446
* docker compose QA, explicit requests timeout by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2447
* 4.1.8 by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2448
* 4.1.9 by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2449
* 4.2.0 by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2450
* 4.2.1 by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2451
* 4.2.2 by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2452
* [4.2.3] Update status on task timeout by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2454
* [4.2.4] Async analysis REST API support, fix timeout handle function, Qa by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2456
* 4.2.5 by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2457
* 4.2.6 by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2459
* [4.2.7] Androguard & ApkInspector Bump + Patch AXMLParsing by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2461
* [4.2.7] Updates by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2462
* [4.2.8] Multiple APK Analysis improvements, general Code QA & bug fixes by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2470
* Save only unique intent priorities in findings by dmarushkin in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2474
* Add files list in scorecard desc by dmarushkin in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2473
* Byte snipers patch 2 by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2477
* Nick lupien nick lupien/fix fps manifest analysis by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2484

New Contributors
* dmarushkin made their first contribution in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2474
* nick-lupien made contribution in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2484
* ByteSnipers made contribution in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2477

**Full Changelog**: https://github.com/MobSF/Mobile-Security-Framework-MobSF/compare/v4.1.3...v4.3.0

4.1.3

Not secure
- Features or Enhancements
- Improvement in SAST performance with libsast upgrade.
- Addressed a bug that caused SAST scans to time out.
- Added Firebase Remote Config Check
- Add support for searching scans by package name, app name and file name
- Exposed a REST API for search
- Add timeouts for each scan steps
- Added Autopep8 for code linting
- Added postgres support by default and updated docs to enable postgres support
- Upgraded docker file and dependencies
- Support Python 3.12

What's Changed
* Dockerfile upgrade, Postgres Support by Default, Bug Fixes by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2439
* Multiple QA by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2441
* Libsast bump by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2443


**Full Changelog**: https://github.com/MobSF/Mobile-Security-Framework-MobSF/compare/v4.0.7...v4.1.3

4.0.7

- Features or Enhancements
- Support Authentication & Authorization in MobSF
- Added support for SSO + Okta SSO Documentation
- Promoted from Beta to Stable since v4.0.0
- Added Pagination support for recent scans
- Added support for scanning AAB with MobSF
- Convert AAB to APK for scanning
- Dockerfile QA
- Prevent docker container exits on volume mount
- Android Frida root bypass and debugger bypass scripts improvements
- Added a new Android SAST Rule `android_webview_allow_file_from_url`
- Deeplink Trigger Support for Android Dynamic Analyzer
- Added support for real time scan status and scan logs in scan report, REST API exposed
- Add support for numeric iOS Bundle ID
- General Code QA
- Dependency Bump

- Security
- Fixed an SSRF in firebase db check in MobSF <=3.9.7
- Fixes a zip slip vulnerability in MobSF <= 4.0.6 affecting AR archive extraction

What's Changed
* [SECURITY] Fixes an SSRF vulnerability report from positive technologies by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2373
* Update README.md by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2383
* fix IP2Location error by ohyeah521 in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2372
* Update SUPPORT.md by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2384
* [EFR] AuthZ and AuthN for MobSF + Bug Fixes by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2366
* [EFR] SSO Support + Okta SSO Documentation by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2389
* [HOTFIX] SSO Support hosts behind proxy by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2390
* feat(page): recent scans add page jumper by miaoyc666 in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2348
* [HOTFIX] Support AAB with MobSF, Convert AAB to APK, Fixes 2387 by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2391
* [HOTFIX] Code QA by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2393
* [HOTFIX] AppSec PNW 2024, Deeplink Trigger Support for Android Dynamic Analyzer by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2402
* [HOTFIX] SECURITY.md by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2418
* [EFR] Realtime Scan status and logs by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2416
* [SECURITY][HOTFIX] Fixes GHSA-4hh3-vj32-gr6j by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2421
* [HOTFIX] Bump deps by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2426
* Check for internet before attempting to download APK by ayushmanchhabra in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2422
* [HOTFIX] dep bumps + Fix 2424 by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2431

New Contributors
* miaoyc666 made their first contribution in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2348
* ayushmanchhabra made their first contribution in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2422

**Full Changelog**: https://github.com/MobSF/Mobile-Security-Framework-MobSF/compare/v3.9.7...v4.0.7

3.9.7

Not secure
- Features or Enhancements
- iOS Dynamic Analyzer with Corellium
- Dynamic Analysis refactoring for Android and iOS
- Exposed iOS Dynamic Analysis REST APIs
- Added more helper Frida Scripts for Android and iOS Dynamic Analyzer
- Frida support improvements: Injected Frida Code View, Injection, Spawn, Attach and Session
- Corellium Reverse SSH connection support
- Enhancements to ARC and Stack Canary Checks in Mach-O Parsing
- Frida RPC Hooks support
- Frida Script QA
- Runtime Executable Tampering Detection
- iOS Dynamic Analysis REST API Docs
- Global Datatables Export as PDF, CSV, XLS, Copy and Print
- Corellium custom host domain support
- Huge improvements in Static Analysis report generation page rendering for APKs/IPAs with large amounts of data by JPSxzy8
- Scan independent library file (.so, .dylib, Framework dylib) from APK/IPA Static Analysis Report
- Library analysis refactored relative path helper for Django template.
- Re-introduced RELRO checks for Android, added Dart binary check to avoid Flutter false positives.
- Improved stripped debug symbol check for ELF and MachO using native OS tools such as nm and objdump when available.
- Merge iOS Framework and Dylib Analysis.
- SAST Performance improvements
- Android API Analysis rule QA
- Apksigner.jar fallback for signature parsing
- Simplify MobSF `scan` REST API
- Support for analysis of iOS Frameworks
- Android SVG icon parsing improvements
- Icon analysis refactor and support jpeg and webp icons
- Github action QA
- iOS: merge findings from Swift and Objective-C rules with the same rule identifier. Fixes 2287
- iOS Binary analysis, sort regex matches. Fixes 2252
- Framework dylibs with no extensions to skip PIE checks. Fixes 2307
- Select correct network_security config. Fixes 2049
- Android Manifest Analysis: added support for detecting task hijacking (StrandHogg 1.0 and StrandHogg 2.0). Fixes 2124
- Added new manifest analysis rule to warn on apps targeting older Android OS
- Updated severity of findings
- UI improvement for AppSec dashboard to show a loader
- UI changes in Static Analysis to collapse large numbers of files in API and Code Analysis for better use of screen real estate
- Improved certificate file analysis for android, jar, aar, and iOS
- AppLink asset json check multithreading performance improvements
- Code QA and ruleset improvements with ChatGPT
- Fixes 2324, a bug in parsing DSA Public Key parameters for fingerprint calculation.
- AssetLink check QA
- Remove Androguard dependency use only features required by MobSF

- Security
- Arbitrary file writes on Windows with apktool fixed
- Fixed an LFI reported by 0x33c0unt
- Fixed SSRF in AppLinks and Firebase database checks

What's Changed
* Performance Improvements on SAST by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2251
* add apksigner.jar for reading signatures by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2254
* [HOTFIX] add jar by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2255
* Bump Frida to address crash on M1 Mac by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2258
* Simplify Scan API by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2259
* [HOTFIX] iOS Framework Analysis + Multiple Feature QA by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2260
* [HOTFIX] Support webp for icon by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2267
* fixed that the icon cannot be found by ohyeah521 in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2265
* [HOTFIX] Allow jpeg icons by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2268
* Fix jadx and apktool failure due to JDK changes by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2269
* [HOTFIX][EFR] Priority Bug Fixes by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2275
* update apktool to 2.9.0 by superpoussin22 in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2278
* Build(deps): Bump django from 4.1.12 to 4.1.13 by dependabot in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2282
* iOS Dynamic Analysis with Corellium by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2194
* Dynamic Analysis Improvements Android & iOS by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2295
* Dec 2023 QA by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2297
* [HOTFIX] More Android & iOS Frida Scripts by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2299
* [HOTFIX] Android script loading, frida injected code view, paramiko SSH issues by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2300
* Enhancements to ARC and Stack Canary Checks in Mach-O Parsing by cpuu in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2284
* [HOTFIX] RPC hook suggestions + Bug Fix by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2301
* update apktool to 2.9.1 by superpoussin22 in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2304
* [EFR] QA Request by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2306
* Bug Fixes + Improvements by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2307
* ChatGPT Permission Mapping + Improved Description by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2308
* Windows Python tempfile permission error fix by ohyeah521 in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2309
* Multiple Features Improved or Added by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2310
* Malware Permission Check for Android by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2313
* [HOTFIX] Bug Fix and QA by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2315
* Using multithreading to improve code efficiency by ohyeah521 in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2319
* GPT Goodness by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2318
* Update SECURITY.md by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2323
* [HOTFIX][SECURITY] Fix an LFI, DSA Pub Key parsing bug and dependencies by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2326
* Filter out invalid links by ohyeah521 in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2322
* [SECURITY] Fix Arbitrary file writes on Windows by superpoussin22 in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2328
* Runtime Exec Tampering Detection, iOS Dynamic REST APIs, Datatables Export by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2339
* MOBSF_CORELLIUM_API_DOMAIN Update by HackJJ in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2347
* poetry pyqt5 fixes by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2362
* Remove Androguard dependency use only features required by MobSF by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2363
* Optimize rendering of big lists by JPSxzy8 in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2351
* Update SECURITY.md by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2364
* Update SECURITY.md by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2365
* Resolve the situation where the function name is bytes by ohyeah521 in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2367

New Contributors
* cpuu made their first contribution in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2284
* HackJJ made their first contribution in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2347
* JPSxzy8 made their first contribution in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2351

**Full Changelog**: https://github.com/MobSF/Mobile-Security-Framework-MobSF/compare/v3.7.6...v3.9.7
