Mobsf

- Features or Enhancements
- Improvement in SAST performance with libsast upgrade.
- Address a bug that cause SAST scans to timeout.
- Added Firebase Remote Config Check
- Add support for searching scans by package name, app name and file name
- Exposed a REST API for search
- Add timeouts for each scan steps
- Added Autopep8 for code linting
- Added postgres support by default and updated docs to enable postgres support
- Upgraded docker file and dependencies
- Support Python 3.12

What's Changed
* Dockerfile upgrade, Postgres Support by Default, Bug Fixes by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2439
* Multiple QA by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2441
* Libsast bump by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2443


**Full Changelog**: https://github.com/MobSF/Mobile-Security-Framework-MobSF/compare/v4.0.7...v4.1.3

- Features or Enhancements
- Support Authentication & Authorization in MobSF
- Added support for SSO + Okta SSO Documentation
- Promoted from Beta to Stable since v4.0.0
- Added Pagination support for recent scans
- Added support for scanning AAB with MobSF
- Convert AAB to APK for scanning
- Dockerfile QA
- Prevent docker container exits on volume mount
- Android Frida root bypass and debugger bypass scripts improvements
- Added a new Android SAST Rule `android_webview_allow_file_from_url`
- Deeplink Trigger Support for Android Dynamic Analyzer
- Added support for real time scan status and scan logs in scan report, REST API exposed
- Add support for numeric iOS Bundle ID
- General Code QA
- Dependency Bump

- Security
- Fixed an SSRF in firebase db check in MobSF <=3.9.7
- Fixes a zip slip vulnerability in MobSF <= 4.0.6 affecting AR archive extraction

What's Changed
* [SECURITY] Fixes an SSRF vulnerability report from positive technologies by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2373
* Update README.md by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2383
* fix IP2Location error by ohyeah521 in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2372
* Update SUPPORT.md by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2384
* [EFR] AuthZ and AuthN for MobSF + Bug Fixes by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2366
* [EFR] SSO Support + Okta SSO Documentation by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2389
* [HOTFIX] SSO Support hosts behind proxy by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2390
* feat(page): recent scans add page jumper by miaoyc666 in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2348
* [HOTFIX] Support AAB with MobSF, Convert AAB to APK, Fixes 2387 by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2391
* [HOTFIX] Code QA by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2393
* [HOTFIX] AppSec PNW 2024, Deeplink Trigger Support for Android Dynamic Analyzer by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2402
* [HOTFIX] SECURITY.md by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2418
* [EFR] Realtime Scan status and logs by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2416
* [SECURITY][HOTFIX] Fixes GHSA-4hh3-vj32-gr6j by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2421
* [HOTFIX] Bump deps by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2426
* Check for internet before attempting to download APK by ayushmanchhabra in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2422
* [HOTFIX] dep bups + Fix 2424 by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2431

New Contributors
* miaoyc666 made their first contribution in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2348
* ayushmanchhabra made their first contribution in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2422

**Full Changelog**: https://github.com/MobSF/Mobile-Security-Framework-MobSF/compare/v3.9.7...v4.0.7

- Features or Enhancements
- iOS Dynamic Analyzer with Corellium
- Dynamic Analysis refactoring for Android and iOS
- Exposed iOS Dynamic Analysis REST APIs
- Added more helper Frida Scripts for Android and iOS Dynamic Analyzer
- Frida support improvements Injected Frida Code View, Injection, Spawn, Attach and Session
- Corellium Reverse SSH connection support
- Enhancements to ARC and Stack Canary Checks in Mach-O Parsing
- Frida RPC Hooks support
- Frida Script QA
- Runtime Executable Tampering Detection
- iOS Dynamic Analysis REST API Docs
- Global Datatables Export as PDF, CSV, XLS, Copy and Print
- Corellium custom host domain support
- Huge improvements in Static Analysis report generation page rendering for APKs/IPAs with large amount of data by JPSxzy8
- Scan independent library file (.so, .dylib, Framework dylib) from APK/IPA Static Analysis Report
- Library analysis refactored relative path helper for Django template.
- Re-introduced RELRO checks for Android, added Dart binary check to avoid Flutter false positives.
- Improved stripped debug symbol check for ELF and MachO using native OS tools such as nm and objdump when available.
- Merge iOS Framework and Dylib Analysis.
- SAST Performance improvements
- Android API Analysis rule QA
- Apksigner.jar fallback for signature parsing
- Simplify MobSF `scan` REST API
- Support for analysis of iOS Frameworks
- Android SVG icon parsing improvments
- Icon analysis refactor and support jpeg and webp icons
- Github action QA
- iOS merge findings from swift and objective c rules with same rule identifier. Fixes 2287
- iOS Binary analysis, sort regex matches. Fixes 2252
- Framework dylibs with no extensions to skip PIE checks. Fixes 2307
- Select correct network_security config. Fixes 2049
- Android Manifest Analysis added support for detecting task hijacking (StrandHogg 1.0 and StrandHogg 2.0) . Fixes 2124
- Added new manifest analysis rule to warn on apps targeting older Android OS
- Updated severity of findings
- UI improvement for AppSec dashboard to show a loader
- UI changes in Static Analysis to collapse large no of files in API and Code Analysis for better real estate
- Improved certificate file analysis for android, jar, aar, and iOS
- AppLink asset json check multithreading performance improvements
- Code QA and ruleset improvements with ChatGPT
- Fixes 2324 , Bug in parsing DSA Public Key parameters for fingerprint calculation.
- AssetLink check QA
- Remove Androguard dependency use only features required by MobSF

- Security
- Arbitrary file writes on Windows with apktool fixed
- Fixed an LFI reported by 0x33c0unt
- Fixed SSRF in AppLinks and Firebase database checks

What's Changed
* Performance Improvements on SAST by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2251
* add apksigner.jar for reading signatures by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2254
* [HOTFIX] add jar by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2255
* Bump Frida to address crash on M1 Mac by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2258
* Simplify Scan API by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2259
* [HOTFIX] iOS Framework Analysis + Multiple Feature QA by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2260
* [HOTFIX] Support webp for icon by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2267
* fixed that the icon cannot be found by ohyeah521 in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2265
* [HOTFIX] Allow jpeg icons by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2268
* Fix jadx and apktool failure due to JDK changes by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2269
* [HOTFIX][EFR] Priority Bug Fixes by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2275
* update apktool to 2.9.0 by superpoussin22 in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2278
* Build(deps): Bump django from 4.1.12 to 4.1.13 by dependabot in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2282
* iOS Dynamic Analysis with Corellium by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2194
* Dynamic Analysis Improvements Android & iOS by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2295
* Dec 2023 QA by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2297
* [HOTFIX] More Android & iOS Frida Scripts by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2299
* [HOTFIX] Android script loading, frida injected code view, paramiko SSH issues by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2300
* Enhancements to ARC and Stack Canary Checks in Mach-O Parsing by cpuu in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2284
* [HOTFIX] RPC hook suggestions + Bug Fix by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2301
* update apktool to 2.9.1 by superpoussin22 in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2304
* [EFR] QA Request by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2306
* Bug Fixes + Improvements by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2307
* ChatGPT Permission Mapping + Improved Description by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2308
* Windows Python tempfile permission error fix by ohyeah521 in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2309
* Multiple Features Improved or Added by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2310
* Malware Permission Check for Android by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2313
* [HOTFIX] Bug Fix and QA by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2315
* Using multithreading to improve code efficiency by ohyeah521 in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2319
* GPT Goodness by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2318
* Update SECURITY.md by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2323
* [HOTFIX][SECURITY] Fix an LFI, DSA Pub Key parsing bug and dependencies by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2326
* Filter out invalid links by ohyeah521 in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2322
* [SECURITY] Fix Arbitrary file writes on Windows by superpoussin22 in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2328
* Runtime Exec Tampering Detection, iOS Dynamic REST APIs, Datatables Export by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2339
* MOBSF_CORELLIUM_API_DOMAIN Update by HackJJ in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2347
* poetry pyqt5 fixes by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2362
* Remove Androguard dependency use only features required by MobSF by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2363
* Optimize rendering of big lists by JPSxzy8 in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2351
* Update SECURITY.md by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2364
* Update SECURITY.md by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2365
* Resolve the situation where the function name is bytes by ohyeah521 in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2367

New Contributors
* cpuu made their first contribution in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2284
* HackJJ made their first contribution in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2347
* JPSxzy8 made their first contribution in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2351

**Full Changelog**: https://github.com/MobSF/Mobile-Security-Framework-MobSF/compare/v3.7.6...v3.9.7

- Features or Enhancements
- Docker base image update to Ubuntu 22.04
- Dockerfile QA
- Migrated from Pip to Poetry for dependency management
- Migrate from setup.py to use poetry for build and publish
- Python 3.11 support
- Docker ADB connection improvements (host.docker.internal translation for localhost)
- IOS Swift RulesUpdates `ios_biometric_bool`, `ios_biometric_acl`, `ios_keychain_weak_acl_device_passcode`, `ios_keychain_weak_accessibility_value`, `ios_insecure_random_no_generator`, `ios_biometry_hardened`
- Android SCA rules update
- Entropies scan support for strings
- Regex Hardening: Fixes possible Regex DoS in rules and MobSF code base
- Tox QA
- Added poetry build test
- Updated mobsf PyPI publishing workflow
- Update local DBs
- URLs/Email extraction refactor
- Static and Dynamic Binary Analysis QA
- Refactor Dex permissions
- Refactor Androguard `apk.APK()` usage
- Fallback certificate analysis using apksigtool
- Use BeautifulSoup4 to prettify malformed XML
- Detect non standard XML namespace in AndroidManifest.xml, Fixes : 2198
- Updated android permissions list
- Updated android permission update check script
- Github Actions version update
- Apktool bump
- Bump httptools
- Bump yara-python-dex
- Docker image build test for PRs
- iOS Source Report Fix
- Removed unwanted pinned repository
- Frida APK Patcher (WIP)
- Fix for Recent Scans `scan not completed` for iOS zip
- Fix for MachO stripped symbols false positive
- Fix bug in IPA download
- iOS/Android form validation fix
- Fix missing exported components
- Enterprise Feature Request
- String extraction from APK, Source, AAR, JAR, SO.
- Android strings sections to show source of strings extracted
- Strings extraction refactor
- Support for independent `.so` scan
- Dylib analysis support
- Dylib string extraction
- Improved iOS Plist secret extraction
- Support for Independent `.dylib` scan
- Symbols view for dylib and so
- Trackers support for so
- AAR/JAR obfuscation and debug check
- Independent Static Library(.a) ELF/MachO Analysis
- Mac FAT binary only supported on Mac







What's Changed
* Update dynamic_analysis.html by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2218
* Hotfix: Handle Docker <-> ADB connectivity internally by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2219
* update apktool to 2.8.1 by superpoussin22 in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2220
* update apktool by superpoussin22 in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2225
* HOTFIX: Dynamic Analyzer Support Alert by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2227
* [HOTFIX] Regex + Rule Update by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2232
* [EFR06] Independent Shared Object (.so) Scan and Improved String search by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2228
* Update macho_analysis.py - SYMBOLS STRIPPED False Negative by Karmaz95 in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2234
* [EFR-08] Dylib + Symbols + Other Features by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2239
* Fix missing exported components by Abb4d0n in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2176
* [EFR09] AAR/JAR obfuscation and debug check + Exception Handed strings and symbols extraction by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2240
* [EFR10] Independent Static Library(.a) ELF/MachO Analysis by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2242
* Pip to poetry and Dockerfile update by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2244
* Docker Buildx test by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2247
* [HOTFIX] bs4 malformed xml parsing + xml namespace detection by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2248
* [HOTFIX] Migrate from setup.py to poetry, tox QA by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2249

New Contributors
* Karmaz95 made their first contribution in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2234
* Abb4d0n made their first contribution in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2176

**Full Changelog**: https://github.com/MobSF/Mobile-Security-Framework-MobSF/compare/v3.6.9...v3.7.6

- Features or Enhancements
- New Simplified and Updated Documentation https://mobsf.github.io/docs/#/
- MobSF Dynamic Analysis support for Docker image
- Updated Documentation to include support for Corellium ARM64 Android VMs
- Add support for environment variables to configure MobSF
- Android SCA extract icon from SVG
- OFAC Sanctioned Country Check
- Improved Android Certificate Analysis
- Updated Android Manifest Analysis Rules
- Enterprise Feature Request
- Summary of Findings under each section
- Support for independent scanning of AAR ad JAR files.

What's Changed
* Adding numeric_owner as a keyword argument by TrellixVulnTeam in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2050
* Scheduled weekly dependency update for week 41 by pyup-bot in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2046
* HOTFIX: UI changes and warning on mobsf.live by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2051
* Split certificate analysis out, suppression list fixes by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2052
* hotfix for quark rules location by superpoussin22 in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2053
* HOTFIX: jadx update to 1.4.5 by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2064
* Installation script error: Solving spelling error by th3-d4v1d-c0de in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2067
* Android APK support extracting icon SVG from XML by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2060
* HOTFIX: Setup improvement by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2078
* Apktool 2.7.0 update by superpoussin22 in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2082
* New Android Manifest Rule: App support vulnerable android versions by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2114
* Fix for filenames containing ampersand by evmxattr in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2129
* HOTFIX - Fix broken docker builds by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2135
* Fix Scorecard Severity Distribution chart data by antoinbo in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2140
* HOTIX: Update Dockerfile to install jq by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2149
* [HOTFIX] Add support for environment variable for MobSF config by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2150
* HOTFIX: Android min SDK check on janus vulnerability detection by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2159
* [Enterprise Feature Request EFR02] Support summary of severity in each section. by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2160
* [EFR05] Enterprise Feature Request: AAR and JAR support by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2163
* Scheduled weekly dependency update for week 24 by pyup-bot in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2187
* Feature updates and Bug Fixes by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2197
* HOTFIX: MobSF Android Dynamic Analysis Docker Support by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2214

New Contributors
* th3-d4v1d-c0de made their first contribution in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2067
* evmxattr made their first contribution in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2129
* antoinbo made their first contribution in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2140

**Full Changelog**: https://github.com/MobSF/Mobile-Security-Framework-MobSF/compare/v3.6.0...v3.6.9