Mobsf

Latest version: v4.3.2

Page 2 of 14

3.7.6

Not secure
- Features or Enhancements
- Docker base image update to Ubuntu 22.04
- Dockerfile QA
- Migrated from Pip to Poetry for dependency management
- Migrate from setup.py to use poetry for build and publish
- Python 3.11 support
- Docker ADB connection improvements (host.docker.internal translation for localhost)
- iOS Swift rules updates: `ios_biometric_bool`, `ios_biometric_acl`, `ios_keychain_weak_acl_device_passcode`, `ios_keychain_weak_accessibility_value`, `ios_insecure_random_no_generator`, `ios_biometry_hardened`
- Android SCA rules update
- Entropies scan support for strings
- Regex Hardening: Fixes possible Regex DoS in rules and MobSF code base
- Tox QA
- Added poetry build test
- Updated mobsf PyPI publishing workflow
- Update local DBs
- URLs/Email extraction refactor
- Static and Dynamic Binary Analysis QA
- Refactor Dex permissions
- Refactor Androguard `apk.APK()` usage
- Fallback certificate analysis using apksigtool
- Use BeautifulSoup4 to prettify malformed XML
- Detect non-standard XML namespace in AndroidManifest.xml, Fixes: 2198
- Updated android permissions list
- Updated android permission update check script
- GitHub Actions version update
- Apktool bump
- Bump httptools
- Bump yara-python-dex
- Docker image build test for PRs
- iOS Source Report Fix
- Removed unwanted pinned repository
- Frida APK Patcher (WIP)
- Fix for Recent Scans `scan not completed` for iOS zip
- Fix for MachO stripped symbols false positive
- Fix bug in IPA download
- iOS/Android form validation fix
- Fix missing exported components
- Enterprise Feature Request
- String extraction from APK, Source, AAR, JAR, SO.
- Android strings sections to show source of strings extracted
- Strings extraction refactor
- Support for independent `.so` scan
- Dylib analysis support
- Dylib string extraction
- Improved iOS Plist secret extraction
- Support for Independent `.dylib` scan
- Symbols view for dylib and so
- Trackers support for so
- AAR/JAR obfuscation and debug check
- Independent Static Library(.a) ELF/MachO Analysis
- Mac FAT binary only supported on Mac







What's Changed
* Update dynamic_analysis.html by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2218
* Hotfix: Handle Docker <-> ADB connectivity internally by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2219
* update apktool to 2.8.1 by superpoussin22 in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2220
* update apktool by superpoussin22 in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2225
* HOTFIX: Dynamic Analyzer Support Alert by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2227
* [HOTFIX] Regex + Rule Update by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2232
* [EFR06] Independent Shared Object (.so) Scan and Improved String search by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2228
* Update macho_analysis.py - SYMBOLS STRIPPED False Negative by Karmaz95 in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2234
* [EFR-08] Dylib + Symbols + Other Features by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2239
* Fix missing exported components by Abb4d0n in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2176
* [EFR09] AAR/JAR obfuscation and debug check + Exception Handed strings and symbols extraction by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2240
* [EFR10] Independent Static Library(.a) ELF/MachO Analysis by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2242
* Pip to poetry and Dockerfile update by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2244
* Docker Buildx test by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2247
* [HOTFIX] bs4 malformed xml parsing + xml namespace detection by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2248
* [HOTFIX] Migrate from setup.py to poetry, tox QA by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2249

New Contributors
* Karmaz95 made their first contribution in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2234
* Abb4d0n made their first contribution in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2176

**Full Changelog**: https://github.com/MobSF/Mobile-Security-Framework-MobSF/compare/v3.6.9...v3.7.6

3.6.9

Not secure
- Features or Enhancements
- New Simplified and Updated Documentation https://mobsf.github.io/docs/#/
- MobSF Dynamic Analysis support for Docker image
- Updated Documentation to include support for Corellium ARM64 Android VMs
- Add support for environment variables to configure MobSF
- Android SCA extract icon from SVG
- OFAC Sanctioned Country Check
- Improved Android Certificate Analysis
- Updated Android Manifest Analysis Rules
- Enterprise Feature Request
- Summary of Findings under each section
- Support for independent scanning of AAR and JAR files.

What's Changed
* Adding numeric_owner as a keyword argument by TrellixVulnTeam in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2050
* Scheduled weekly dependency update for week 41 by pyup-bot in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2046
* HOTFIX: UI changes and warning on mobsf.live by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2051
* Split certificate analysis out, suppression list fixes by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2052
* hotfix for quark rules location by superpoussin22 in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2053
* HOTFIX: jadx update to 1.4.5 by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2064
* Installation script error: Solving spelling error by th3-d4v1d-c0de in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2067
* Android APK support extracting icon SVG from XML by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2060
* HOTFIX: Setup improvement by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2078
* Apktool 2.7.0 update by superpoussin22 in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2082
* New Android Manifest Rule: App support vulnerable android versions by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2114
* Fix for filenames containing ampersand by evmxattr in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2129
* HOTFIX - Fix broken docker builds by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2135
* Fix Scorecard Severity Distribution chart data by antoinbo in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2140
* HOTIX: Update Dockerfile to install jq by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2149
* [HOTFIX] Add support for environment variable for MobSF config by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2150
* HOTFIX: Android min SDK check on janus vulnerability detection by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2159
* [Enterprise Feature Request EFR02] Support summary of severity in each section. by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2160
* [EFR05] Enterprise Feature Request: AAR and JAR support by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2163
* Scheduled weekly dependency update for week 24 by pyup-bot in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2187
* Feature updates and Bug Fixes by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2197
* HOTFIX: MobSF Android Dynamic Analysis Docker Support by ajinabraham in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2214

New Contributors
* th3-d4v1d-c0de made their first contribution in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2067
* evmxattr made their first contribution in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2129
* antoinbo made their first contribution in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2140

**Full Changelog**: https://github.com/MobSF/Mobile-Security-Framework-MobSF/compare/v3.6.0...v3.6.9

3.6.0

Not secure
- Features or Enhancements
- False Positive Triaging / Suppression Triaging Support for critical Android and iOS Security Analysis features.
- Android Binary & Source - Supports Code Analysis and Manifest Analysis
- iOS Binary - Supports Binary Code Analysis
- iOS Source - Supports Code Analysis
- New REST APIs for Suppression Support
- Android Certificate Analysis improvements
- Remove RELRO check from android binary analysis due to false positives
- iOS Bundle ID extraction improvements
- Feature parity - Allow IPA downloads from reports view
- Code QA: Reduce False positives in identified secrets
- Check for updates from GitHub releases
- M1 Mac support
- Disabled by default feature to support hotspots in AppSec Scorecard
- Dependency updates
- Added CodeQL scan on MobSF python code base

- Bug Fixes
- Fixes 1999, 1917, 2042, 1981, 2014, 2043
- Fixed a bug in JSON response REST API
- iOS URL view fix
- Code fixes to address minor security issues in third-party libraries.
- Handle JADX timeouts

3.5.0

Not secure
- Features or Enhancements
- MobSF Application Security Scorecard for scoring mobile application security
- Scorecard REST API
- Published Static Analyzer online [mobsf.live](https://mobsf.live) (Thanks to Jovan Petrovic for sponsoring the server)
- Improved App Security Scoring Logic
- Improved PDF report with reduced generation times.
- Disable CVSSv2 by default.
- Non blocking file upload from home screen.
- Android and iOS SAST rule QA
- Manifest, Certificate, Transport Security and Network Security rule QA
- Common severity levels High, Warning, Info and Secure.


- Bug Fixes
- Fixes 1885
- Replaced PWD with dedicated server

3.4.6

Not secure
- Features or Enhancements
- Quark Version Update
- New Frida Scripts from F-Secure labs
- Manual Activity Launcher and REST API
- Suppress warnings from third party
- LIEF integration QA
- Update Janus Vulnerability description
- General Code QA
- Improve Setup script
- Update Dockerfile to use non-root user
- PDF in landscape
- Add healthcheck to Dockerfile
- Update Android API rules
- iOS Hardcoded Secret extraction from plists
- Add browsable activities in android diff
- Multiplatform docker image
- Added checks and bypass for certificate transparency
- Updated Android Static Analysis rules
- Improved Split APK support, now supports .apks file
- Ability to lookup and download APK from apktada/apkpure/apkplz
- Dynamic Analyzer: Get Runtime Application Third party dependencies
- Persist Frida Code change in session storage
- Show Base64 strings decoded at runtime and the called class
- Detect Trackers from Runtime Dependencies and Network Traffic
- Windows Binskim version pinning
- Global Proxy Configuration for Dynamic Analyzer

- Bug Fixes
- Fix Django 4.0 support
- Fix minor bugs
- Fix dependency issues

3.4.3

Not secure
- Features or Enhancements
- Android Dynamic Analysis TLS/SSL Security Tester
- Dynamic Analysis without Static Analysis
- Support Dynamic Analysis of third party apps in VM/AVD
- Download and perform static analysis of third party apps from VM/AVD
- Dynamic Analysis enhancement to preserve app config/data
- Improved SSL Pinning Bypass script
- Added Intent dumper auxiliary Frida script
- Added an auxiliary method bypass template script
- Security Hardening
- Addressing LGTM issues and QA
- Android Permissions Mapping update and Typo fix
- VirusTotal Code QA
- Refactored Logcat log viewer to show only app specific logs
- Xposed Improvements and updates of agents
- Updated frontend libraries for CodeMirror and EnlighterJS
- New REST API exposed for TLS/SSL tests
- General Code QA

- Bug Fixes
- Fixed Windows Setup script
- Fixed typo and incomplete description in Android permission mapping
