SAST Support for iOS & Android via MobSF Analyzer

Problem to solve

Add SAST support for mobile application scanning including:

• iOS
  • Objective-C
  • Swift
• Android
  • Java
  • Kotlin

Intended users

• Sasha (Software Developer)
• Sam (Security Analyst)

Status

2020.09.30 Update: An analyzer has been contributed to us which is intended to be the starting port for this effort.

Implementation Plan

• Review code and ensure it meets our integration guidelines
• Migrate code to the Secure Analyzers repo
• Extend the SAST.gitlab-ci.yml vendored template to include the analyzer
• Write new unit tests
• Update QA projects

User experience goal

• Integrate MobSF as an official SAST analyzer

Release notes

Release post MR - gitlab-com/www-gitlab-com!64546 (diffs) @tmccaslin to make a feature image similar to this one.

Relevant Black Hat Presentation

Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis of mobile applications. MobSF support mobile app binaries (APK, IPA & APPX) along with zipped source code and provides REST APIs for seamless integration with your CI/CD or DevSecOps pipeline.The Dynamic Analyzer helps you to perform runtime security assessment and interactive instrumented tests.

Permissions and Security

• Scanner will be available to all plan types as a Core analyzer

Documentation

• Add new rows to the supported languages for SAST doc section

Availability & Testing

Links / references

@david @NicoleSchwartz in the AST MQ we were weak on mobile, next year if this is easy to incorporate it could help 2 MQ from now

mentioned in issue gitlab-org/quality/triage-reports#297 (closed)

added devopssecure groupstatic analysis typefeature labels

mentioned in issue #235088 (closed)

added Category:SAST SAST: New Scanner labels

added to epic &297

changed milestone to %Next 1-3 releases

Blackhat talk on this: https://blackhat.app.swapcard.com/event/black-hat-usa-virtual/planning/UGxhbm5pbmdfMTMyMTcy

I think from what I could see it seems to do SAST, SCA, and DAST (but DAST we won't be able to do b/c no android env) @tmccaslin i don't think it fuzzes? but it does seem to already be container-friendly

https://twitter.com/OpenSecurity_IN/status/1292916001668038663

added [deprecated] Accepting merge requests label

assigned to @david

assigned to @tmccaslin

@tmccaslin - Assigning to you and me so we can move the conversation forward on this. I'll add it to your 1:1 agenda for this week.

removed [deprecated] Accepting merge requests label

added sectionsec label

mentioned in issue #250482 (closed)

MobSF: https://github.com/MobSF/Mobile-Security-Framework-MobSF has both Malware Detection and static analysis. For upcoming work, we will focus only on static analysis for Mobile applications.

changed the description

changed title from evaluate Mobile Security Framework - MobSF to SAST Support for iOS & Android via MobSF Analyzer

added direction featureaddition labels

marked this issue as related to #199102 (closed)

marked this issue as related to #36783 (closed)

marked this issue as related to #216020 (closed)

mentioned in issue #199102 (closed)

mentioned in issue #36783 (closed)

mentioned in issue #216020 (closed)

unassigned @david

changed the description

@rossfuhrman @ssarka @twoodham this issue has been transformed to handle the integration review and promotion to an official SAST scanner. I will update this issue once we have the code from the customer.

Please feel free to review the implementation plan.

added workflowplanning breakdown label

added backend label

removed featureaddition label

changed the description

@rossfuhrman, @ssarka - https://gitlab.com/gitlab-org/security-products/analyzers/mobsf is here now. Would you please investigate and flesh out an implementation plan? We'll get a better feel for which milestone this will land within based upon your findings.

Sure. We will investigate this project.

Paired up with @rossfuhrman

The following are the initial findings and questions that we found so far.

• Lack of sufficient unit tests.
• Lack of integration test.
• We need to verify whether the report format is correct.
• Removing unnecessary references and adding credit to H-E-B to the readme
• We need to figure out how to distinguish Android project from normal java project.
• How to disable malware detection in MobSF.

Did we miss anything here? I will add more findings tomorrow.

I have a few things that were floating around on my To Do list.

• When I was testing it, I did have a few scans that came back with Unknown severity findings, so I think I wasn't able to discover all the severity levels (they aren't documented) (https://gitlab.com/gitlab-org/security-products/analyzers/mobsf/-/blob/master/report.go#L59)
• For Android, MobSF expects AndroidManifest.xml to be at either the project root or at app/src/main/AndroidManifest.xml, but we had one Android project that had the manifest at base/src/main/AndroidManifest.xml. If it's not at the expected path, then the scan won't run, so it needs to either be copied over before analysis or fixed upstream.
• Right now, there is no differentiation between Android and iOS scans. I can't decide if there is value in differentiating the two.

We need to figure out how to distinguish Android project from normal java project.

The MatchFunc searches for an AndroidManifest.xml file. Is that not sufficient?

Thanks for all the work and these updates @williams.brian-heb!

The MatchFunc searches for an AndroidManifest.xml file. Is that not sufficient?

Yes, that should be sufficient. Saikat's comment was more regarding how we determine if a scan should kick off in the pipeline, but I think we can look for that manifest in the to-be-added MobSF job definition.

Another thing: I chose to use the ZIP format because that way we can do scans without having to compile the project. I wonder if it is worthwhile to support the compiled formats (.apk / .ipa) as well. I don't think it's something that would be needed for initial release, but may be a want somewhere down the road.

Ahh, thanks for calling that out. We hadn't made it that far in the review, but is good to know. I agree that support for .apk and .ipa files would make sense to add in the future.

More notes:

• We can use the same logic here in our SAST vendored template for determining if we should run the scan
• We should investigate the appropriateness of the various nosec directives Info on nosec

changed milestone to %13.5

assigned to @ssarka

assigned to @rossfuhrman

According to the discussion on today's backlog refinement meeting, the following issues have been created:

• #259830 (closed) (13.5)
• #259831 (closed) (future)
• #259832 (closed) (13.5)
• #259833 (closed) (future)
• #259834 (closed) (13.5)
• #259837 (closed) (13.5)

We need to add descriptions to these issues and assign milestones.

@tmccaslin I have not created the issue for File issue to add attribution to HEB in README. Do you want to create it? Moreover, we need to add an epic to all these issues so that we can easily keep track.

An ultimate prospect has asked if MobSF will will support ReactNative.

I believe it's a question if MobSF has rules for ReactNative for zip scanning, or if ReactNative would be supported via complied mobile binary.

marked this issue as related to #259832 (closed)

marked this issue as related to #259834 (closed)

marked this issue as related to #259837 (closed)

marked this issue as related to #259830 (closed)

added release post itemprimary label

added release post itemin review label and removed release post itemprimary label

mentioned in merge request gitlab-com/www-gitlab-com!64546 (merged)

changed the description