
SAST Support for iOS & Android via MobSF Analyzer

Problem to solve

Add SAST support for mobile application scanning including:

  • iOS
    • Objective-C
    • Swift
  • Android
    • Java
    • Kotlin

Intended users

Status

2020.09.30 Update: An analyzer has been contributed to us which is intended to be the starting point for this effort.

Implementation Plan

  • Review code and ensure it meets our integration guidelines
  • Migrate code to the Secure Analyzers repo
  • Extend the SAST.gitlab-ci.yml vendored template to include the analyzer
  • Write new unit tests
  • Update QA projects

User experience goal

Release notes

Release post MR: gitlab-com/www-gitlab-com!64546. @tmccaslin to make a feature image similar to this one.

Relevant Black Hat Presentation

Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis of mobile applications. MobSF supports mobile app binaries (APK, IPA & APPX) along with zipped source code and provides REST APIs for seamless integration with your CI/CD or DevSecOps pipeline. The Dynamic Analyzer helps you to perform runtime security assessment and interactive instrumented tests.
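Integrating MobSF as a SAST analyzer means its static-analysis output has to be translated into the GitLab SAST report format (`gl-sast-report.json`) so findings land in the pipeline security tab and the vulnerability report. The converter below is an added example, not code from the MobSF project or from the contributed analyzer. It assumes the shape MobSF uses for Android code analysis in its JSON report (`code_analysis.findings`, keyed by rule id, each with `metadata` and a `files` map of path to comma-separated line numbers); the sample report, rule ids and descriptions are constructed for the example, and `count_at_or_above` is a hypothetical severity gate for use as a pipeline failure threshold.

```python
"""Convert a MobSF static-analysis JSON report into the GitLab SAST report format.

Added example; the MobSF report layout (code_analysis -> findings -> metadata/files)
is an assumption based on MobSF's JSON report, and the sample input is constructed.
"""
import hashlib
import json

# MobSF labels its findings "high", "warning", "info" or "good" (passed check).
# Mapping onto GitLab severities is this example's own choice.
SEVERITY_MAP = {"high": "High", "warning": "Medium", "info": "Info"}
SEVERITY_ORDER = ["Info", "Low", "Medium", "High", "Critical"]

# Constructed sample in the assumed MobSF report shape (not real scan output).
SAMPLE_MOBSF_REPORT = {
    "app_name": "demo",
    "code_analysis": {
        "findings": {
            "android_logging": {
                "files": {"com/example/demo/MainActivity.java": "12,45"},
                "metadata": {
                    "cwe": "CWE-532: Insertion of Sensitive Information into Log File",
                    "description": "The app logs information; sensitive data must not be logged.",
                    "severity": "info",
                },
            },
            "android_sqlite": {
                "files": {"com/example/demo/DbHelper.java": "30"},
                "metadata": {
                    "cwe": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command",
                    "description": "App uses raw SQL queries; untrusted input may lead to SQL injection.",
                    "severity": "warning",
                },
            },
            "android_safetynet": {
                "files": {},
                "metadata": {"description": "SafetyNet attestation is used.", "severity": "good"},
            },
        }
    },
}


def _fingerprint(rule_id: str, path: str, line: int) -> str:
    """Stable id per (rule, file, line) so re-scans de-duplicate in GitLab."""
    return hashlib.sha256(f"{rule_id}:{path}:{line}".encode()).hexdigest()[:32]


def _identifiers(rule_id: str, meta: dict) -> list:
    """Build GitLab identifiers: the MobSF rule id plus a CWE entry when present."""
    ids = [{"type": "mobsf_rule_id", "name": rule_id, "value": rule_id}]
    cwe = str(meta.get("cwe", ""))
    if cwe.upper().startswith("CWE-"):
        number = cwe.split(":")[0].split("-", 1)[1].strip()
        if number.isdigit():
            ids.append({"type": "cwe", "name": f"CWE-{number}", "value": number,
                        "url": f"https://cwe.mitre.org/data/definitions/{number}.html"})
    return ids


def mobsf_to_gitlab_sast(report: dict) -> dict:
    """Return a GitLab SAST report dict (schema version 15.0.0) for a MobSF report."""
    findings = report.get("code_analysis", {}).get("findings", {})
    vulns = []
    for rule_id, finding in findings.items():
        meta = finding.get("metadata", {})
        level = str(meta.get("severity", "")).lower()
        if level not in SEVERITY_MAP:
            continue  # "good" means the check passed; it is not a vulnerability
        for path, lines in finding.get("files", {}).items():
            for raw in str(lines).split(","):
                raw = raw.strip()
                if not raw.isdigit():
                    continue  # tolerate malformed line lists rather than crash the job
                line = int(raw)
                vulns.append({
                    "id": _fingerprint(rule_id, path, line),
                    "category": "sast",
                    "name": rule_id,
                    "message": meta.get("description", rule_id),
                    "description": meta.get("description", ""),
                    "severity": SEVERITY_MAP[level],
                    "scanner": {"id": "mobsf", "name": "MobSF"},
                    "location": {"file": path, "start_line": line, "end_line": line},
                    "identifiers": _identifiers(rule_id, meta),
                })
    return {"version": "15.0.0", "vulnerabilities": vulns}


def count_at_or_above(sast_report: dict, threshold: str = "High") -> int:
    """Hypothetical gate: number of findings at or above a severity threshold."""
    floor = SEVERITY_ORDER.index(threshold)
    return sum(1 for v in sast_report["vulnerabilities"]
               if SEVERITY_ORDER.index(v["severity"]) >= floor)


if __name__ == "__main__":
    converted = mobsf_to_gitlab_sast(SAMPLE_MOBSF_REPORT)
    print(json.dumps(converted, indent=2))
    print("findings at or above Medium:", count_at_or_above(converted, "Medium"))
```

In a real job the converted dict would be written to `gl-sast-report.json` and declared as the job's `reports: sast` artifact; the de-duplicating fingerprint matters because GitLab tracks vulnerabilities across pipelines by id, and a non-stable id turns every re-scan into a flood of "new" findings.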

Permissions and Security

  • Scanner will be available to all plan types as a Core analyzer

Documentation

Availability & Testing

Links / references

Edited by Taylor McCaslin