SAST Support for iOS & Android via MobSF Analyzer
Problem to solve
Add SAST support for mobile application scanning including:
- iOS
  - Objective-C
  - Swift
- Android
  - Java
  - Kotlin
Intended users
Status
2020.09.30 Update: An analyzer has been contributed to us which is intended to be the starting point for this effort.
Implementation Plan
- Review code and ensure it meets our integration guidelines
- Migrate code to the Secure Analyzers repo
- Extend the SAST.gitlab-ci.yml vendored template to include the analyzer
- Write new unit tests
- Update QA projects
User experience goal
- Integrate MobSF as an official SAST analyzer
Release notes
Release post MR: gitlab-com/www-gitlab-com!64546. @tmccaslin to make a feature image similar to this one.
Relevant Black Hat Presentation
Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis of mobile applications. MobSF supports mobile app binaries (APK, IPA & APPX) along with zipped source code and provides REST APIs for seamless integration with your CI/CD or DevSecOps pipeline. The Dynamic Analyzer helps you to perform runtime security assessment and interactive instrumented tests.
Permissions and Security
- Scanner will be available to all plan types as a Core analyzer
Documentation
- Add new rows to the supported languages for SAST doc section
Availability & Testing
Links / references
Designs
Relates to
- #199102 (13.5)
- #216020 (Next 1-3 releases)
- #321709 (Backlog)
Activity
- Author
@david @NicoleSchwartz in the AST MQ we were weak on mobile; next year, if this is easy to incorporate, it could help 2 MQs from now.
- 🤖 GitLab Bot 🤖 mentioned in issue gitlab-org/quality/triage-reports#297 (closed)
- Sofia Vistas added devopssecure groupstatic analysis typefeature labels
- 🤖 GitLab Bot 🤖 mentioned in issue #235088 (closed)
- Taylor McCaslin added Category:SAST SAST: New Scanner labels
- Taylor McCaslin added to epic &297
- Taylor McCaslin changed milestone to %Next 1-3 releases
- Developer
Blackhat talk on this: https://blackhat.app.swapcard.com/event/black-hat-usa-virtual/planning/UGxhbm5pbmdfMTMyMTcy
- Contributor
I think from what I could see it seems to do SAST, SCA, and DAST (but DAST we won't be able to do because there is no Android env). @tmccaslin, I don't think it fuzzes? But it does seem to already be container-friendly.
- 🤖 GitLab Bot 🤖 added [deprecated] Accepting merge requests label
- David DeSanto assigned to @david
- David DeSanto assigned to @tmccaslin
- Maintainer
@tmccaslin - Assigning to you and me so we can move the conversation forward on this. I'll add it to your 1:1 agenda for this week.
- 🤖 GitLab Bot 🤖 removed [deprecated] Accepting merge requests label
- 🤖 GitLab Bot 🤖 added sectionsec label
- Taylor McCaslin mentioned in issue #250482 (closed)
- Contributor
MobSF: https://github.com/MobSF/Mobile-Security-Framework-MobSF has both Malware Detection and static analysis. For upcoming work, we will focus only on static analysis for Mobile applications.
- Taylor McCaslin changed the description
- Taylor McCaslin changed title from evaluate Mobile Security Framework - MobSF to SAST Support for iOS & Android via MobSF Analyzer
- Taylor McCaslin added direction featureaddition labels
- Taylor McCaslin marked this issue as related to #199102 (closed)
- Taylor McCaslin marked this issue as related to #36783 (closed)
- Taylor McCaslin marked this issue as related to #216020 (closed)
- Taylor McCaslin mentioned in issue #199102 (closed)
- Taylor McCaslin mentioned in issue #36783 (closed)
- Taylor McCaslin mentioned in issue #216020 (closed)
- Taylor McCaslin unassigned @david
- Taylor McCaslin changed the description
- Developer
@rossfuhrman @ssarka @twoodham this issue has been transformed to handle the integration review and promotion to an official SAST scanner. I will update this issue once we have the code from the customer.
Please feel free to review the implementation plan.
- Taylor McCaslin added workflowplanning breakdown label
- Thomas Woodham added backend label
- Thomas Woodham removed featureaddition label
- Thomas Woodham changed the description
- Developer
@rossfuhrman, @ssarka - https://gitlab.com/gitlab-org/security-products/analyzers/mobsf is here now. Would you please investigate and flesh out an implementation plan? We'll get a better feel for which milestone this will land within based upon your findings.
- Contributor
Sure. We will investigate this project.
- Contributor
Paired up with @rossfuhrman.
The following are the initial findings and questions that we have found so far:
- Lack of sufficient unit tests.
- Lack of integration tests.
- We need to verify whether the report format is correct.
- Removing unnecessary references and adding credit to H-E-B in the README.
- We need to figure out how to distinguish an Android project from a normal Java project.
- How to disable malware detection in MobSF.
Did we miss anything here? I will add more findings tomorrow.
- @williams.brian-heb
I have a few things that were floating around on my To Do list.
- When I was testing it, I did have a few scans that came back with Unknown severity findings, so I think I wasn't able to discover all the severity levels (they aren't documented) (https://gitlab.com/gitlab-org/security-products/analyzers/mobsf/-/blob/master/report.go#L59)
- For Android, MobSF expects AndroidManifest.xml to be at either the project root or at app/src/main/AndroidManifest.xml, but we had one Android project that had the manifest at base/src/main/AndroidManifest.xml. If it's not at the expected path, then the scan won't run, so it needs to either be copied over before analysis or fixed upstream.
- Right now, there is no differentiation between Android and iOS scans. I can't decide if there is value in differentiating the two.
> We need to figure out how to distinguish an Android project from a normal Java project.
The MatchFunc searches for an AndroidManifest.xml file. Is that not sufficient?
- Developer
Thanks for all the work and these updates @williams.brian-heb!
> The MatchFunc searches for an AndroidManifest.xml file. Is that not sufficient?
Yes, that should be sufficient. Saikat's comment was more regarding how we determine if a scan should kick off in the pipeline, but I think we can look for that manifest in the to-be-added MobSF job definition.
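The manifest-path finding and the reply about the MatchFunc above come down to the same two checks: is there an AndroidManifest.xml anywhere in the checkout (if not, the project is plain Java/Kotlin and the mobile scan should be skipped), and is it at one of the paths MobSF reads (if not, copy it there before analysis). The Go program below is an added example written for this page, not code from the gitlab-org MobSF analyzer or from MobSF itself. The two accepted manifest paths are taken from the comment above; the skipped directory names, the refusal to overwrite an existing app/src/main/AndroidManifest.xml, and the function names are the example's own assumptions.

```go
// Added example for this page, not the GitLab MobSF analyzer's own code: detect
// an Android project by its AndroidManifest.xml and, when the manifest is not at
// a path MobSF reads (e.g. base/src/main/), stage a copy where MobSF expects it.
package main

import (
	"errors"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
)

// ErrNoManifest: the checkout is a plain Java/Kotlin project; skip the MobSF job.
var ErrNoManifest = errors.New("no AndroidManifest.xml found: not an Android project")

// Manifest paths MobSF is reported to accept, relative to the project root.
var expectedManifests = []string{"AndroidManifest.xml", "app/src/main/AndroidManifest.xml"}

// Assumed skip list: never the project's own manifest, and build output may hold copies.
var skipDirs = map[string]bool{".git": true, "build": true, ".gradle": true, "node_modules": true}

// FindAndroidManifest returns the slash-separated relative path of the manifest.
// Expected locations win; otherwise the first manifest met in a lexical walk is used.
func FindAndroidManifest(root string) (string, error) {
	for _, rel := range expectedManifests {
		if _, err := os.Stat(filepath.Join(root, filepath.FromSlash(rel))); err == nil {
			return rel, nil
		}
	}
	found := ""
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		switch {
		case err != nil:
			return err
		case d.IsDir() && path != root && skipDirs[d.Name()]:
			return fs.SkipDir
		case d.IsDir() || d.Name() != "AndroidManifest.xml" || found != "":
			return nil
		}
		rel, err := filepath.Rel(root, path)
		found = filepath.ToSlash(rel)
		return err
	})
	if err != nil {
		return "", err
	}
	if found == "" {
		return "", ErrNoManifest
	}
	return found, nil
}

// StageManifest makes the manifest at rel visible to MobSF: an expected path is
// left alone, any other location is copied to app/src/main/AndroidManifest.xml.
// O_EXCL refuses to overwrite a file already there, so a real one is never clobbered.
func StageManifest(root, rel string) (string, error) {
	for _, exp := range expectedManifests {
		if rel == exp {
			return rel, nil
		}
	}
	target := expectedManifests[1]
	src, err := os.Open(filepath.Join(root, filepath.FromSlash(rel)))
	if err != nil {
		return "", err
	}
	defer src.Close()
	dst := filepath.Join(root, filepath.FromSlash(target))
	if err := os.MkdirAll(filepath.Dir(dst), 0o755); err != nil {
		return "", err
	}
	out, err := os.OpenFile(dst, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o644)
	if err != nil {
		return "", fmt.Errorf("staging manifest: %w", err)
	}
	if _, err := io.Copy(out, src); err != nil {
		out.Close()
		return "", err
	}
	return target, out.Close()
}

func main() {
	root := "."
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	rel, err := FindAndroidManifest(root)
	if err == nil {
		rel, err = StageManifest(root, rel)
	}
	if err != nil { // ErrNoManifest here means: skip the MobSF job, do not fail it
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("manifest ready for MobSF at", rel)
}
```

Run it as `go run main.go /path/to/checkout` before the MobSF scan. ErrNoManifest is the condition under which a pipeline job should exit without scanning rather than fail, and checking the expected paths before walking the tree means a project that already has an app-module manifest is scanned as-is, with the walk only reached for layouts like base/src/main/.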
- @williams.brian-heb
Another thing: I chose to use the ZIP format because that way we can do scans without having to compile the project. I wonder if it is worthwhile to support the compiled formats (.apk / .ipa) as well. I don't think it's something that would be needed for initial release, but may be a want somewhere down the road.
- Developer
Ahh, thanks for calling that out. We hadn't made it that far in the review, but is good to know. I agree that support for .apk and .ipa files would make sense to add in the future.
- Developer
More notes:
- We can use the same logic here in our SAST vendored template for determining if we should run the scan.
- We should investigate the appropriateness of the various nosec directives (Info on nosec).
- Thomas Woodham changed milestone to %13.5
- Saikat Sarkar assigned to @ssarka
- rossfuhrman assigned to @rossfuhrman
- Contributor
According to the discussion on today's backlog refinement meeting, the following issues have been created:
- #259830 (closed) (13.5)
- #259831 (closed) (future)
- #259832 (closed) (13.5)
- #259833 (closed) (future)
- #259834 (closed) (13.5)
- #259837 (closed) (13.5)
We need to add descriptions to these issues and assign milestones.
@tmccaslin I have not created the issue for "File issue to add attribution to HEB in README". Do you want to create it? Moreover, we need to add an epic to all these issues so that we can easily keep track.
- Developer
An ultimate prospect has asked if MobSF will support React Native.
I believe it's a question of whether MobSF has rules for React Native for zip scanning, or if React Native would be supported via a compiled mobile binary.
- Thomas Woodham marked this issue as related to #259832 (closed)
- Thomas Woodham marked this issue as related to #259834 (closed)
- Thomas Woodham marked this issue as related to #259837 (closed)
- Thomas Woodham marked this issue as related to #259830 (closed)
- Taylor McCaslin added release post itemprimary label
- 🤖 GitLab Bot 🤖 added release post itemin review label and removed release post itemprimary label
- 🤖 GitLab Bot 🤖 mentioned in merge request gitlab-com/www-gitlab-com!64546 (merged)
- Taylor McCaslin changed the description
- rossfuhrman mentioned in merge request !45207 (merged)
- Taylor McCaslin changed epic to &4645
- Taylor McCaslin changed the description
- Taylor McCaslin added Community contribution label
- Developer
@rossfuhrman, @ssarka - is there more left to do here? If not, can we close out this issue?
- Developer
@twoodham I think we can close this out as we have shipped a v2.0.0 analyzer and we have open issues for the work that we did not accomplish yet. Curious to hear others' opinions though.
- Developer
Closing! All additional work can be logged under this parent epic: &4645
Amazing work everyone!
- Taylor McCaslin closed
- Developer
For any customer wanting to use our new iOS and Android scanner, please note that it is currently available in beta and requires you to opt in to use it.
https://docs.gitlab.com/ee/user/application_security/sast/#experimental-features
```yaml
include:
  - template: Security/SAST.gitlab-ci.yml
variables:
  SAST_EXPERIMENTAL_FEATURES: "true"
```
We appreciate any feedback you might have if you try it out!
- Maintainer
@tornikekikalishvili thanks for reporting this! I went ahead and opened a separate issue for us to schedule this and look into it: #321709 (closed)
- Contributor
Yes. We can close this issue. As I mentioned in https://docs.google.com/document/d/15cOuMg6-UVpK7x7bt8MdLbeZg5tAau9ANBM_Se9P5pw/edit#heading=h.vxbn3vloezc9, we need to mention MOBSF_API_KEY in the .gitlab-ci.yml file in order to run MobSF. We have an issue to move this variable to the SAST template: #270142 (closed).
As far as I have investigated, it is safe to store the variable in the SAST template, because it is only used for calling the service running inside the container: http://mobsf:8000/
- Lucas Charles marked this issue as related to #321709 (closed)
- Lucas Charles mentioned in issue #321709 (closed)
- Anand Haridasan
Does not show any vulnerabilities in the security tab. #337743 (closed)
- Kate Grechishkina mentioned in issue #339733