$ git blame 3: MobSF/Mobile-Security-Framework-MobSF

Dec 06, 17

$ git blame

Hello and welcome. This will be an ongoing series of short posts where I outline the minor commits I make to security-related OSS.

The Tool

This post will be discussing my minor commit to MobSF.

MobSF is an all-in-one open source mobile application (Android/iOS/Windows) automated pen-testing framework.

The Problem

ISSUE#476

An issue was reported where MobSF gave a false positive result, warning against the use of SHA1 because the APK's signing certificate was signed with SHA1, while the APK itself was signed using SHA256.

My Contribution

PR#515

The fix for this bug required parsing the MANIFEST.MF file and warning the user about the potential conflict.

Code changes:

  • Add a SHA256DIGEST field to the StaticAnalyzerAndroid model

  • In views/android/cert_analysis.py, check for the existence of MANIFEST.MF and for the string SHA-256-Digest in it

  • Add sha256digest to cert_dic, which is later read by db_interaction.py for persistence

  • Add a case to the template that provides the warning

  • Edit the PDF template to match the report

Old (buggy) template:

<strong>Certificate Status: </strong><span class="label label-danger">Bad</span>
<strong>Description:</strong>The app is signed with `SHA1withRSA`. SHA1 hash algorithm is known to have collision issues.

New template:

<strong>Certificate Status: </strong><span class="label label-warning">Warning</span>
<strong>Description:</strong>The app is signed with `SHA1withRSA`. SHA1 hash algorithm is known to have collision issues.
<strong>Note:</strong>The manifest indicates `SHA256withRSA` is in use. Be sure to manually confirm this issue.
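The check the commit describes, written out end to end as an added example (my own illustration for this post, not the code from the PR or from MobSF): it reads META-INF/MANIFEST.MF out of an APK, collects the digest algorithm names the JAR signature used for the entries, and maps the certificate's signature algorithm plus that finding onto the Bad/Warning/Good statuses used by the template above. The manifest text and the zip standing in for an APK are constructed inline, and the function names are assumptions of this example.

```python
import io
import re
import zipfile

# Constructed sample MANIFEST.MF (not copied from any real APK). The digest
# values are dummy base64 placeholders; only the attribute names matter here.
SAMPLE_MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "Created-By: 1.8.0_151 (Oracle Corporation)\r\n"
    "\r\n"
    "Name: AndroidManifest.xml\r\n"
    "SHA-256-Digest: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\r\n"
    "\r\n"
    "Name: classes.dex\r\n"
    "SHA-256-Digest: BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=\r\n"
    "\r\n"
)

# Constructed legacy manifest with SHA1 entry digests, for comparison.
LEGACY_MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "\r\n"
    "Name: classes.dex\r\n"
    "SHA1-Digest: CCCCCCCCCCCCCCCCCCCCCCCCCCC=\r\n"
    "\r\n"
)

# Matches attribute names such as "SHA1-Digest:" and "SHA-256-Digest:".
DIGEST_ATTR = re.compile(r"^([A-Za-z0-9-]+)-Digest:", re.MULTILINE)


def unwrap_manifest(text):
    """Normalise line endings and join JAR-manifest continuation lines
    (a line starting with a single space continues the previous attribute)."""
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    return text.replace("\n ", "")


def manifest_digest_algorithms(text):
    """Return the set of digest algorithm names used by *-Digest attributes."""
    return set(DIGEST_ATTR.findall(unwrap_manifest(text)))


def read_manifest(apk_bytes):
    """Return META-INF/MANIFEST.MF as text, or None when the APK has none
    (an unsigned build, or one carrying only a v2/v3 signature block)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        if "META-INF/MANIFEST.MF" not in zf.namelist():
            return None
        return zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")


def certificate_status(cert_sig_algo, digest_algos):
    """Classify the way the patched template does:
    'bad'     - certificate signed with SHA1, no SHA-256 digests in the manifest
    'warning' - certificate signed with SHA1, but the manifest uses SHA-256 digests
    'good'    - certificate signature algorithm is not SHA1-based
    """
    if not cert_sig_algo.upper().startswith("SHA1"):
        return "good"
    if "SHA-256" in digest_algos:
        return "warning"
    return "bad"


def build_sample_apk(manifest_text):
    """Build a minimal zip standing in for an APK (constructed test input).
    Pass None to build one without a MANIFEST.MF at all."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035")
        if manifest_text is not None:
            zf.writestr("META-INF/MANIFEST.MF", manifest_text)
    return buf.getvalue()


def analyse(apk_bytes, cert_sig_algo):
    """End to end: read the manifest, collect digest names, classify.
    The 'sha256digest' flag mirrors the field the fix persists."""
    manifest = read_manifest(apk_bytes)
    digests = manifest_digest_algorithms(manifest) if manifest else set()
    return {
        "sha256digest": "SHA-256" in digests,
        "digest_algorithms": sorted(digests),
        "status": certificate_status(cert_sig_algo, digests),
    }


if __name__ == "__main__":
    apk = build_sample_apk(SAMPLE_MANIFEST)
    print(analyse(apk, "SHA1withRSA"))
```

Two caveats worth keeping in mind when reading the result. MANIFEST.MF only exists for the v1 (JAR) signature; the v2/v3 scheme keeps its digests in the APK Signing Block, so a missing manifest says nothing about how a v2-signed APK was hashed. And the manifest digests cover the zip entries, while the algorithm actually applied over the signature file lives in the .SF/.RSA pair, which is why the patched template downgrades the finding to a warning and asks for manual confirmation instead of clearing it.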