$ git blame
Hello and welcome. This will be an ongoing series of short posts where I outline the minor commits I make to security related OSS.
This post will be discussing my minor commit to MobSF.
MobSF is an all-in-one open source mobile application (Android/iOS/Windows) automated pen-testing framework.
An issue was reported where MobSF gave a false positive, warning against the use of SHA1, when SHA1 was used to sign the APK certificate but the APK itself was signed using SHA256.
The fix to this bug required parsing the MANIFEST.MF file, and providing guidance to the user of the potential conflict.
Add SHA256DIGEST field to the StaticAnalyzerAndroid Model
In views/android/cert_analysis.py, check for the existence of MANIFEST.MF, and check for the string
Add sha256digest to cert_dic, which later gets read by the db_interaction.py file for persistence
Add a case to the template that provides the warning
Edit the pdf template to match report
Old (buggy) template:
<strong>Certificate Status: </strong><span class="label label-danger">Bad</span> <strong>Description:</strong>The app is signed with `SHA1withRSA`. SHA1 hash algorithm is known to have collision issues.
New (fixed) template:
<strong>Certificate Status: </strong><span class="label label-warning">Warning</span> <strong>Description:</strong>The app is signed with `SHA1withRSA`. SHA1 hash algorithm is known to have collision issues. <strong>Note:</strong>The manifest indicates `SHA256withRSA` is in use. Be sure to manually confirm this issue.
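As an added illustration (my own example, not MobSF's code), here is how the manifest check and the resulting Bad/Warning/Good status could be implemented in Python. It assumes the check looks for `SHA-256-Digest` attributes in MANIFEST.MF, which the post does not spell out, and runs on a constructed manifest whose digest values are placeholders.

```python
import re

# Constructed sample MANIFEST.MF; digest values are placeholders, not real hashes.
# The third entry shows the format's line folding (a line starting with one
# space continues the previous attribute), which a naive substring check ignores.
SAMPLE_MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "Created-By: 1.8.0 (constructed)\r\n"
    "\r\n"
    "Name: AndroidManifest.xml\r\n"
    "SHA-256-Digest: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\r\n"
    "\r\n"
    "Name: classes.dex\r\n"
    "SHA1-Digest: CCCCCCCCCCCCCCCCCCCCCCCCCCC=\r\n"
    "SHA-256-Digest: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD=\r\n"
    "\r\n"
    "Name: res/layout/a_very_long_resource_name_that_forces_a_manifest_line_wr\r\n"
    " ap.xml\r\n"
    "SHA-256-Digest: BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=\r\n"
)

_DIGEST_RE = re.compile(r"^([A-Za-z0-9-]+)-Digest$")

def parse_manifest_digests(text):
    """Return {entry_name: {digest_algorithm, ...}} from a JAR-style manifest."""
    unfolded = re.sub(r"\r?\n ", "", text)          # join continuation lines
    result = {}
    for section in re.split(r"(?:\r?\n){2,}", unfolded):  # blank line = new section
        attrs = {}
        for line in section.splitlines():
            if ":" in line:
                key, value = line.split(":", 1)
                attrs[key.strip()] = value.strip()
        name = attrs.get("Name")
        if name is None:
            continue  # main section (Manifest-Version, Created-By) has no Name
        algs = set()
        for key in attrs:
            m = _DIGEST_RE.match(key)
            if m:
                algs.add(m.group(1))
        result[name] = algs
    return result

def classify_signature(sig_algorithm, manifest_text=None):
    """Mirror the template's three outcomes for a certificate signature algorithm."""
    if not sig_algorithm.upper().startswith("SHA1"):
        return "good", "The app is signed with `%s`." % sig_algorithm
    desc = ("The app is signed with `%s`. SHA1 hash algorithm is known to have "
            "collision issues." % sig_algorithm)
    entries = parse_manifest_digests(manifest_text) if manifest_text else {}
    if any("SHA-256" in algs for algs in entries.values()):
        return "warning", desc + " Note: the manifest indicates SHA-256 digests " \
                                 "are in use. Be sure to manually confirm this issue."
    return "bad", desc
```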