Releases: MobSF/Mobile-Security-Framework-MobSF

v4.1.3

05 Nov 00:30
17f3f02

v4.1.3 Changelog

  • Features or Enhancements
    • Improvement in SAST performance with libsast upgrade.
    • Addressed a bug that caused SAST scans to time out.
    • Added Firebase Remote Config Check
    • Add support for searching scans by package name, app name and file name
    • Exposed a REST API for search
    • Add timeouts for each scan step
    • Added Autopep8 for code linting
    • Added postgres support by default and updated docs to enable postgres support
    • Upgraded docker file and dependencies
    • Support Python 3.12

Full Changelog: v4.0.7...v4.1.3

v4.0.7

09 Oct 00:02
fec3706

v4.0.7 Changelog

  • Features or Enhancements

    • Support Authentication & Authorization in MobSF
    • Added support for SSO + Okta SSO Documentation
    • Promoted from Beta to Stable since v4.0.0
    • Added Pagination support for recent scans
    • Added support for scanning AAB with MobSF
    • Convert AAB to APK for scanning
    • Dockerfile QA
    • Prevent docker container exits on volume mount
    • Android Frida root bypass and debugger bypass scripts improvements
    • Added a new Android SAST Rule android_webview_allow_file_from_url
    • Deeplink Trigger Support for Android Dynamic Analyzer
    • Added support for real time scan status and scan logs in scan report, REST API exposed
    • Add support for numeric iOS Bundle ID
    • General Code QA
    • Dependency Bump
  • Security

    • Fixed an SSRF in the Firebase DB check in MobSF <= 3.9.7
    • Fixes a zip slip vulnerability in MobSF <= 4.0.6 affecting AR archive extraction

Full Changelog: v3.9.7...v4.0.7

v3.9.7 Beta

25 Mar 18:20
6bce5a2

v3.9.7 Beta Changelog

  • Features or Enhancements

    • iOS Dynamic Analyzer with Corellium
    • Dynamic Analysis refactoring for Android and iOS
    • Exposed iOS Dynamic Analysis REST APIs
    • Added more helper Frida Scripts for Android and iOS Dynamic Analyzer
    • Frida support improvements: Injected Frida Code View, Injection, Spawn, Attach and Session
    • Corellium Reverse SSH connection support
    • Enhancements to ARC and Stack Canary Checks in Mach-O Parsing
    • Frida RPC Hooks support
    • Frida Script QA
    • Runtime Executable Tampering Detection
    • iOS Dynamic Analysis REST API Docs
    • Global Datatables Export as PDF, CSV, XLS, Copy and Print
    • Corellium custom host domain support
    • Huge improvements in Static Analysis report generation page rendering for APKs/IPAs with large amount of data by @JPSxzy8
    • Scan independent library file (.so, .dylib, Framework dylib) from APK/IPA Static Analysis Report
    • Library analysis: refactored relative path helper for Django templates.
    • Re-introduced RELRO checks for Android, added Dart binary check to avoid Flutter false positives.
    • Improved stripped debug symbol check for ELF and MachO using native OS tools such as nm and objdump when available.
    • Merge iOS Framework and Dylib Analysis.
    • SAST Performance improvements
    • Android API Analysis rule QA
    • Apksigner.jar fallback for signature parsing
    • Simplify MobSF scan REST API
    • Support for analysis of iOS Frameworks
    • Android SVG icon parsing improvements
    • Icon analysis refactor and support jpeg and webp icons
    • Github action QA
    • iOS: merge findings from Swift and Objective-C rules with the same rule identifier. Fixes #2287
    • iOS Binary analysis, sort regex matches. Fixes #2252
    • Framework dylibs with no extensions to skip PIE checks. Fixes #2307
    • Select correct network_security config. Fixes #2049
    • Android Manifest Analysis: added support for detecting task hijacking (StrandHogg 1.0 and StrandHogg 2.0). Fixes #2124
    • Added new manifest analysis rule to warn on apps targeting older Android OS
    • Updated severity of findings
    • UI improvement for AppSec dashboard to show a loader
    • UI changes in Static Analysis to collapse a large number of files in API and Code Analysis for better real estate
    • Improved certificate file analysis for android, jar, aar, and iOS
    • AppLink asset json check multithreading performance improvements
    • Code QA and ruleset improvements with ChatGPT
    • Fixes #2324, bug in parsing DSA public key parameters for fingerprint calculation.
    • AssetLink check QA
    • Remove Androguard dependency use only features required by MobSF
  • Security

    • Arbitrary file writes on Windows with apktool fixed
    • Fixed an LFI reported by @0x33c0unt
    • Fixed SSRF in AppLinks and Firebase database checks

Full Changelog: v3.7.6...v3.9.7

v3.7.6 Beta

28 Aug 04:57
bb700fa

v3.7.6 Beta Changelog

  • Features or Enhancements
    • Docker base image update to Ubuntu 22.04
    • Dockerfile QA
    • Migrated from Pip to Poetry for dependency management
    • Migrate from setup.py to use poetry for build and publish
    • Python 3.11 support
    • Docker ADB connection improvements (host.docker.internal translation for localhost)
    • iOS Swift rule updates: ios_biometric_bool, ios_biometric_acl, ios_keychain_weak_acl_device_passcode, ios_keychain_weak_accessibility_value, ios_insecure_random_no_generator, ios_biometry_hardened
    • Android SCA rules update
    • Entropies scan support for strings
    • Regex Hardening: Fixes possible Regex DoS in rules and MobSF code base
    • Tox QA
    • Added poetry build test
    • Updated mobsf PyPI publishing workflow
    • Update local DBs
    • URLs/Email extraction refactor
    • Static and Dynamic Binary Analysis QA
    • Refactor Dex permissions
    • Refactor Androguard apk.APK() usage
    • Fallback certificate analysis using apksigtool
    • Use BeautifulSoup4 to prettify malformed XML
    • Detect non-standard XML namespace in AndroidManifest.xml. Fixes #2198
    • Updated android permissions list
    • Updated android permission update check script
    • Github Actions version update
    • Apktool bump
    • Bump httptools
    • Bump yara-python-dex
    • Docker image build test for PRs
    • iOS Source Report Fix
    • Removed unwanted pinned repository
    • Frida APK Patcher (WIP)
    • Fix for Recent Scans scan not completed for iOS zip
    • Fix for MachO stripped symbols false positive
    • Fix bug in IPA download
    • iOS/Android form validation fix
    • Fix missing exported components
  • Enterprise Feature Request
    • String extraction from APK, Source, AAR, JAR, SO.
    • Android strings sections to show source of strings extracted
    • Strings extraction refactor
    • Support for independent .so scan
    • Dylib analysis support
    • Dylib string extraction
    • Improved iOS Plist secret extraction
    • Support for Independent .dylib scan
    • Symbols view for dylib and so
    • Trackers support for so
    • AAR/JAR obfuscation and debug check
    • Independent Static Library(.a) ELF/MachO Analysis
    • Mac FAT binary only supported on Mac

Full Changelog: v3.6.9...v3.7.6

v3.6.9 Beta

23 Jul 19:43
d021da6

v3.6.9 Beta Changelog

  • Features or Enhancements
    • New Simplified and Updated Documentation https://mobsf.github.io/docs/#/
    • MobSF Dynamic Analysis support for Docker image
    • Updated Documentation to include support for Corellium ARM64 Android VMs
    • Add support for environment variables to configure MobSF
    • Android SCA extract icon from SVG
    • OFAC Sanctioned Country Check
    • Improved Android Certificate Analysis
    • Updated Android Manifest Analysis Rules
    • Enterprise Feature Request
      • Summary of Findings under each section
      • Support for independent scanning of AAR and JAR files.

Full Changelog: v3.6.0...v3.6.9

v3.6.0 Beta

04 Oct 04:46

IMPORTANT - IF YOU ARE UPDATING MOBSF

This release has database model changes. To update see: https://mobsf.github.io/docs/#/updating
This release has a breaking change. Please rescan all existing scans after the update. Perform rescan from Recent Scans view.

v3.6.0 Beta Changelog

  • Features or Enhancements

    • False Positive Triaging / Suppression Triaging Support for critical Android and iOS Security Analysis features.
      • Android Binary & Source - Supports Code Analysis and Manifest Analysis
      • iOS Binary - Supports Binary Code Analysis
      • iOS Source - Supports Code Analysis
      • New REST APIs for Suppression Support
    • Android Certificate Analysis improvements
    • Remove RELRO check from android binary analysis due to false positives
    • iOS Bundle ID extraction improvements
    • Feature parity - Allow IPA downloads from reports view
    • Code QA: Reduce False positives in identified secrets
    • Check for updates from Github releases
    • M1 Mac support
    • Disabled by default feature to support hotspots in AppSec Scorecard
    • Dependency updates
    • Added CodeQL scan on MobSF python code base
  • Bug Fixes

    • Fixes #1999, #1917, #2042, #1981, #2014, #2043
    • Fixed a bug in JSON response REST API
    • iOS URL view fix
    • Code fixes to address minor security issues in third party libraries.
    • Handle JADX timeouts

v3.5.0 Beta

23 Jan 23:08
3c6bf4e

IMPORTANT - IF YOU ARE UPDATING MOBSF

This release has database model changes. To update see: https://mobsf.github.io/docs/#/updating
This release has a breaking change. Please rescan all existing scans after the update. Perform rescan from Recent Scans view.

v3.5.0 Beta Changelog

  • Features or Enhancements

    • MobSF Application Security Scorecard for scoring mobile application security
    • Scorecard REST API
    • Published Static Analyzer online mobsf.live (Thanks to Jovan Petrovic for sponsoring the server)
    • Improved App Security Scoring Logic
    • Improved PDF Report, Reduce generation times.
    • Disable CVSSv2 by default.
    • Non blocking file upload from home screen.
    • Android and iOS SAST rule QA
    • Manifest, Certificate, Transport Security and Network Security rule QA
    • Common severity levels High, Warning, Info and Secure.
  • Bug Fixes

    • Fixes #1885
    • Replaced PWD with dedicated server

v3.4.6 Beta

08 Jan 22:25
8a7cb0a

v3.4.6 Beta Changelog

  • Features or Enhancements

    • Quark Version Update
    • New Frida Scripts from F-Secure labs
    • Manual Activity Launcher and REST API
    • Suppress warnings from third party
    • LIEF integration QA
    • Update Janus Vulnerability description
    • General Code QA
    • Improve Setup script
    • Update Dockerfile to use non-root user
    • PDF in landscape
    • Add healthcheck to dockerfile
    • Update Android API rules
    • iOS Hardcoded Secret extraction from plists
    • Add browsable activities in android diff
    • Multiplatform docker image
    • Added checks and bypass for certificate transparency
    • Updated Android Static Analysis rules
    • Improved Split APK support, now supports .apks file
    • Ability to lookup and download APK from apktada/apkpure/apkplz
    • Dynamic Analyzer: Get Runtime Application Third party dependencies
    • Persist Frida Code change in session storage
    • Show Base64 strings decoded at runtime and the called class
    • Detect Trackers from Runtime Dependencies and Network Traffic
    • Windows Binskim version pinning
    • Global Proxy Configuration for Dynamic Analyzer
  • Bug Fixes

    • Fix Django 4.0 support
    • Fix minor bugs
    • Fix dependency issues

v3.4.3 Beta

25 Apr 07:26
44998d5

v3.4.3 Beta Changelog

  • Features or Enhancements

    • Android Dynamic Analysis TLS/SSL Security Tester
    • Dynamic Analysis without Static Analysis
    • Support Dynamic Analysis of third party apps in VM/AVD
    • Download and perform static analysis of third party apps from VM/AVD
    • Dynamic Analysis enhancement to preserve app config/data
    • Improved SSL Pinning Bypass script
    • Added Intent dumper auxiliary Frida script
    • Added an auxiliary method bypass template script
    • Security Hardening
    • Addressing LGTM issues and QA
    • Android Permissions Mapping update and Typo fix
    • VirusTotal Code QA
    • Refactored Logcat log viewer to show only app specific logs
    • Xposed Improvements and updates of agents
    • Updated frontend libraries for CodeMirror and EnlighterJS
    • New REST API exposed for TLS/SSL tests
    • General Code QA
  • Bug Fixes

    • Fixed Windows Setup script
    • Fixed typo and incomplete description in Android permission mapping

v3.4.0 Beta

27 Mar 23:59
c660ca0

From 3.4.0 onwards, MobSF user configuration and data are stored under <user_home_dir>/.MobSF/. Also, instead of mobsf/MobSF/settings.py, please use <user_home_dir>/.MobSF/config.py

You can now install mobsf from pypi https://pypi.org/project/mobsf/ provided you have installed all the requirements in documentation.

Install and Setup

python3 -m venv venv
source venv/bin/activate
pip install mobsf
mobsfdb # migrate database

Run

mobsf 127.0.0.1:8000 # run mobsf

v3.4.0 Beta Changelog

  • Features or Enhancements

    • Android Hardcoded Secrets False Positive Improvement
    • New Android Crypto Rule
    • Rescan Fail-Safe and Code QA
    • Auto Comment for PR and Issues
    • USE_HOME by default
    • Dynamically Display Config Location
  • Bug Fixes

    • Fixed a bug in iOS ATS plist analysis