code

package
Version: v0.2.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Sep 29, 2019 License: MPL-2.0 Imports: 9 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source
var APIs = []entities.ApiMatcher{
	{
		ApiRule: entities.ApiRule{
			Description: "Network Calls",
		},
		Match: func(s string) bool {
			r, _ := regexp.MatchString(`NSURL|CFStream|NSStream`, s)
			return r
		},
	},
	{ApiRule: entities.ApiRule{
		Description: "Local File I/O Operations.",
	},
		Match: func(s string) bool {
			r, _ := regexp.MatchString(
				`Keychain|kSecAttrAccessibleWhenUnlocked|kSecAttrAccessibleAfterFirstUnlock|SecItemAdd|`+`
				SecItemUpdate|NSDataWritingFileProtectionComplete`, s)
			return r
		},
	},
	{
		ApiRule: entities.ApiRule{
			Description: "WebView Component",
		},
		Match: func(s string) bool {
			r, _ := regexp.MatchString("UIWebView", s)
			return r
		},
	},
	{
		ApiRule: entities.ApiRule{
			Description: "Encryption API",
		},
		Match: func(s string) bool {
			r, _ := regexp.MatchString("RNEncryptor|RNDecryptor|AESCrypt", s)
			return r
		},
	},
	{
		ApiRule: entities.ApiRule{
			Description: "Keychain Access",
		},
		Match: func(s string) bool {
			return strings.Contains(s, "PDKeychainBindings")
		},
	},
	{
		ApiRule: entities.ApiRule{
			Description: "WebView Load Request",
		},
		Match: func(s string) bool {
			return strings.Contains(s, "loadRequest") && strings.Contains(s, "webView")
		},
	},
}
View Source
var Rules = [...]entities.CodeMatcher{
	{
		CodeRule: entities.CodeRule{
			Description: "The App may contain banned API(s). These API(s) are insecure and must not be used.",
			Level:       entities.HighLevel,
			Cvss:        2.2,
			Cwe:         "CWE-676",
		},
		Match: func(s string) bool {
			r, _ := regexp.MatchString(`strcpy|memcpy|strcat|strncat|strncpy|sprintf|vsprintf|gets`, s)
			return r
		},
	},
	{
		CodeRule: entities.CodeRule{
			Description: "App allows self signed or invalid SSL certificates. App is vulnerable to MITM attacks.",
			Level:       entities.HighLevel,
			Cvss:        7.4,
			Cwe:         "CWE-295",
		},
		Match: func(s string) bool {
			r, _ := regexp.MatchString(
				`canAuthenticateAgainstProtectionSpace|continueWithoutCredentialForAuthenticationChallenge|`+
					`kCFStreamSSLAllowsExpiredCertificates|kCFStreamSSLAllowsAnyRoot|`+
					`kCFStreamSSLAllowsExpiredRoots|validatesSecureCertificate\s*=\s*(no|NO)|`+
					`allowInvalidCertificates\s*=\s*(YES|yes)`, s)
			return r
		},
	},
	{
		CodeRule: entities.CodeRule{
			Description: "UIWebView in App ignore SSL errors and accept any SSL Certificate. App is vulnerable to MITM attacks.",
			Level:       entities.HighLevel,
			Cvss:        7.4,
			Cwe:         `CWE-295`,
		},
		Match: func(s string) bool {
			r, _ := regexp.MatchString(
				`setAllowsAnyHTTPSCertificate:\s*YES|allowsAnyHTTPSCertificateForHost|`+
					`loadingUnvalidatedHTTPSPage\s*=\s*(YES|yes)`, s)
			return r
		},
	},
	{
		CodeRule: entities.CodeRule{
			Description: "Files may contain hardcoded sensitive informations like usernames, passwords, keys etc.",
			Level:       entities.HighLevel,
			Cvss:        7.4,
			Cwe:         "CWE-312",
		},
		Match: func(s string) bool {
			r, _ := regexp.MatchString(
				`(password\s*=\s*@*\s*['|"].+['|"]\s{0,5})|(pass\s*=\s*@*\s*['|"].+['|"]\s{0,5})|`+
					`(username\s*=\s*@*\s*['|"].+['|"]\s{0,5})|(secret\s*=\s*@*\s*['|"].+['|"]\s{0,5})|`+
					`(key\s*=\s*@*\s*['|"].+['|"]\s{0,5})`, strings.ToLower(s))
			return r
		},
	},
	{
		CodeRule: entities.CodeRule{
			Description: "IP Address disclosure",
			Level:       entities.WarningLevel,
			Cvss:        4.3,
			Cwe:         "CWE-200",
		},
		Match: func(s string) bool {
			r, _ := regexp.MatchString(`\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}`, s)
			return r
		},
	},
	{
		CodeRule: entities.CodeRule{
			Description: "The App logs information. Sensitive information should never be logged.",
			Level:       entities.InfoLevel,
			Cvss:        7.5,
			Cwe:         "CWE-532",
		},
		Match: func(s string) bool {
			r, _ := regexp.MatchString(`NSLog|NSAssert|fprintf|Logging`, s)
			return r
		},
	},
	{
		CodeRule: entities.CodeRule{
			Description: "This app listens to Clipboard changes. Some malwares also listen to Clipboard changes.",
			Level:       entities.WarningLevel,
			Cvss:        0.,
			Cwe:         "",
		},
		Match: func(s string) bool {
			r, _ := regexp.MatchString(`UIPasteboardChangedNotification|generalPasteboard]\.string`, s)
			return r
		},
	},
	{
		CodeRule: entities.CodeRule{
			Description: "App uses SQLite Database. Sensitive Information should be encrypted.",
			Level:       entities.InfoLevel,
			Cvss:        0.,
			Cwe:         "",
		},
		Match: func(s string) bool {
			return strings.Contains(s, "sqlite3_exec")
		},
	},
	{
		CodeRule: entities.CodeRule{
			Description: "Untrusted user input to \"NSTemporaryDirectory()\" will result in path traversal vulnerability.",
			Level:       entities.WarningLevel,
			Cvss:        7.5,
			Cwe:         "CWE-22",
		},
		Match: func(s string) bool {
			return strings.Contains(s, "NSTemporaryDirectory()")
		},
	},
	{
		CodeRule: entities.CodeRule{
			Description: "User input in \"loadHTMLString\" will result in JavaScript Injection.",
			Level:       entities.WarningLevel,
			Cvss:        8.8,
			Cwe:         "CWE-95",
		},
		Match: func(s string) bool {
			return strings.Contains(s, "loadHTMLString") && strings.Contains(s, "webView")
		},
	},
	{
		CodeRule: entities.CodeRule{
			Description: "SFAntiPiracy Jailbreak checks found",
			Level:       entities.GoodLevel,
			Cvss:        0,
			Cwe:         "",
		},
		Match: func(s string) bool {
			return strings.Contains(s, "SFAntiPiracy.h") && strings.Contains(s, "SFAntiPiracy") &&
				strings.Contains(s, "isJailbroken")
		},
	},
	{
		CodeRule: entities.CodeRule{
			Description: "SFAntiPiracy Piracy checks found",
			Level:       entities.GoodLevel,
			Cvss:        0,
			Cwe:         "",
		},
		Match: func(s string) bool {
			return strings.Contains(s, "SFAntiPiracy.h") && strings.Contains(s, "SFAntiPiracy") &&
				strings.Contains(s, "isPirated")
		},
	},
	{
		CodeRule: entities.CodeRule{
			Description: "MD5 is a weak hash known to have hash collisions.",
			Level:       entities.HighLevel,
			Cvss:        7.4,
			Cwe:         "CWE-327",
		},
		Match: func(s string) bool {
			return strings.Contains(s, "CommonDigest.h") && strings.Contains(s, "CC_MD5")
		},
	},
	{
		CodeRule: entities.CodeRule{
			Description: "SHA1 is a weak hash known to have hash collisions.",
			Level:       entities.HighLevel,
			Cvss:        7.4,
			Cwe:         "CWE-327",
		},
		Match: func(s string) bool {
			return strings.Contains(s, "CommonDigest.h") && strings.Contains(s, "CC_SHA1")
		},
	},
	{
		CodeRule: entities.CodeRule{
			Description: "The App uses ECB mode in Cryptographic encryption algorithm. ECB mode is known to be weak as it " +
				"results in the same ciphertext for identical blocks of plaintext.",
			Level: entities.HighLevel,
			Cvss:  5.9,
			Cwe:   "CWE-327",
		},
		Match: func(s string) bool {
			return strings.Contains(s, "kCCOptionECBMode") && strings.Contains(s, "kCCAlgorithmAES")
		},
	},
	{
		CodeRule: entities.CodeRule{
			Description: "The App has anti-debugger code using ptrace()",
			Level:       entities.HighLevel,
			Cvss:        0,
			Cwe:         "",
		},
		Match: func(s string) bool {
			return strings.Contains(s, "ptrace_ptr") && strings.Contains(s, "PT_DENY_ATTACH")
		},
	},
	{
		CodeRule: entities.CodeRule{
			Description: "This App has anti-debugger code using Mach Exception Ports.",
			Level:       entities.InfoLevel,
			Cvss:        0,
			Cwe:         "",
		},
		Match: func(s string) bool {
			return strings.Contains(s, "mach/mach_init.h") && (strings.Contains(s, "MACH_PORT_VALID") ||
				strings.Contains(s, "mach_task_self()"))
		},
	},
	{
		CodeRule: entities.CodeRule{
			Description: "This App copies data to clipboard. Sensitive data should not be copied to clipboard as other " +
				"applications can access it.",
			Level: entities.InfoLevel,
			Cvss:  0,
			Cwe:   "",
		},
		Match: func(s string) bool {
			return strings.Contains(s, "UITextField") && (strings.Contains(s, "@select(cut:)") ||
				strings.Contains(s, "@select(copy:)"))
		},
	},
	{
		CodeRule: entities.CodeRule{
			Description: "This App may have Jailbreak detection capabilities.",
			Level:       entities.GoodLevel,
			Cvss:        0,
			Cwe:         "",
		},
		Match: func(s string) bool {
			for _, m := range []string{
				"/Applications/Cydia.app", "/Library/MobileSubstrate/MobileSubstrate.dylib",
				"/usr/sbin/sshd", "/etc/apt", "cydia://", "/var/lib/cydia", "/Applications/FakeCarrier.app",
				"/Applications/Icy.app", "/Applications/IntelliScreen.app", "/Applications/SBSettings.app",
				"/Library/MobileSubstrate/DynamicLibraries/LiveClock.plist",
				"/System/Library/LaunchDaemons/com.ikey.bbot.plist",
				"/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist",
				"/etc/ssh/sshd_config", "/private/var/tmp/cydia.log", "/usr/libexec/ssh-keysign",
				"/Applications/MxTube.app", "/Applications/RockApp.app", "/Applications/WinterBoard.app",
				"/Applications/blackra1n.app", "/Library/MobileSubstrate/DynamicLibraries/Veency.plist",
				"/private/var/lib/apt", "/private/var/lib/cydia", "/private/var/mobile/Library/SBSettings/Themes",
				"/private/var/stash", "/usr/bin/sshd", "/usr/libexec/sftp-server", "/var/cache/apt",
				"/var/lib/apt", "/usr/sbin/frida-server", "/usr/bin/cycript", "/usr/local/bin/cycript",
				"/usr/lib/libcycript.dylib", "frida-server",
			} {
				if strings.Contains(s, m) {
					return true
				}
			}
			return false
		},
	},
}

Functions

func Analysis

func Analysis(command entities.Command, entity *entities.CodeAnalysis, adapter adapters.AdapterMap)

Types

type Level

type Level int

type Match

type Match func(string) bool

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
t or T : Toggle theme light dark auto
y or Y : Canonical URL