Documentation ¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
View Source
var APIs = []entities.ApiMatcher{ { ApiRule: entities.ApiRule{ Description: "Network Calls", }, Match: func(s string) bool { r, _ := regexp.MatchString(`NSURL|CFStream|NSStream`, s) return r }, }, {ApiRule: entities.ApiRule{ Description: "Local File I/O Operations.", }, Match: func(s string) bool { r, _ := regexp.MatchString( `Keychain|kSecAttrAccessibleWhenUnlocked|kSecAttrAccessibleAfterFirstUnlock|SecItemAdd|`+` SecItemUpdate|NSDataWritingFileProtectionComplete`, s) return r }, }, { ApiRule: entities.ApiRule{ Description: "WebView Component", }, Match: func(s string) bool { r, _ := regexp.MatchString("UIWebView", s) return r }, }, { ApiRule: entities.ApiRule{ Description: "Encryption API", }, Match: func(s string) bool { r, _ := regexp.MatchString("RNEncryptor|RNDecryptor|AESCrypt", s) return r }, }, { ApiRule: entities.ApiRule{ Description: "Keychain Access", }, Match: func(s string) bool { return strings.Contains(s, "PDKeychainBindings") }, }, { ApiRule: entities.ApiRule{ Description: "WebView Load Request", }, Match: func(s string) bool { return strings.Contains(s, "loadRequest") && strings.Contains(s, "webView") }, }, }
View Source
var Rules = [...]entities.CodeMatcher{ { CodeRule: entities.CodeRule{ Description: "The App may contain banned API(s). These API(s) are insecure and must not be used.", Level: entities.HighLevel, Cvss: 2.2, Cwe: "CWE-676", }, Match: func(s string) bool { r, _ := regexp.MatchString(`strcpy|memcpy|strcat|strncat|strncpy|sprintf|vsprintf|gets`, s) return r }, }, { CodeRule: entities.CodeRule{ Description: "App allows self signed or invalid SSL certificates. App is vulnerable to MITM attacks.", Level: entities.HighLevel, Cvss: 7.4, Cwe: "CWE-295", }, Match: func(s string) bool { r, _ := regexp.MatchString( `canAuthenticateAgainstProtectionSpace|continueWithoutCredentialForAuthenticationChallenge|`+ `kCFStreamSSLAllowsExpiredCertificates|kCFStreamSSLAllowsAnyRoot|`+ `kCFStreamSSLAllowsExpiredRoots|validatesSecureCertificate\s*=\s*(no|NO)|`+ `allowInvalidCertificates\s*=\s*(YES|yes)`, s) return r }, }, { CodeRule: entities.CodeRule{ Description: "UIWebView in App ignore SSL errors and accept any SSL Certificate. App is vulnerable to MITM attacks.", Level: entities.HighLevel, Cvss: 7.4, Cwe: `CWE-295`, }, Match: func(s string) bool { r, _ := regexp.MatchString( `setAllowsAnyHTTPSCertificate:\s*YES|allowsAnyHTTPSCertificateForHost|`+ `loadingUnvalidatedHTTPSPage\s*=\s*(YES|yes)`, s) return r }, }, { CodeRule: entities.CodeRule{ Description: "Files may contain hardcoded sensitive informations like usernames, passwords, keys etc.", Level: entities.HighLevel, Cvss: 7.4, Cwe: "CWE-312", }, Match: func(s string) bool { r, _ := regexp.MatchString( `(password\s*=\s*@*\s*['|"].+['|"]\s{0,5})|(pass\s*=\s*@*\s*['|"].+['|"]\s{0,5})|`+ `(username\s*=\s*@*\s*['|"].+['|"]\s{0,5})|(secret\s*=\s*@*\s*['|"].+['|"]\s{0,5})|`+ `(key\s*=\s*@*\s*['|"].+['|"]\s{0,5})`, strings.ToLower(s)) return r }, }, { CodeRule: entities.CodeRule{ Description: "IP Address disclosure", Level: entities.WarningLevel, Cvss: 4.3, Cwe: "CWE-200", }, Match: func(s string) bool { r, _ := regexp.MatchString(`\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}`, s) return r }, }, { CodeRule: entities.CodeRule{ Description: "The App logs information. Sensitive information should never be logged.", Level: entities.InfoLevel, Cvss: 7.5, Cwe: "CWE-532", }, Match: func(s string) bool { r, _ := regexp.MatchString(`NSLog|NSAssert|fprintf|Logging`, s) return r }, }, { CodeRule: entities.CodeRule{ Description: "This app listens to Clipboard changes. Some malwares also listen to Clipboard changes.", Level: entities.WarningLevel, Cvss: 0., Cwe: "", }, Match: func(s string) bool { r, _ := regexp.MatchString(`UIPasteboardChangedNotification|generalPasteboard]\.string`, s) return r }, }, { CodeRule: entities.CodeRule{ Description: "App uses SQLite Database. Sensitive Information should be encrypted.", Level: entities.InfoLevel, Cvss: 0., Cwe: "", }, Match: func(s string) bool { return strings.Contains(s, "sqlite3_exec") }, }, { CodeRule: entities.CodeRule{ Description: "Untrusted user input to \"NSTemporaryDirectory()\" will result in path traversal vulnerability.", Level: entities.WarningLevel, Cvss: 7.5, Cwe: "CWE-22", }, Match: func(s string) bool { return strings.Contains(s, "NSTemporaryDirectory()") }, }, { CodeRule: entities.CodeRule{ Description: "User input in \"loadHTMLString\" will result in JavaScript Injection.", Level: entities.WarningLevel, Cvss: 8.8, Cwe: "CWE-95", }, Match: func(s string) bool { return strings.Contains(s, "loadHTMLString") && strings.Contains(s, "webView") }, }, { CodeRule: entities.CodeRule{ Description: "SFAntiPiracy Jailbreak checks found", Level: entities.GoodLevel, Cvss: 0, Cwe: "", }, Match: func(s string) bool { return strings.Contains(s, "SFAntiPiracy.h") && strings.Contains(s, "SFAntiPiracy") && strings.Contains(s, "isJailbroken") }, }, { CodeRule: entities.CodeRule{ Description: "SFAntiPiracy Piracy checks found", Level: entities.GoodLevel, Cvss: 0, Cwe: "", }, Match: func(s string) bool { return strings.Contains(s, "SFAntiPiracy.h") && strings.Contains(s, "SFAntiPiracy") && strings.Contains(s, "isPirated") }, }, { CodeRule: entities.CodeRule{ Description: "MD5 is a weak hash known to have hash collisions.", Level: entities.HighLevel, Cvss: 7.4, Cwe: "CWE-327", }, Match: func(s string) bool { return strings.Contains(s, "CommonDigest.h") && strings.Contains(s, "CC_MD5") }, }, { CodeRule: entities.CodeRule{ Description: "SHA1 is a weak hash known to have hash collisions.", Level: entities.HighLevel, Cvss: 7.4, Cwe: "CWE-327", }, Match: func(s string) bool { return strings.Contains(s, "CommonDigest.h") && strings.Contains(s, "CC_SHA1") }, }, { CodeRule: entities.CodeRule{ Description: "The App uses ECB mode in Cryptographic encryption algorithm. ECB mode is known to be weak as it " + "results in the same ciphertext for identical blocks of plaintext.", Level: entities.HighLevel, Cvss: 5.9, Cwe: "CWE-327", }, Match: func(s string) bool { return strings.Contains(s, "kCCOptionECBMode") && strings.Contains(s, "kCCAlgorithmAES") }, }, { CodeRule: entities.CodeRule{ Description: "The App has anti-debugger code using ptrace()", Level: entities.HighLevel, Cvss: 0, Cwe: "", }, Match: func(s string) bool { return strings.Contains(s, "ptrace_ptr") && strings.Contains(s, "PT_DENY_ATTACH") }, }, { CodeRule: entities.CodeRule{ Description: "This App has anti-debugger code using Mach Exception Ports.", Level: entities.InfoLevel, Cvss: 0, Cwe: "", }, Match: func(s string) bool { return strings.Contains(s, "mach/mach_init.h") && (strings.Contains(s, "MACH_PORT_VALID") || strings.Contains(s, "mach_task_self()")) }, }, { CodeRule: entities.CodeRule{ Description: "This App copies data to clipboard. Sensitive data should not be copied to clipboard as other " + "applications can access it.", Level: entities.InfoLevel, Cvss: 0, Cwe: "", }, Match: func(s string) bool { return strings.Contains(s, "UITextField") && (strings.Contains(s, "@select(cut:)") || strings.Contains(s, "@select(copy:)")) }, }, { CodeRule: entities.CodeRule{ Description: "This App may have Jailbreak detection capabilities.", Level: entities.GoodLevel, Cvss: 0, Cwe: "", }, Match: func(s string) bool { for _, m := range []string{ "/Applications/Cydia.app", "/Library/MobileSubstrate/MobileSubstrate.dylib", "/usr/sbin/sshd", "/etc/apt", "cydia://", "/var/lib/cydia", "/Applications/FakeCarrier.app", "/Applications/Icy.app", "/Applications/IntelliScreen.app", "/Applications/SBSettings.app", "/Library/MobileSubstrate/DynamicLibraries/LiveClock.plist", "/System/Library/LaunchDaemons/com.ikey.bbot.plist", "/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist", "/etc/ssh/sshd_config", "/private/var/tmp/cydia.log", "/usr/libexec/ssh-keysign", "/Applications/MxTube.app", "/Applications/RockApp.app", "/Applications/WinterBoard.app", "/Applications/blackra1n.app", "/Library/MobileSubstrate/DynamicLibraries/Veency.plist", "/private/var/lib/apt", "/private/var/lib/cydia", "/private/var/mobile/Library/SBSettings/Themes", "/private/var/stash", "/usr/bin/sshd", "/usr/libexec/sftp-server", "/var/cache/apt", "/var/lib/apt", "/usr/sbin/frida-server", "/usr/bin/cycript", "/usr/local/bin/cycript", "/usr/lib/libcycript.dylib", "frida-server", } { if strings.Contains(s, m) { return true } } return false }, }, }
Functions ¶
func Analysis ¶
func Analysis(command entities.Command, entity *entities.CodeAnalysis, adapter adapters.AdapterMap)
Types ¶
Click to show internal directories.
Click to hide internal directories.