Horusec Mobile (Java e Kotlin)
O que é?
O Horusec-Kotlin e o Horusec-Java são ferramentas SAST criadas pela equipe do Horusec para fazer a busca de vulnerabilidades em projetos Kotlin e Java.
Você pode aplicar regras especificas para suas linguagens e também identificar algumas regras genéricas para aplicações mobile que utilizam Kotlin/Java para Android ou IOS.
Exemplos de vulnerabilidades
No Log Sensitive Information
The App logs information. Sensitive information should never be logged. For more information checkout the CWE-532 (https://cwe.mitre.org/data/definitions/532.html) advisory.
Example of a vulnerable code:
const DatabaseURI = "..."
Log.info("Connection string of the database: " + DatabaseURI)
HTTP Requests, Connections and Sessions
No uses Http request, connections and sessions with insecure.
Example of a vulnerable code:
import http.client.HttpClient
No uses safety API
No uses safety api in your application.
Example of a vulnerable code:
import com.google.android.gms.safetynet.SafetyNetApi
No uses Content Provider
No uses Content Provider.
Example of a vulnerable code:
import android.content.ContentProvider
No Use With Unsafe Bytes
Using this implementation of ‘.withUnsafeBytes’ can lead to the compiler’s decision to use unsafe APIs, such as _malloc and _strcpy, as the method calls closing with an UnsafeRawBufferPointer. For more information checkout the CWE-789 advisory.
Local File I/O Operations
No use operations of input or output in files.
Example of a vulnerable code:
var query: [String: Any] = [kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlocked]
WebView Component
No use WebView Component.
Encryption API
No use Encryption API with vulnerabilities.
No Use Prohibited APIs
The application may contain prohibited APIs. These APIs are insecure and should not be used. For more information checkout the CWE-676 (https://cwe.mitre.org/data/definitions/676.html) advisory.
strcpymemcpystrcatstrncatstrncpysprintfvsprintf
Application allow MITM attacks
UIWebView in application ignoring errors SSL
The in-app UIWebView ignores SSL errors and accepts any SSL certificate. The application is vulnerable to attacks from MITM (Man-In-The-Middle). For more information checkout the CWE-295 (https://cwe.mitre.org/data/definitions/295.html) advisory.
No List changes on the clipboard
The application allows you to list the changes on the Clipboard. Some malware also lists changes to the Clipboard.
Exemplo de código vulnerável:
const NSNotificationName UIPasteboardChangedNotification
The application is using SQLite
The application is using SQLite. Confidential information must be encrypted.
Example of a vulnerable code:
sqlite3_exec(...)
No use NSTemporaryDirectory
User use in “NSTemporaryDirectory ()” is unreliable, it can result in vulnerabilities in the directory. For more information checkout the CWE-22 (https://cwe.mitre.org/data/definitions/22.html) advisory.
Example of a vulnerable code:
const tempDirectory NSTemporaryDirectory
No copies data to the Clipboard
The application copies data to the Clipboard. Confidential data must not be copied to the Clipboard, as other applications can access it. For more information checkout the CWE-327 (https://cwe.mitre.org/data/definitions/327.html) advisory.
Example of a vulnerable code:
var clipboard UIPasteboard
No Download File Using Android Download Manager
This App downloads files using Android Download Manager.
import android.app.DownloadManager;
Android Keystore
No use Android Keystore to manager.
Android Notifications
No read android notifications
Potential Android SQL Injection
The input values included in SQL queries need to be passed in safely. Bind variables in prepared statements can be used to easily mitigate the risk of SQL injection. For more information checkout the CWE-89 (https://cwe.mitre.org/data/definitions/89.html) advisory and OWASP: Top 10 2017-A1-Injection.
Example of a vulnerable code:
String query = "SELECT * FROM messages WHERE uid= '"+userInput+"'" ;
Cursor cursor = this.getReadableDatabase().rawQuery(query,null);
Example of an invulnerable code:
String query = "SELECT * FROM messages WHERE uid= ?" ;
Cursor cursor = this.getReadableDatabase().rawQuery(query,new String[] {userInput});
SQL Injection With SQLite
App uses SQLite Database and execute raw SQL query. Untrusted user input in raw SQL queries can cause SQL Injection. Also sensitive information should be encrypted and written to the database. For more information checkout the CWE-89 (https://cwe.mitre.org/data/definitions/89.html) advisory and OWASP: Top 10 2017-A1-Injection..
Example of a vulnerable code:
import android.database.sqlite;
...
String query = "SELECT * FROM messages WHERE uid= '"+userInput+"'" ;
Cursor cursor = conn.rawQuery(query,null);
Example of an invulnerable code:
import android.database.sqlite;
...
String query = "SELECT * FROM messages WHERE uid= ?" ;
Cursor cursor = conn.rawQuery(query,new String[] {userInput});
WebView GET Request
WebView POST Request
Base64 Decode
Basic authentication’s only means of obfuscation is Base64 decoding. Since Base64 decoding is easily recognized and reversed, it offers only the thinnest veil of protection to your users, and should not be used. For more information checkout the OWASP Top Ten 2017 A3(https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure.html) advisory and CWE-522 (https://cwe.mitre.org/data/definitions/522.html).
Example of a vulnerable code:
var password = "PASSWORD_IN_BASE64";
String passwordDecoded = Base64Encoder.decode(password);
WebView Load Request
WebView Load Request
Cookie Storage
No use cookie storage to save sensitive information. NSHTTPCookieStorage. sharedHTTPCookieStorage
28 Set or Read Clipboard
Using LoadHTMLString can result Inject
User input not sanitized in ‘loadHTMLString’ can result in an injection of JavaScript in the context of your application, allowing access to private data. For more information checkout the CWE-95 (https://cwe.mitre.org/data/definitions/95.html) advisory.
No Use SFAntiPiracy Jailbreak
Verifications found of type SFAntiPiracy Jailbreak.
Send SMS
This App is send sms without security.
Example of a vulnerable code:
import telephony.SmsManager
No Use SFAntiPiracy IsPirated
Verifications found of type SFAntiPiracy isPirated.
Weak md5 hash using
MD5 is a weak hash, which can generate repeated hashes. For more information checkout the CWE-327 (https://cwe.mitre.org/data/definitions/327.html) advisory.
Weak sha1 hash using
SHA1 is a weak hash, which can generate repeated hashes. For more information checkout the CWE-327 (https://cwe.mitre.org/data/definitions/327.html) advisory.
Weak ECB encryption algorithm using
The application uses ECB mode in the encryption algorithm. It is known that the ECB mode is weak, as it results in the same ciphertext for identical blocks of plain text. For more information checkout the CWE-327 (https://cwe.mitre.org/data/definitions/327.html) advisory.
The application has anti-debugger using ptrace()
The application has anti-debugger using ptrace().
Super User Privileges
This App may request root (Super User) privileges. For more information checkout the CWE-250 (https://cwe.mitre.org/data/definitions/250.html) advisory.
Example of a vulnerable code:
import com.noshufou.android.su
Send SMS
Send SMS. For more information checkout the OWASP-M3 advisory.
Base64 Encode
Basic authentication’s only means of obfuscation is Base64 encoding. Since Base64 encoding is easily recognized and reversed, it offers only the thinnest veil of protection to your users, and should not be used. For more information checkout the OWASP Top Ten 2017 A3(https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure.html) advisory and CWE-522 (https://cwe.mitre.org/data/definitions/522.html).
Example of a vulnerable code:
// Using HttpPost from Apache HttpClient
String encoding = Base64Encoder.encode ("login:passwd");
org.apache.http.client.methods.HttpPost httppost = new HttpPost(url);
httppost.setHeader("Authorization", "Basic " + encoding); // Noncompliant
GPS Location Known
No use GPS Location to get last known location.
Jailbreak Detection Methods
The application may contain Jailbreak detection mechanisms.
Possible vulnerabilities when use:
/Applications/Cydia.app
/Applications/FakeCarrier.app
/Applications/Icy.app
/Applications/IntelliScreen.app
/Applications/SBSettings.app
/etc/apt
/Library/MobileSubstrate/DynamicLibraries/LiveClock.plist
/Library/MobileSubstrate/MobileSubstrate.dylib
/Library/MobileSubstrate/DynamicLibraries/Veency.plist
/System/Library/LaunchDaemons/com.ikey.bbot.plist
/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist
/etc/ssh/sshd_config
/Applications/MxTube.app
/Applications/RockApp.app
/Applications/WinterBoard.app
/Applications/blackra1n.app
/private/var/tmp/cydia.log
/private/var/lib/apt
/private/var/lib/cydia
/private/var/mobile/Library/SBSettings/Themes
/private/var/stash
/var/lib/cydia
/var/cache/apt
/var/lib/apt
/usr/sbin/sshd
/usr/sbin/frida-server
/usr/libexec/ssh-keysign
/usr/libexec/sftp-server
/usr/bin/sshd
/usr/bin/cycript
/usr/local/bin/cycript
/usr/lib/libcycript.dylib
cydia://
frida-server
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.