Ejemplo n.º 1
0
    def run(self):
        result = {
            "title": "Application Has Insecure ATS Configurations",
            "details": "",
            "severity": "Medium",
            "report": False
        }

        info_content = plist(self.info)

        Log.info("Parsing Info.plist file contents")
        ats_xml = plist_dict_to_xml(info_content, self._ats_key)

        Log.info("Analysing Info.plist file")
        if self._ats_key not in info_content or not info_content[
                self._ats_key]:
            result.update({
                "report":
                True,
                "details":
                "No evidence of ATS being implemented found."
            })

        if any(option in ats_xml for option in self._insecure_options):
            result.update({
                "report":
                True,
                "details":
                "The following insecure ATS configuration was \
found : {}".format(ats_xml)
            })

        return {"{}_result".format(self.name()): result}
Ejemplo n.º 2
0
    def run(self):
        result = {"print": "Could not find Info.plist."}

        Log.info("Looking for Info.plist file")
        app_path = application_path(self.unzipped_ipa)

        filename = "{}/Info.plist".format(app_path)
        if _exists(filename):
            Log.info("Parsing Info.plist file")
            # get plist info
            info_plist = plist(filename)
            identifier = info_plist["CFBundleIdentifier"]

            result = {"{}_info".format(identifier): info_plist}

            if hasattr(self, "output") and self.output:
                Log.info("Converting Info.plist to XML file")
                filename = "{}/{}.info.xml".format(self.output, identifier)
                with open(filename, "w") as fp:
                    fp.write(plist_dict_to_xml(info_plist))

                result.update({
                    "{}_info_file".format(identifier):
                    filename,
                    "print":
                    "Info file saved in {}.".format(filename)
                })

        return result
Ejemplo n.º 3
0
    def plist(self, plist_file_path):
        """
        Returns the contents of a plist file on the remote device

        :param str plist_file_path: the plist file to be read
        :return: returns a dict with the plist contents
        """
        from scrounger.utils.ios import plist
        from scrounger.utils.general import execute

        # get local file
        local_file = "/tmp/Info.plist"
        self.get(plist_file_path, local_file)
        plist_content = plist(local_file)

        # clean up tmp file
        execute("rm -rf {}".format(local_file))

        return plist_content
        """
Ejemplo n.º 4
0
    def run(self):
        result = {
            "title": "Application Uses Excessive Permissions",
            "details": "",
            "severity": "Medium",
            "report": False
        }

        ent_module = EModule()
        ent_module.binary = self.binary
        ent_result, entitlements = ent_module.run(), None
        for key in ent_result:
            if key.endswith("_entitlements"):
                entitlements = ent_result[key]

        if not entitlements:
            return {"print": "Couldn't get entitlements from binary."}

        Log.info("Analysing Entitlements")
        permissions = []
        if 'get-tasks-allow' in entitlements:
            permissions += ['get-tasks-allow']

        Log.info("Analysing Info.plist")
        info_content = plist(self.info)
        permissions += [
            permission for permission in self.excessive_permissions.split("|")
            if permission in info_content
        ]

        if permissions:
            result.update({
                "report": True,
                "details": "The following permissions were found: * {}".format(
                    "\n* ".join(sorted(permissions)))
            })

        return {
            "{}_result".format(self.name()): result
        }