Esempio n. 1
0
    def target(self, queue):
        # get all decompiled files that contains usage of TelephonyManager
        files = common.text_scan(common.java_files, self.telephonyManagerRegex)

        res = []
        count = 0
        for f in files:
            count += 1
            pub.sendMessage('progress', bar=self.getName(), percent=round(count * 100 / len(files)))

            # get decompiled file body
            fileName = f[1]
            with open(fileName, 'r') as fi:
                fileBody = fi.read()

            # report if file contains inline call
            if PluginUtil.contains(self.inlineRegex, fileBody):
                PluginUtil.reportInfo(fileName, self.PhoneIdentifierIssueDetails(fileName), res)
                break

            # report if any TelephonyManager variables invokes calls to get phone identifiers
            for varName in PluginUtil.returnGroupMatches(self.varNameRegex, 2, fileBody):
                if PluginUtil.contains(r'%s\.(getLine1Number|getDeviceId)\(.*?\)' % varName, fileBody):
                    PluginUtil.reportInfo(fileName, self.PhoneIdentifierIssueDetails(fileName), res)
                    break

        queue.put(res)
Esempio n. 2
0
    def target(self, queue):
        # get all decompiled files that contains usage of WebView
        files = common.text_scan(common.java_files, self.webViewRegex)

        res = []
        count = 0
        for f in files:
            count += 1
            pub.sendMessage('progress', bar=self.getName(), percent=round(count * 100 / len(files)))

            # get decompiled file body
            fileName = f[1]
            with open(fileName, 'r') as fi:
                fileBody = fi.read()

            # report if file contains any inline calls
            if PluginUtil.contains(self.inlineRegex, fileBody):
                PluginUtil.reportIssue(fileName, self.createIssueDetails(fileName), res)
                break

            # report if any WebView variables invoke calls
            for varName in PluginUtil.returnGroupMatches(self.varNameRegex, 2, fileBody):
                if PluginUtil.contains(r'%s\.addJavascriptInterface\(.*?\)' % varName, fileBody):
                    PluginUtil.reportIssue(fileName, self.createIssueDetails(fileName), res)
                    break

        queue.put(res)
Esempio n. 3
0
    def target(self, queue):
        files = common.java_files
        global filepath, tree
        parser = plyj.Parser()
        tree = ''
        res = []
        count = 0
        for f in files:
            count += 1
            pub.sendMessage('progress', bar=self.name, percent=round(count * 100 / len(files)))
            filepath = str(f)
            try:
                tree = parser.parse_file(f)
            except Exception as e:
                common.logger.exception(
                    "Unable to parse the file and generate as AST. Error: " + str(e))
                continue

            try:
                for import_decl in tree.import_declarations:
                    # Check if Intent is called in the import statement
                    if 'Intent' in import_decl.name.value:
                        with open(filepath, 'r') as r:
                            file_body = r.read()
                        if PluginUtil.contains(self.NEW_TASK, file_body):
                            PluginUtil.reportInfo(filepath, new_task(filepath), res)
                            break
                        if PluginUtil.contains(self.MULTIPLE_TASK_TASK, file_body):
                            PluginUtil.reportInfo(filepath, multiple_task(filepath), res)
                            break
            except Exception as e:
                common.logger.debug("Plyj parser failed while parsing the file: " + filepath + "\nError" + str(e))
                continue

        queue.put(res)
Esempio n. 4
0
def test_check_perm_regex7():
    assert PluginUtil.contains(plugin.CHECK_PERMISSION, 'SelfUriPermission') is False
Esempio n. 5
0
def test_check_perm_regex2():
    assert PluginUtil.contains(plugin.CHECK_PERMISSION, 'checkPermission') is True
Esempio n. 6
0
def testlog_regex():
    assert PluginUtil.contains(plugin.debug_regex, 'Log.d') is True
Esempio n. 7
0
def testlog_regex2():
    assert PluginUtil.contains(plugin.verbose_regex, 'Log.v') is True
Esempio n. 8
0
def testTelephonyManagerRegex():
    assert PluginUtil.contains(plugin.telephonyManagerRegex, 'import android.telephony.TelephonyManager') is True
Esempio n. 9
0
def test_regex5():
    assert not PluginUtil.contains(plugin.CHECK_PUBLIC_DIR, 'GetExternalStoragePublicDirectory')
Esempio n. 10
0
def test_regex2():
    text = 'intent.setFlags(Intent.FLAG_ACTIVITY_MULTIPLE_TASK);'
    assert not PluginUtil.contains(plugin.NEW_TASK, text)
Esempio n. 11
0
def test_regex():
    assert PluginUtil.contains(plugin.DEX_CLASS_LOADER, 'DexClassLoader') is True
Esempio n. 12
0
def test_regex5():
    assert PluginUtil.contains(plugin.DYNAMIC_BROADCAST_RECEIVER, 'RegisterReceiver') is False
Esempio n. 13
0
def test_regex3():
    assert PluginUtil.contains(plugin.CLASS_LOADER, 'Classload') is False
Esempio n. 14
0
def test_regex2():
    assert PluginUtil.contains(plugin.CLASS_LOADER, 'loadClass') is True
Esempio n. 15
0
def test_regex():
    text = 'intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);'
    assert PluginUtil.contains(plugin.NEW_TASK, text)
Esempio n. 16
0
def test_regex5():
    text = 'intent.setFlags(Intent.FLAGACTIVITYMULTIPLETASK);'
    assert not PluginUtil.contains(plugin.MULTIPLE_TASK, text)
Esempio n. 17
0
def test_enforce_perm_regex2():
    text = 'enforcePermission'
    assert PluginUtil.contains(plugin.ENFORCE_PERMISSION, text) is True
Esempio n. 18
0
def test_regex1():
    assert PluginUtil.contains(plugin.DEX_CLASS_LOADER, 'ClassLoader') is False
Esempio n. 19
0
def test_enforce_perm_regex8():
    text = 'enforcePermission("santos.benign.permission","Not allowed to start MyService")'
    assert PluginUtil.contains(plugin.ENFORCE_PERMISSION, text) is True
Esempio n. 20
0
def test_regex2():
    text = '"NtY163ManCAb"'
    assert not PluginUtil.contains(plugin.API_KEY_REGEX, text)
Esempio n. 21
0
def test_regex1():
    text = 'intent.setFlags(Intent.FLAGACTIVITYNEWTASK);'
    assert not PluginUtil.contains(plugin.NEW_TASK, text)
Esempio n. 22
0
def test_regex4():
    text = 'public static final String API_TOKEN = "1234thisisaninvalidapitoken937235"'
    assert PluginUtil.contains(plugin.API_KEY_REGEX, text)
Esempio n. 23
0
def testInlineWithoutPackageName():
    text = '((TelephonyManager)paramContext.getSystemService("phone")).getLine1Number();'
    assert PluginUtil.contains(plugin.inlineRegex, text) is True
Esempio n. 24
0
def test_regex5():
    text = 'public static final String API_TOKEN = "$%#%~!^"'
    assert PluginUtil.contains(plugin.SPECIAL_CHAR_REGEX, text)
Esempio n. 25
0
def testNotContains():
    assert PluginUtil.contains(r'test123', 'test321') is False
Esempio n. 26
0
def test_regex1():
    text = 'public static final String API_TOKEN = "Nti4kWY-qRHTYq3dsbeip0P1tbGCzs2BAY163ManCAb"'
    assert PluginUtil.contains(plugin.API_KEY_REGEX, text)
Esempio n. 27
0
def testlog_regex3():
    assert PluginUtil.contains(plugin.verbose_regex, 'v') is False
Esempio n. 28
0
def test_regex1():
    assert PluginUtil.contains(plugin.PATH_USAGE,
                               'android:pathPrefix=') is False
Esempio n. 29
0
def testlog_regex1():
    assert PluginUtil.contains(plugin.debug_regex, 'd') is False
Esempio n. 30
0
def test_regex2():
    assert PluginUtil.contains(plugin.PATH_USAGE,
                               'android:pathPattern') is False
Esempio n. 31
0
def test_check_perm_regex6():
    assert PluginUtil.contains(plugin.CHECK_PERMISSION, 'checkCalling') is False
Esempio n. 32
0
def test_regex3():
    text = "android:launchMode='singleTask'"
    assert PluginUtil.contains(plugin.LAUNCH_MODE, text) is True
Esempio n. 33
0
def test_enforce_perm_regex1():
    text = 'enforceCallingOrSelfUriPermission'
    assert PluginUtil.contains(plugin.ENFORCE_PERMISSION, text) is True
Esempio n. 34
0
def test_regex4():
    text = 'android:launchMode="singleTask"'
    assert PluginUtil.contains(plugin.LAUNCH_MODE, text) is True
Esempio n. 35
0
def test_enforce_perm_regex6():
    text = 'enforceCallingPermission'
    assert PluginUtil.contains(plugin.ENFORCE_PERMISSION, text) is False
Esempio n. 36
0
def test_regex5():
    text = "android:allowTaskReparenting='true'"
    assert PluginUtil.contains(plugin.TASK_REPARENTING, text) is True
Esempio n. 37
0
def test_check_perm_regex1():
    assert PluginUtil.contains(plugin.CHECK_PERMISSION, 'checkCallingOrSelfUriPermission') is True
Esempio n. 38
0
def test_regex6():
    text = 'android:allowTaskReparenting="true"'
    assert PluginUtil.contains(plugin.TASK_REPARENTING, text) is True
Esempio n. 39
0
def test_regex5():
    text = 'intent.setFlags(Intent.FLAGACTIVITYMULTIPLETASK);'
    assert not PluginUtil.contains(plugin.MULTIPLE_TASK, text)
Esempio n. 40
0
def test_regex8():
    text = '<receiver android:name=".FormatOutgoingCallReceiver" android:enabled="true" android:exported="true"'
    assert PluginUtil.contains(plugin.RECEIVER_REGEX, text) is False
Esempio n. 41
0
def test_regex3():
    assert not PluginUtil.contains(plugin.CHECK_EXTERNAL_MEDIA, 'GetExternalMediaDirs')
Esempio n. 42
0
def test_regex11():
    text = 'Priority'
    assert PluginUtil.contains(plugin.PRIORITY_REGEX, text) is False
Esempio n. 43
0
def test_regex():
    assert PluginUtil.contains(plugin.CHECK_EXTERNAL_STORAGE, 'getExternalFilesDir')
Esempio n. 44
0
    def target(self, queue):
        global filepath, tree
        files = common.java_files
        parser = plyj.Parser()
        tree = ''
        external_pub_dir, external_media, external_storage, res = (
            [] for _ in xrange(4))
        count = 0
        for f in files:
            count += 1
            pub.sendMessage('progress',
                            bar=self.name,
                            percent=round(count * 100 / len(files)))
            filepath = str(f)
            try:
                tree = parser.parse_file(f)
            except Exception as e:
                common.logger.exception(
                    "Unable to parse the file and generate as AST. Error: " +
                    str(e))
                continue
            try:
                for import_decl in tree.import_declarations:
                    if 'File' in import_decl.name.value:
                        with open(filepath, 'r') as fr:
                            file_body = fr.read()
                        if PluginUtil.contains(self.CHECK_EXTERNAL_STORAGE,
                                               file_body):
                            external_storage.append(filepath)
                            break

                        if PluginUtil.contains(self.CHECK_EXTERNAL_MEDIA,
                                               file_body):
                            external_media.append(filepath)
                            break

                        if PluginUtil.contains(self.CHECK_PUBLIC_DIR,
                                               file_body):
                            external_pub_dir.append(filepath)
                            break

            except Exception as e:
                common.logger.debug(
                    "Plyj parser failed while parsing the file: " + filepath +
                    "\nError" + str(e))
                continue

        # Store the content obtained above in a column format
        storage = "\n".join(external_storage)
        media = "\n".join(external_media)
        pub_dir = "\n".join(external_pub_dir)

        if external_storage:
            PluginUtil.reportWarning(filepath, check_external_storage(storage),
                                     res)

        if external_media:
            PluginUtil.reportWarning(filepath, check_media_directory(media),
                                     res)

        if external_pub_dir:
            PluginUtil.reportWarning(filepath, check_public_directory(pub_dir),
                                     res)

        queue.put(res)
Esempio n. 45
0
def testInlineGetDeviceId():
    text = '((android.telephony.TelephonyManager)paramContext.getSystemService("phone")).getDeviceId();'
    assert PluginUtil.contains(plugin.inlineRegex, text) is True
Esempio n. 46
0
def test_regex1():
    text = 'call(String method, String args, Bundle extras)'
    assert PluginUtil.contains(plugin.CALL_FUNCTION, text)
Esempio n. 47
0
def test_regex():
    text = 'call'
    assert PluginUtil.contains(plugin.CALL_FUNCTION, text)
Esempio n. 48
0
def testContains():
    assert PluginUtil.contains(r'test123', 'test123') is True