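    def scan(self):
        """Find every ``ADBMobileConfig.json`` in the archive and report issues.

        Opens ``self.filename`` with ``TruegazeUtils.open_file_as_zip`` and
        stores the handle in ``self.zip_file``, collects candidate config
        paths with ``AdobeMobileSdkPlugin.get_paths``, parses each one with
        ``AdobeMobileSdkPlugin.parse_data`` and prints whatever
        ``AdobeMobileSdkPlugin.validate`` returns. All output goes through
        ``click.echo``; nothing is returned.
        """
        # On Android, the config file is usually in the assets folder but can
        # be placed elsewhere. On iOS the configuration file can be anywhere,
        # so every archive path is searched instead of one fixed location.

        # Load file. NOTE(review): no None check here — the CLI driver is
        # expected to have already rejected archives that do not open.
        self.zip_file = TruegazeUtils.open_file_as_zip(self.filename)

        # Search all paths for the config file
        paths = AdobeMobileSdkPlugin.get_paths(self.zip_file)
        if not paths:
            click.echo(
                '-- Cannot find the "ADBMobileConfig.json" file, skipping')
            return

        # Loop through files, parse the JSON and analyze
        click.echo('-- Found ' + str(len(paths)) + ' configuration file(s)')
        for path in paths:
            # `path` is an archive member name taken from the untrusted
            # APK/IPA and is echoed verbatim. The closing quote was a
            # mismatched ' in the original message; both are now ".
            click.echo('-- Scanning "' + path + '"')

            # Try to parse the data. A falsy result is treated as a parse
            # failure; NOTE(review): an empty-but-valid JSON object would be
            # reported the same way — confirm parse_data's contract.
            parsed_data = AdobeMobileSdkPlugin.parse_data(self.zip_file, path)
            if not parsed_data:
                click.echo(
                    '---- ERROR: Unable to parse config file - will skip. File: '
                    + path)
                continue

            # Validate the file and print one line per finding
            messages = AdobeMobileSdkPlugin.validate(parsed_data)
            if messages:
                click.echo("-- Found " + str(len(messages)) + ' issues')
                for message in messages:
                    click.echo(message)
            else:
                click.echo("-- No issues found")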
def scan(filenames):
    """Scan the provided files for vulnerabilities.

    For each path in ``filenames``: open it as a ZIP with
    ``TruegazeUtils.open_file_as_zip`` (the process exits with -1 if that
    fails), look for an Android or iOS manifest (exit -2 if neither is found;
    Android takes precedence when both are present), then run every plugin in
    ``ACTIVE_PLUGINS`` whose ``is_os_supported()`` is true. Progress is written
    with ``click.echo``. Nothing is returned.
    """
    for target in filenames:
        click.echo('\nProcessing file: ' + target)

        # APK and IPA are both ZIP containers. A file that does not open as
        # one aborts the whole run, not just this entry.
        archive = TruegazeUtils.open_file_as_zip(target)
        if archive is None:
            click.echo(
                'ERROR: Unable to open file - please check to make sure it is an APK or IPA file'
            )
            sys.exit(-1)

        # Platform detection. The Android manifest is consulted first, so an
        # archive that carries both manifests is classified as Android.
        android_path = TruegazeUtils.get_android_manifest(archive)
        ios_path = TruegazeUtils.get_ios_manifest(archive)
        is_android = bool(android_path)
        is_ios = not is_android and bool(ios_path)

        if is_android:
            click.echo(
                'Identified as an Android application via a manifest located at: '
                + android_path)
        elif is_ios:
            click.echo(
                'Identified as an iOS application via a manifest located at: '
                + ios_path)
        else:
            click.echo(
                'ERROR: Unable to identify the file as an Android or iOS application'
            )
            sys.exit(-2)

        # Hand the path (not the open handle) to each plugin; plugins reopen
        # the archive themselves.
        # TODO: Add tests
        for plugin_cls in ACTIVE_PLUGINS:
            click.echo()
            click.echo('Scanning using the "' + plugin_cls.name + '" plugin')
            plugin = plugin_cls(target, is_android, is_ios)
            if not plugin.is_os_supported():
                click.echo('-- OS is not supported by this plugin, skipping')
                continue
            plugin.scan()

    click.echo("Done!")
 def test_valid_zip(self):
     """A well-formed in-memory ZIP must be accepted (result is not None)."""
     buffer = io.BytesIO()
     # Build a minimal archive with a single member, closing it so the
     # central directory is written before the helper reads it.
     with ZipFile(buffer, 'a') as archive:
         archive.writestr('testfile', 'testdata')
     result = TruegazeUtils.open_file_as_zip(buffer)
     assert result is not None
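 def test_invalid_not_zip(self):
     """A payload that is not a ZIP archive must yield None, not raise.

     The original case passes a text stream, which exercises the helper's
     handling of a wrong stream type as much as its handling of bad content.
     A binary stream of non-ZIP bytes is added because that is what a
     malformed or mislabelled APK/IPA actually looks like on disk.
     """
     assert TruegazeUtils.open_file_as_zip(
         io.StringIO('foobar data')) is None
     assert TruegazeUtils.open_file_as_zip(
         io.BytesIO(b'foobar data')) is None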
 def test_invalid_empty(self):
     """A zero-length binary stream must be rejected with None."""
     empty_stream = io.BytesIO()
     result = TruegazeUtils.open_file_as_zip(empty_stream)
     assert result is None
 def test_not_found(self):
     """A path that does not exist must be reported as None, not raised."""
     missing_path = 'blablabla'
     result = TruegazeUtils.open_file_as_zip(missing_path)
     assert result is None