2.4安全扫描的实现方案


静态扫描

静态扫描需要预先用规则描述每一类漏洞的代码或配置特征，然后在扫描从 APK 解析、反编译得到的 Manifest 信息和 Java 源码时，把命中的片段捕获出来；我们使用 Python 标准库的 re（正则表达式）模块来实现这些规则。值得一提的是，同一套正则不仅用于匹配漏洞模式，还用于提取应用的基本信息，如版本号、minSdk/targetSdk 版本、包名、主 Activity 等。需要注意的是，基于正则的文本匹配只能识别特定写法，无法理解程序语义：敏感值经变量传递、反射调用或代码混淆后都可能漏报，而关键字出现在注释或无关字符串中则会误报。因此扫描结果应视为待人工确认的线索，而不是最终结论。

详细的静态扫描漏洞清单请参见第三章。下面列出各项检测所使用的正则表达式，代码注释中的编号即为对应的检测项编号：

# 正则表达式类
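class Regex:
    """Compiled regular expressions used by the static scanner.

    Every attribute is a pre-compiled ``re`` pattern.  The ``NNNNN.`` prefix in
    each comment is the id of the corresponding detection item in the
    vulnerability list (see chapter 3).  The patterns are run over text derived
    from the APK (manifest / SDK-version dump and decompiled Java source), so
    they are purely lexical heuristics: a match means "this construct occurs in
    the text", not that the code is reachable or exploitable, and variants that
    pass the sensitive value through a variable, reflection or obfuscation are
    not recognised.  Capture-group numbering is part of the scanner's interface
    and is kept stable.
    """

    # 01001. APK file name, taken from the apk_sources/ input path.
    file_name_pattern = re.compile(r'apk_sources/(.*?\.apk)')
    # 01004. Package name (the package="..." attribute of <manifest>).
    package_pattern = re.compile(r'package="(.*?)"')
    # 01005. Launcher activity.  group(1) is the android:name of the
    # <activity> / <activity-alias> whose OWN element contains
    # android.intent.action.MAIN.  The opening tag must not be self-closing and
    # the tempered "." stops at the next activity start/end tag, so the search
    # can no longer run from the first activity in the manifest across to a
    # MAIN filter declared on a later one (which reported the wrong name).
    main_activity_pattern = re.compile(
        r'<activity(?:-alias)?\b[^>]*?android:name="([^"]*)"(?:"[^"]*"|[^"/>])*>'
        r'(?:(?!</activity|<activity\b).)*?android\.intent\.action\.MAIN',
        re.S)
    # 01006 / 01007. minSdkVersion / targetSdkVersion, read from lines of the
    # form "minSdkVersion: '21'" (presumably an `aapt dump badging` dump -
    # verify against the caller that produces this text).
    min_sdk_pattern = re.compile(r'minSdkVersion: \'(\d*)\'')
    target_sdk_pattern = re.compile(r'targetSdkVersion: \'(\d*)\'')
    # 02001. Every android.permission.* name mentioned (requested or declared).
    permission_pattern = re.compile(r'android\.permission\.(\w*)', re.M)
    # 03001 - 03004. android:name of each of the four component types.
    activity_pattern = re.compile(r'<activity.*?android:name="(.*?)"', re.S)
    service_pattern = re.compile(r'<service.*?android:name="(.*?)"', re.S)
    receiver_pattern = re.compile(r'<receiver.*?android:name="(.*?)"', re.S)
    provider_pattern = re.compile(r'<provider.*?android:name="(.*?)"', re.S)
    # 04001. Custom <permission> elements that declare a permissionGroup
    # (group(1) = whole element, group(2) = the group name).
    permission_group_pattern = re.compile(r'(<permission.*?android:permissionGroup="(.*?)".*?>)', re.S)
    # 04002. Use of system permissions - reuses permission_pattern (02001).
    # 04003. protectionLevel of custom permissions (group(1) = element,
    # group(2) = level).  A level weaker than "signature" on a permission that
    # guards an exported component deserves a closer look.
    protection_level_pattern = re.compile(r'(<permission.*?android:protectionLevel="(.*?)".*?>)', re.S)
    # 04004. sharedUserId="android.uid.system" only; other shared uids are not
    # flagged by this rule.
    shared_user_id_pattern = re.compile(r'<manifest.*?android:sharedUserId="android.uid.system".*?>', re.S)
    # 04005. allowBackup="true".  NOTE: Android's default for allowBackup is
    # true, so a manifest that simply omits the attribute is just as backup-able
    # but is NOT caught by this rule - treat absence as a finding as well.
    # No re.S: the whole <application ...> tag is expected on a single line.
    allowbackup_pattern = re.compile(r'<application.*android:allowBackup="true".*?>')
    # 04006. debuggable="true" (the default is false, so absence is fine here).
    debuggable_pattern = re.compile(r'<application.*android:debuggable="true".*?>')
    # 05001 - 05004. Component export checks.  group(1) is the text from the
    # opening tag up to the first "/>"; for a component with child elements
    # that span runs into the children (up to the first self-closing child),
    # which is presumably how component_filter_pattern gets to see an
    # <intent-filter> - confirm in the caller.  Remember that, for
    # targetSdk < 31, a component that has an intent-filter but no explicit
    # android:exported is exported by default.
    activity_component_pattern = re.compile(r'<activity(.*?)/>', re.S)
    service_component_pattern = re.compile(r'<service(.*?)/>', re.S)
    receiver_component_pattern = re.compile(r'<receiver(.*?)/>', re.S)
    provider_component_pattern = re.compile(r'<provider(.*?)/>', re.S)

    # Helpers applied to the span captured by the *_component_pattern above.
    component_name_pattern = re.compile(r'android:name="(.*?)"', re.S)
    component_exported_pattern = re.compile(r'android:exported="(.*?)"', re.S)
    component_filter_pattern = re.compile(r'intent-filter', re.S)
    component_permission_pattern = re.compile(r'android:permission="(.*?)"', re.S)

    # 05005. Provider grantUriPermissions="true" (URI permission grants can be
    # abused to reach otherwise protected provider paths).
    provider_grant_uri_permission_pattern = re.compile(r'android:grantUriPermissions="true"', re.S)

    # 05006. Intent-based attacks on activities: the full <activity>...</activity>
    # element, then BROWSABLE inside it (reachable from a web page).
    activity_double_tag_pattern = re.compile(r'<activity.*?</activity>', re.S)
    activity_intent_browsable_pattern = re.compile(r'android.intent.category.BROWSABLE', re.S)

    # 05007. Intent scheme URL attack: Intent.parseUri(...) assigned to a local
    # (group(1) = the variable name, for follow-up tracing).
    is_exist_intent_parseuri_pattern = re.compile(r'Intent +(\w+) *= *Intent\.parseUri', re.M)

    # 05008. Local denial of service: Intents created / received into a local
    # (group(1) = the variable name); unchecked getXxxExtra() on it can crash.
    new_intent_pattern = re.compile(r'Intent +(\w+) *= *new +Intent', re.M)
    get_intent_pattern = re.compile(r'Intent +(\w+) *= *getIntent', re.M)

    # 05010. Debug / test components left in the build.  Bare substring match,
    # so "latest", "contest", "attestation" ... also hit; noisy unless it is
    # applied to component names only - confirm in the caller.
    debug_test_pattern = re.compile(r'debug|test', re.M | re.I)

    # 06001. WebView remote code execution: addJavascriptInterface() and the
    # loadUrl() calls that feed it (group(1) = the statement).
    webview_addjs_pattern = re.compile(r'(\S+\.addJavascriptInterface.*);', re.M)
    webview_loadurl_pattern = re.compile(r'(\S+\.loadUrl.*);', re.M)

    # 06002. Potential WebView XSS: JavaScript enabled (a precondition, not a
    # vulnerability by itself).
    webview_setjs_pattern = re.compile(r'\S+\.setJavaScriptEnabled\(true\)', re.M)
    # 06003. file:// same-origin-policy bypass: file access enabled.
    webview_setfile_pattern = re.compile(r'\S+\.setAllowFileAccess\(true\)', re.M)
    # 06004. WebView saves passwords in clear text.
    webview_setpw_pattern = re.compile(r'\S+\.setSavePassword\(true\)', re.M)

    # 06005. Weak host-name verification: a HostnameVerifier whose verify()
    # body is just "return true;".
    hostname_pattern = re.compile(
        r'HostnameVerifier.*?new.*?boolean\s+verify\s*?\(String.*?SSLSession \w+\)\s*?{\s*?return true;\s*?}.*?}',
        re.S)

    # 06006. Weak certificate validation: TrustManager overrides that exist
    # (check*Trusted) plus getAcceptedIssuers() returning null / an empty array.
    # The check*Trusted patterns only locate the methods; whether the body is
    # empty has to be judged by the caller.
    checkclient_pattern = re.compile(r'void checkClientTrusted', re.M)
    checkserver_pattern = re.compile(r'void checkServerTrusted', re.M)
    getissuers_pattern_A = re.compile(r'getAcceptedIssuers\(\)\s*?{\s*?return null;\s*?}', re.S)
    getissuers_pattern_B = re.compile(
        r'getAcceptedIssuers\(\)\s*?{\s*?return new X509Certificate\[0\];\s*?}',
        re.S)
    # 06007. Man-in-the-middle: ALLOW_ALL_HOSTNAME_VERIFIER in use.
    allow_all_hostname_pattern = re.compile(r'(\S*ALLOW_ALL_HOSTNAME_VERIFIER\S*);', re.M)
    # 06008. WebView ignores TLS errors: onReceivedSslError -> handler.proceed().
    # With re.S this can pair an onReceivedSslError with a proceed() much
    # further down the file, so confirm the hit is in the same override.
    webview_ignore_ssl_error_pattern = re.compile(r'new WebViewClient.*?onReceivedSslError.*?handler\.proceed', re.S)

    # 06009. Hidden system JS interfaces (searchBoxJavaBridge_ etc.) not removed:
    # locates WebView declarations (group(1) = the variable name).
    webview_is_defined_pattern = re.compile(r'WebView (\w*)\b.*;', re.M)

    # 08001. Plain-text HTTP URLs (no TLS).
    http_url_pattern = re.compile(r'"(http://.*?)"', re.M)

    # 08002. Insecure SSL component: SSLCertificateSocketFactory.getInsecure()
    # (a static method, hence no receiver is required).
    ssl_get_insecure_pattern = re.compile(r'^\s*(.*SSLCertificateSocketFactory\.getInsecure.*);', re.M)

    # 08003. HttpHost created with DEFAULT_SCHEME (org.apache.hc.core5.http.HttpHost).
    http_host_pattern = re.compile(r'^\s*(.*HttpHost.DEFAULT_SCHEME.*);', re.M)

    # 08005. Open network ports.  group(2) is the literal port; a port passed
    # through a variable (new ServerSocket(port)) is not matched, and an empty
    # group(2) means ServerSocket() / DatagramSocket() with no argument.
    server_socket_pattern = re.compile(r'^\s*(.*ServerSocket\((\d*)\))', re.M)
    datagram_socket_pattern = re.compile(r'^\s*(.*DatagramSocket\((\d*)\))', re.M)

    # 09001. Weak cipher: DES/<mode>/<padding> transformation strings.
    # Plain "DES" (no mode) and "DESede" are not matched by this rule.
    des_pattern = re.compile(r'^\s*(.*DES/\w{3}/.+Padding.*);', re.M)
    # 09002. Unsafe key length: locates KeyPairGenerator variables (group(1));
    # the actual size is in the later initialize(...) call, which the caller
    # has to look up.
    unsafe_key_pattern = re.compile(r'KeyPairGenerator\s+(\w+)\s*=\s*KeyPairGenerator\.getInstance.*;', re.M)
    # 09003. AES in ECB mode.  Note that a bare "AES" transformation string
    # defaults to ECB/PKCS5Padding in the JCE providers and is NOT matched here.
    aes_ecb_pattern = re.compile(r'^\s*(.*AES/ECB/.+Padding.*);', re.M)
    # 09004. IvParameterSpec built from a local (group(1)); the caller has to
    # decide whether that value is a constant.
    iv_parameter_spec_pattern = re.compile(r'new\s+IvParameterSpec\((\w+)\)', re.M)
    # 09005. RSA without padding (textbook RSA).
    rsa_no_padding_pattern = re.compile(r'^\s*(.*RSA/\w+/NoPadding.*);', re.M)

    # 10001. Sensitive information in strings / resources.
    email_pattern = re.compile(r'[\w.-]+@[\w-]+\.[\w.]+', re.M)
    # Mainland-China mobile numbers.  Only the 13x/14x/15x/18x ranges of the
    # original rule are covered (16x/17x/19x are NOT - extend if needed).  The
    # old character classes contained a literal "|" and therefore also accepted
    # "15|"; the digit look-arounds stop the rule from firing on 11 digits
    # embedded in a longer numeric run (timestamps, hashes).
    telephone_pattern = re.compile(
        r'(?<!\d)((13\d|14[57]|15[0-35-8]|18[0-35-9])\d{8})(?!\d)', re.M)
    # Chinese national id: 15 digits, or 17 digits plus a check digit / "X".
    # The 18-digit form is tried first (with "\d{15}" first, an 18-digit id was
    # reported as its first 15 digits) and both forms must be delimited by
    # non-digits so arbitrary long numbers are not flagged.
    identity_code_pattern = re.compile(
        r'(?<!\d)(?:\d{17}[\dX]|\d{15})(?![\dX])', re.M | re.I)
    # 10002. Clipboard leaks: ClipData.newPlainText(...).
    clip_data_pattern = re.compile(r'\s*(.*ClipData\.newPlainText.*);', re.M)
    # 10003. Intent data leak: setFlags(... FLAG_ACTIVITY_NEW_TASK ...).
    intent_setflag_pattern = re.compile(r'\s*(.*setFlags.*FLAG_ACTIVITY_NEW_TASK.*);', re.M)
    # 10004. PendingIntent misuse: group(3) is the Intent argument; an empty /
    # implicit Intent there can be hijacked.
    pending_intent_pattern = re.compile(r'(PendingIntent\.get(Service|Activity|Broadcast)\(\w*, \w*, (\w*).*\))')
    # 10005. Hard-coded key: SecretKeySpec built from a local (group(1)).
    # Typical shape:
    #   String str = "keyTest0755";
    #   byte[] key = str.getBytes();
    #   SecretKey secretKey = new SecretKeySpec(key, "AES");
    secretkeyspec_pattern = re.compile(r'new\s+SecretKeySpec\((\w+),.*\)')
    # 10007. Base64-looking string literals.  Any quoted string whose length is
    # a multiple of 4 over the base64 alphabet matches (including "test"), so
    # expect many false positives on short strings.
    base64_pattern = re.compile(r'"(([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{4}|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==))"', re.M)
    # 10008. World-readable / world-writable files.
    # MODE_WORLD_READABLE / MODE_WORLD_WRITEABLE should be MODE_PRIVATE in
    #   openFileOutput(String name, int mode)
    #   getDir(String name, int mode)
    #   getSharedPreferences(String name, int mode)
    openfile_output_pattern = re.compile(r'\s*(.*openFileOutput.*(MODE_WORLD_READABLE|MODE_WORLD_WRITEABLE).*);', re.M)
    getdir_pattern = re.compile(r'\s*(.*getDir.*(MODE_WORLD_READABLE|MODE_WORLD_WRITEABLE).*);', re.M)
    getsharedprefer_pattern = re.compile(
        r'\s*(.*getSharedPreferences.*(MODE_WORLD_READABLE|MODE_WORLD_WRITEABLE).*);',
        re.M)
    # 10009. Logging: Log.v / d / e / i / w (wtf is covered by "w"); the class
    # also admits Log.f / Log.s as in the original rule.
    log_pattern = re.compile(r'\s*(Log\.[vdeiwfs].*);', re.M)
    # 11001. Security-related function calls (inventory, not a finding).
    safe_function_pattern = re.compile(
        r'(\w*(encrypt|decrypt|encod|decod|aes|sha1|sha256|sha512|md5|decode|encode)\w*\(.*?\))',
        re.M | re.I)
    # 11002. Security-related classes (inventory, not a finding).
    safe_class_pattern = re.compile(
        r'encrypt|decrypt|encod|decod|aes|sha1|sha256|sha512|md5|decode|encode',
        re.M | re.I)
    # 11003. Command execution: Runtime stored in a local (group(1)).  The
    # chained form Runtime.getRuntime().exec(...) is not matched by this rule.
    getruntime_pattern = re.compile(r'Runtime\s+(\w+).*Runtime\.getRuntime\(\);', re.M)
    # 11004. Native library loading.  System.loadLibrary() takes the bare
    # library name ("native", not "libnative.so"), so the old rule, which
    # required a ".so" inside the quotes, never matched real code; System.load()
    # (absolute path) is now covered too.  group(1) = the call.
    load_library_pattern = re.compile(
        r'(System\.load(?:Library)?\s*\(\s*"[^"]*"\s*\));', re.M)
    # 11005. Dynamic DEX loading from outside the APK.
    dexclassloader_pattern = re.compile(r'\s*(.*=\s*?new\s+DexClassLoader\s*?\(.*?\));', re.M)
    # 11006. Root usage: exec() whose command is "su", "su -c ..." or a path
    # ending in /su, either as a single string or inside a String[] literal.
    # The receiver no longer has to be a plain identifier, so the chained
    # Runtime.getRuntime().exec("su") form is matched as well.
    root_exec_pattern = re.compile(
        r'\s*(.*\.exec\s*\(.*?"(?:[^"]*/)?su(?:\s[^"]*)?".*?\));', re.M)
    # 11007. IMEI / device id access.
    getdeviceid_pattern = re.compile(r'\s*(.*getDeviceId.*);')
    # 11008. ANDROID_ID access.
    secure_androidid_pattern = re.compile(r'\s*(Secure\.getString.*Secure\.ANDROID_ID.*);', re.M)
    # 11009. Sending SMS.
    send_sms_pattern = re.compile(r'\s*(.*send(Text|Data|Multimedia)Message\(.*\));', re.M)
    # 11010. File handling: File objects (group(1) = variable), for later
    # delete() tracing.
    getfile_pattern = re.compile(r'File\s+(\w+).*new\s+File.*;', re.M)
    # 11011. Signature checks via getPackageInfo(..., GET_SIGNATURES).
    signature_pattern = re.compile(r'(\w+\s*=\s*\w+\.getPackageInfo.*?PackageManager\.GET_SIGNATURES\).*?);', re.S)
    # 12001. Fragment injection (CVE-2013-6271): a PreferenceActivity whose
    # isValidFragment() always returns true.
    isvalid_fragment_pattern = re.compile(
        r'extends PreferenceActivity.*boolean isValidFragment.*?{\s*return true;\s*?}',
        re.S)
    # 12003. Predictable random numbers: explicit setSeed(...).
    set_seed_pattern = re.compile(r'\s*(.*\.setSeed.+);', re.M)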

动态扫描

目前动态扫描仍需人工操作：例如将 APP 安装到 Android 模拟器中运行，再手工执行相应的命令来触发并验证漏洞（这也是确认静态扫描命中项是否真实可利用的主要手段）。自动化的动态检测尚未实现，具体方案有待进一步研究。