dotnet / runtime

.NET is a cross-platform runtime for cloud, mobile, desktop, and IoT apps.

Home Page: https://docs.microsoft.com/dotnet/core/


MobSF vulnerability analysis

francopettinari opened this issue · comments

Description

Our application is net8.0-android and the customer is sending us a MobSF static analysis that gives security alerts related to Stack Canary.
I'm not an expert in this field, so I simply ask for confirmation whether MobSF gives a false positive or if it is a real issue.
In case it is a false positive, what alternative tool can I use to prove the real status?

The alert is on most of the .so files included in the apk.
For example, in arm64-v8a/libaot-System.Runtime.dll.so the alert is present.

Thanks in advance!

(screenshot: alert)

Steps to Reproduce

Just create a net8.0-android app and build apk

Link to public reproduction project repository

No response

Version with bug

Unknown/Other

Is this a regression from previous behavior?

Not sure, did not test other versions

Last version that worked well

Unknown/Other

Affected platforms

Android

Affected platform versions

Android 14

Did you find any workaround?

no

Relevant log output

no

libaot-*.so files are generated by the AOT compiler.

In the past, we have not found that MobSF actually reports any actionable security issues, but we can move this to dotnet/runtime for them to take a look.

@francopettinari since we are aot compiling managed code, not having fstack-protector-all isn't a big problem. It's likely a bit of work on our end because our aot compiler emits assembly and so it's not as simple as just setting a build flag. That said, I'll keep it in our backlog as it is something we should address.
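The original post asks for an independent way to confirm what MobSF reports, and the maintainer reply above explains why the AOT-generated libaot-*.so files lack the stack protector. Checksec-style scanners (MobSF's shared-library check among them) decide "Stack Canary" by looking for the stack-protector runtime symbols, `__stack_chk_fail` and `__stack_chk_guard`, in the ELF symbol tables: a library built with `-fstack-protector*` must import them, one emitted from hand-written or compiler-generated assembly without canaries does not. The following script reproduces that check with a small hand-rolled ELF64 reader so it can be run against every `.so` extracted from the APK. It is an added example, not code from the dotnet/runtime project or from MobSF; the symbol heuristic is an assumption about how such tools work, and `build_elf_with_dynsym` produces a constructed, non-loadable sample image that stands in for a real library so the script runs offline.

```python
import struct
import sys
from typing import List

# Struct layouts for little-endian ELF64 (Elf64_Ehdr, Elf64_Shdr, Elf64_Sym).
ELF_HDR = struct.Struct("<16sHHIQQQIHHHHHH")   # 64 bytes
SEC_HDR = struct.Struct("<IIQQQQIIQQ")         # 64 bytes
SYM = struct.Struct("<IBBHQQ")                 # 24 bytes
SHT_SYMTAB, SHT_STRTAB, SHT_DYNSYM = 2, 3, 11

# Symbols a stack-protector-enabled object references; checksec-style tools key
# their "Stack Canary" verdict on their presence (assumption stated in the lead-in).
CANARY_SYMBOLS = {"__stack_chk_fail", "__stack_chk_guard"}


def _cstr(blob: bytes, off: int) -> str:
    """Read a NUL-terminated string from a string table."""
    return blob[off:blob.index(b"\0", off)].decode("ascii", "replace")


def elf_symbol_names(data: bytes) -> List[str]:
    """Return every named symbol in .symtab/.dynsym of a little-endian ELF64 image."""
    (ident, _type, _machine, _ver, _entry, _phoff, e_shoff, _flags, _ehsize,
     _phentsize, _phnum, e_shentsize, e_shnum, _shstrndx) = ELF_HDR.unpack_from(data, 0)
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    secs = [SEC_HDR.unpack_from(data, e_shoff + i * e_shentsize) for i in range(e_shnum)]
    names: List[str] = []
    for sh in secs:
        sh_type, sh_off, sh_size, sh_link, sh_entsize = sh[1], sh[4], sh[5], sh[6], sh[9]
        if sh_type not in (SHT_SYMTAB, SHT_DYNSYM) or sh_entsize == 0:
            continue
        strtab = secs[sh_link]                    # sh_link points at the matching string table
        strblob = data[strtab[4]:strtab[4] + strtab[5]]
        for j in range(sh_size // sh_entsize):
            st_name = SYM.unpack_from(data, sh_off + j * sh_entsize)[0]
            if st_name:                           # index 0 is the unnamed null symbol
                names.append(_cstr(strblob, st_name))
    return names


def has_stack_canary(data: bytes) -> bool:
    """True when the object references the stack-protector runtime symbols."""
    return bool(CANARY_SYMBOLS & set(elf_symbol_names(data)))


def build_elf_with_dynsym(symbols: List[str]) -> bytes:
    """Constructed sample input: a minimal, non-loadable AArch64 ET_DYN image whose
    .dynsym imports the given names. Stand-in for a real libaot-*.so, not a real file."""
    dynstr = b"\0" + b"".join(s.encode() + b"\0" for s in symbols)
    syms, name_off = bytearray(SYM.size), 1       # entry 0 is the mandatory null symbol
    for s in symbols:
        syms += SYM.pack(name_off, 0x12, 0, 0, 0, 0)   # STB_GLOBAL|STT_FUNC, SHN_UNDEF
        name_off += len(s) + 1
    shstrtab = b"\0.dynsym\0.dynstr\0.shstrtab\0"      # name offsets 1, 9, 17
    dynstr_off = ELF_HDR.size
    dynsym_off = dynstr_off + len(dynstr)
    shstr_off = dynsym_off + len(syms)
    shoff = shstr_off + len(shstrtab)
    shdrs = b"".join([
        SEC_HDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0),
        SEC_HDR.pack(1, SHT_DYNSYM, 2, 0, dynsym_off, len(syms), 2, 1, 8, SYM.size),
        SEC_HDR.pack(9, SHT_STRTAB, 2, 0, dynstr_off, len(dynstr), 0, 0, 1, 0),
        SEC_HDR.pack(17, SHT_STRTAB, 0, 0, shstr_off, len(shstrtab), 0, 0, 1, 0),
    ])
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELF64, little-endian, v1
    ehdr = ELF_HDR.pack(ident, 3, 0xB7, 1, 0, 0, shoff, 0, ELF_HDR.size,
                        0, 0, SEC_HDR.size, 4, 3)           # ET_DYN, EM_AARCH64, 4 sections
    return ehdr + dynstr + bytes(syms) + shstrtab + shdrs


if __name__ == "__main__":
    # Usage: python elf_canary_check.py lib/arm64-v8a/*.so  (paths are the caller's)
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            verdict = "canary" if has_stack_canary(f.read()) else "NO canary"
        print(f"{verdict:10} {path}")
```

The same verdict can be had from binutils with `readelf -s lib.so | grep __stack_chk` or `nm -D lib.so | grep __stack_chk_fail`; if those come back empty, MobSF's finding is accurate for that file, and whether it matters is the question the maintainer reply addresses (AOT-compiled managed code rather than hand-written C handling untrusted buffers). The script reads both `.symtab` and `.dynsym` so it also works on unstripped objects.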