Mobile-Security-Framework-MobSF
Android - Picking wrong network security config file.
ENVIRONMENT
OS and Version: MacOS 12.6
Python Version: 3.10.7
MobSF Version:
EXPLANATION OF THE ISSUE
In APKs where the networkSecurityConfig attribute declares a filename like "another_security_config.xml" and then in the res/xml folder both "network_security_config.xml" and "another_security_config.xml" are present, MobSF will choose the "network_security_config.xml" file (basically whichever comes first while iterating over xml files in the folder).
The reason being, in the code in network_security.py, it is checking for the presence of either the declared config file name or "network_security_config", and in the current case it is always choosing "network_security_config", as coincidentally the "network_security_config.xml" file is also present in the application.
STEPS TO REPRODUCE THE ISSUE
Can be reproduced for MyJio v7.0.19 application (https://www.apkmirror.com/apk/jio-platforms-limited/myjio/myjio-7-0-19-release/).
In the app, the manifest declares:
networkSecurityConfig="@xml/network_security"
And the application contains two network security config files:
- network_security.xml
- network_security_config.xml
MobSF will choose "network_security_config.xml"
👋 @su-vikas Issues is only for reporting a bug/feature request. For limited support, questions, and discussions, please join MobSF Slack channel. Please include all the requested and relevant information when opening a bug report. Improper reports will be closed without any response.
Thanks for the report. I will take a look at this and revert.
Took a lot of time, but addressed in https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2307
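The selection behaviour described in the report, next to an exact-match resolution of the manifest attribute, as an added example (not MobSF's code and not the change made in the linked pull request). The function names, the file list and its order are constructed for illustration.

```python
from pathlib import PurePosixPath

DEFAULT_STEM = "network_security_config"

# Constructed listing of res/xml for an app shaped like the one in the report.
# The order stands in for whatever order directory iteration happens to return.
SAMPLE_FILES = [
    "res/xml/network_security_config.xml",
    "res/xml/network_security.xml",
]


def pick_first_match(xml_files, declared_stem):
    """Selection as the report describes it: the first file named either
    like the declared config or like the default name wins."""
    for path in xml_files:
        if PurePosixPath(path).stem in (declared_stem, DEFAULT_STEM):
            return path
    return None


def resolve_declared(xml_files, attr_value):
    """Resolve android:networkSecurityConfig ("@xml/<name>") to exactly
    that resource. Returns None when the attribute is absent, is not an
    @xml reference, or names a file that is not in the package."""
    prefix = "@xml/"
    if not attr_value or not attr_value.startswith(prefix):
        return None
    wanted = attr_value[len(prefix):]
    candidates = []
    for path in xml_files:
        p = PurePosixPath(path)
        folder = p.parent.name
        # Accept res/xml and qualified variants such as res/xml-v24.
        in_xml_dir = folder == "xml" or folder.startswith("xml-")
        if in_xml_dir and p.suffix == ".xml" and p.stem == wanted:
            candidates.append(path)
    # Prefer the unqualified res/xml copy, then a stable path order.
    candidates.sort(key=lambda c: (PurePosixPath(c).parent.name != "xml", c))
    return candidates[0] if candidates else None


if __name__ == "__main__":
    attr = "@xml/network_security"
    print("first match  :", pick_first_match(SAMPLE_FILES, "network_security"))
    print("exact resolve:", resolve_declared(SAMPLE_FILES, attr))
```

With the wrong file selected, every finding derived from the network security config describes a policy the app does not actually use, so the exact-match result is the one to analyse.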