super icon indicating copy to clipboard operation
super copied to clipboard
verified publisher icon SUPERAndroidAnalyzer

Complex AndroidManifest.xml analysis

Open Razican opened this issue 9 years ago • 3 comments

We need to add content providers, receivers, etc. to manifest analysis, and rules to decide what to analyze. Here is the complete list:

  • <provider>:
    • if android:exported="false" everything is OK.
    • if android:exported="true" and any targetSdkVersion or no android:exported and minSdkVersion < 17, we could have a vulnerability:
      • if android:permission or android:readPermission or android:writePermission, only warning.
      • if no permissions, medium or high vulnerability: other apps can read it.
  • <receiver>, <activity>, <activity-alias> or <service>:
    • if android:exported="false" everything is OK.
    • if android:exported="true" we could have a vulnerability:
      • if android:permission, only warning.
      • if no permissions, medium or high vulnerability: other apps can access it.
    • If no android:exported, we could have a vulnerability:
      • if no <intent-filter>, everything is OK.
      • if <intent-filter>:
        • if android:permission, only warning.
        • if no permissions, medium or high vulnerability: other apps can access it.

Analysis from AndroBugs: https://github.com/AndroBugs/AndroBugs_Framework/blob/master/androbugs.py

Razican avatar Sep 22 '16 20:09 Razican

Complex AndroidManifest.xml analysis implemented but some clarifications are required in order to improve these detections in the next version (0.3.0). That's why this issue will remain openned.

Chuky9 avatar Nov 03 '16 22:11 Chuky9

This depends on #20. We suppose that it will be available before the launch of 0.3.0 with enough time to implement it, so we maintain it for 0.3.0.

Razican avatar Nov 10 '16 21:11 Razican

Moving this to SUPER 0.5.0.

Razican avatar Apr 02 '17 10:04 Razican