Static review stuck in code analysis #2162

Open
berial5 opened this issue Apr 14, 2023 · 23 comments
Labels
android sca Android Static Code Analysis related bug MobSF bugs investigating MobSF collaborators are investigating this issue static analyzer Static Analyzer related

Comments

@berial5

berial5 commented Apr 14, 2023

ENVIRONMENT

OS and Version: Win11 21H2 22000.16963.
Python Version: python 3.8.8
MobSF Version: v3.6.3 Beta

EXPLANATION OF THE ISSUE

I can check some old versions of this APK and they are little.
But as for the latest, it doesn't work and just gets stuck.

STEPS TO REPRODUCE THE ISSUE

1. run.bat
2. upload in localhost:8000
3. 100% upload, then console stuck

LOG FILE

  __  __       _    ____  _____       _____  __
 |  \/  | ___ | |__/ ___||  ___|_   _|___ / / /_
 | |\/| |/ _ \| '_ \___ \| |_  \ \ / / |_ \| '_ \
 | |  | | (_) | |_) |__) |  _|  \ V / ___) | (_) |
 |_|  |_|\___/|_.__/____/|_|     \_/ |____(_)___/

[INFO] 13/Apr/2023 14:02:30 - Mobile Security Framework v3.6.3 Beta
[INFO] 13/Apr/2023 14:02:30 - OS: Windows
[INFO] 13/Apr/2023 14:02:30 - Platform: Windows-10-10.0.22000-SP0
[INFO] 13/Apr/2023 14:02:30 - MobSF Basic Environment Check
[WARNING] 13/Apr/2023 14:02:31 - Dynamic Analysis related functions will not work. 
Make sure a Genymotion Android VM/Android Studio Emulator is running before performing Dynamic Analysis.
[WARNING] 13/Apr/2023 14:02:32 - Dynamic Analysis related functions will not work. 
Make sure a Genymotion Android VM/Android Studio Emulator is running before performing Dynamic Analysis.
[ERROR] 13/Apr/2023 14:02:35 - Is the Android VM running?
MobSF cannot identify device id.
Please set ANALYZER_IDENTIFIER in C:\Users\Berial\.MobSF\config.py
[INFO] 13/Apr/2023 14:02:36 - Checking for Update.
[INFO] 13/Apr/2023 14:02:37 - No updates available.
[INFO] 13/Apr/2023 14:02:48 - MIME Type: application/vnd.android.package-archive FILE: 6.6.2.apk
[INFO] 13/Apr/2023 14:02:48 - Performing Static Analysis of Android APK
[INFO] 13/Apr/2023 14:02:48 - Scan Hash: dd3c654e23322a631e155256588b9907
[INFO] 13/Apr/2023 14:02:48 - Starting Analysis on: 6.6.2.apk
[INFO] 13/Apr/2023 14:02:48 - Generating Hashes
[INFO] 13/Apr/2023 14:02:49 - Unzipping
[INFO] 13/Apr/2023 14:02:55 - APK Extracted
[INFO] 13/Apr/2023 14:02:55 - Getting Hardcoded Certificates/Keystores
[INFO] 13/Apr/2023 14:02:55 - Getting AndroidManifest.xml from APK
[INFO] 13/Apr/2023 14:02:55 - Converting AXML to XML
[INFO] 13/Apr/2023 14:03:09 - Parsing AndroidManifest.xml
[INFO] 13/Apr/2023 14:03:11 - Fetching icon path
[INFO] 13/Apr/2023 14:03:12 - Extracting Manifest Data
[INFO] 13/Apr/2023 14:03:12 - Fetching Details from Play Store: com.xiaomi.hm.health
[INFO] 13/Apr/2023 14:03:33 - Manifest Analysis Started
[INFO] 13/Apr/2023 14:03:33 - Reading Network Security Config
[INFO] 13/Apr/2023 14:03:33 - Parsing Network Security Config
[INFO] 13/Apr/2023 14:03:33 - Binary Analysis Started
[INFO] 13/Apr/2023 14:03:33 - Analyzing lib/arm64-v8a/libab153x-peq.so
[INFO] 13/Apr/2023 14:03:34 - Analyzing lib/arm64-v8a/libaivs_jni.so
[INFO] 13/Apr/2023 14:03:34 - Analyzing lib/arm64-v8a/libAMapSDK_MAP_v9_4_0.so
[INFO] 13/Apr/2023 14:03:34 - Analyzing lib/arm64-v8a/libantidebug-lib.so
[INFO] 13/Apr/2023 14:03:34 - Analyzing lib/arm64-v8a/libantirepack-lib.so
[INFO] 13/Apr/2023 14:03:34 - Analyzing lib/arm64-v8a/libBodyfat.so
[INFO] 13/Apr/2023 14:03:34 - Analyzing lib/arm64-v8a/libbsdiffpatch.so
[INFO] 13/Apr/2023 14:03:34 - Analyzing lib/arm64-v8a/libc++_shared.so
[INFO] 13/Apr/2023 14:03:35 - Analyzing lib/arm64-v8a/libcardioDecider.so
[INFO] 13/Apr/2023 14:03:35 - Analyzing lib/arm64-v8a/libcardioRecognizer.so
[INFO] 13/Apr/2023 14:03:35 - Analyzing lib/arm64-v8a/libcardioRecognizer_tegra2.so
[INFO] 13/Apr/2023 14:03:35 - Analyzing lib/arm64-v8a/libcrypto-lib.so
[INFO] 13/Apr/2023 14:03:35 - Analyzing lib/arm64-v8a/libdataProcess.so
[INFO] 13/Apr/2023 14:03:35 - Analyzing lib/arm64-v8a/libdevice-compress.so
[INFO] 13/Apr/2023 14:03:35 - Analyzing lib/arm64-v8a/libdevice-encrypt.so
[INFO] 13/Apr/2023 14:03:35 - Analyzing lib/arm64-v8a/libete.so
[INFO] 13/Apr/2023 14:03:35 - Analyzing lib/arm64-v8a/libfb.so
[INFO] 13/Apr/2023 14:03:35 - Analyzing lib/arm64-v8a/libfolly_json.so
[INFO] 13/Apr/2023 14:03:35 - Analyzing lib/arm64-v8a/libglog.so
[INFO] 13/Apr/2023 14:03:36 - Analyzing lib/arm64-v8a/libglog_init.so
[INFO] 13/Apr/2023 14:03:36 - Analyzing lib/arm64-v8a/libgps-filter.so
[INFO] 13/Apr/2023 14:03:36 - Analyzing lib/arm64-v8a/libHealthCare.so
[INFO] 13/Apr/2023 14:03:36 - Analyzing lib/arm64-v8a/libhtBodyfatBia4TwoLegs.so
[INFO] 13/Apr/2023 14:03:36 - Analyzing lib/arm64-v8a/libimagepipeline.so
[INFO] 13/Apr/2023 14:03:36 - Analyzing lib/arm64-v8a/libimage_processing_util_jni.so
[INFO] 13/Apr/2023 14:03:36 - Analyzing lib/arm64-v8a/libiwds.so
[INFO] 13/Apr/2023 14:03:37 - Analyzing lib/arm64-v8a/libJhmSignal.so
[INFO] 13/Apr/2023 14:03:37 - Analyzing lib/arm64-v8a/libjni_liveness_silent.so
[INFO] 13/Apr/2023 14:03:37 - Analyzing lib/arm64-v8a/libjsc.so
[INFO] 13/Apr/2023 14:03:37 - Analyzing lib/arm64-v8a/libjscexecutor.so
[INFO] 13/Apr/2023 14:03:37 - Analyzing lib/arm64-v8a/libjsinspector.so
[INFO] 13/Apr/2023 14:03:37 - Analyzing lib/arm64-v8a/libkoom-fast-dump.so
[INFO] 13/Apr/2023 14:03:37 - Analyzing lib/arm64-v8a/libkoom-strip-dump.so
[INFO] 13/Apr/2023 14:03:38 - Analyzing lib/arm64-v8a/libkwai-android-base.so
[INFO] 13/Apr/2023 14:03:38 - Analyzing lib/arm64-v8a/liblogan.so
[INFO] 13/Apr/2023 14:03:38 - Analyzing lib/arm64-v8a/libmibraindec.so
[INFO] 13/Apr/2023 14:03:38 - Analyzing lib/arm64-v8a/libmibrainjni.so
[INFO] 13/Apr/2023 14:03:38 - Analyzing lib/arm64-v8a/libmibrainsdk.so
[INFO] 13/Apr/2023 14:03:38 - Analyzing lib/arm64-v8a/libmmkv.so
[INFO] 13/Apr/2023 14:03:38 - Analyzing lib/arm64-v8a/libocr-sdk.so
[INFO] 13/Apr/2023 14:03:38 - Analyzing lib/arm64-v8a/libopencv_core.so
[INFO] 13/Apr/2023 14:03:39 - Analyzing lib/arm64-v8a/libopencv_imgproc.so
[INFO] 13/Apr/2023 14:03:39 - Analyzing lib/arm64-v8a/libopencv_java4.so
[INFO] 13/Apr/2023 14:03:40 - Analyzing lib/arm64-v8a/libopustool.so
[INFO] 13/Apr/2023 14:03:41 - Analyzing lib/arm64-v8a/libpng2tga.so
[INFO] 13/Apr/2023 14:03:41 - Analyzing lib/arm64-v8a/libquicklz.so
[INFO] 13/Apr/2023 14:03:41 - Analyzing lib/arm64-v8a/libreactnativejni.so
[INFO] 13/Apr/2023 14:03:41 - Analyzing lib/arm64-v8a/libresample.so
[INFO] 13/Apr/2023 14:03:41 - Analyzing lib/arm64-v8a/libsdk_patcher_jni.so
[INFO] 13/Apr/2023 14:03:41 - Analyzing lib/arm64-v8a/libsharewind.so
[INFO] 13/Apr/2023 14:03:41 - Analyzing lib/arm64-v8a/libsogouenc.so
[INFO] 13/Apr/2023 14:03:41 - Analyzing lib/arm64-v8a/libsport-run.so
[INFO] 13/Apr/2023 14:03:41 - Analyzing lib/arm64-v8a/libstidsilent_liveness.so
[INFO] 13/Apr/2023 14:03:41 - Analyzing lib/arm64-v8a/libtha.so
[INFO] 13/Apr/2023 14:03:41 - Analyzing lib/arm64-v8a/libuptsmblesdk.so
[INFO] 13/Apr/2023 14:03:41 - Analyzing lib/arm64-v8a/libuptsmblesdkservice.so
[INFO] 13/Apr/2023 14:03:42 - Analyzing lib/arm64-v8a/libvad2.so
[INFO] 13/Apr/2023 14:03:42 - Analyzing lib/arm64-v8a/libweibosdkcore.so
[INFO] 13/Apr/2023 14:03:42 - Analyzing lib/arm64-v8a/libxhook_lib.so
[INFO] 13/Apr/2023 14:03:42 - Analyzing lib/arm64-v8a/libxmd.so
[INFO] 13/Apr/2023 14:03:43 - Analyzing lib/arm64-v8a/libyoga.so
[INFO] 13/Apr/2023 14:03:43 - Reading Code Signing Certificate
[INFO] 13/Apr/2023 14:03:43 - Running APKiD 2.1.4
[INFO] 13/Apr/2023 14:04:06 - Trackers Database is up-to-date
[INFO] 13/Apr/2023 14:04:06 - Detecting Trackers
[INFO] 13/Apr/2023 14:04:21 - APK -> JAVA
[INFO] 13/Apr/2023 14:04:21 - Decompiling to Java with jadx
[INFO] 13/Apr/2023 14:06:17 - DEX -> SMALI
[INFO] 13/Apr/2023 14:06:17 - Converting classes.dex to Smali Code
[INFO] 13/Apr/2023 14:06:17 - Converting classes10.dex to Smali Code
[INFO] 13/Apr/2023 14:06:17 - Converting classes11.dex to Smali Code
[INFO] 13/Apr/2023 14:06:17 - Converting classes12.dex to Smali Code
[INFO] 13/Apr/2023 14:06:17 - Converting classes13.dex to Smali Code
[INFO] 13/Apr/2023 14:06:17 - Converting classes14.dex to Smali Code
[INFO] 13/Apr/2023 14:06:17 - Converting classes15.dex to Smali Code
[INFO] 13/Apr/2023 14:06:17 - Converting classes16.dex to Smali Code
[INFO] 13/Apr/2023 14:06:17 - Converting classes17.dex to Smali Code
[INFO] 13/Apr/2023 14:06:17 - Converting classes18.dex to Smali Code
[INFO] 13/Apr/2023 14:06:17 - Converting classes19.dex to Smali Code
[INFO] 13/Apr/2023 14:06:17 - Converting classes2.dex to Smali Code
[INFO] 13/Apr/2023 14:06:17 - Converting classes20.dex to Smali Code
[INFO] 13/Apr/2023 14:06:17 - Converting classes21.dex to Smali Code
[INFO] 13/Apr/2023 14:06:17 - Converting classes22.dex to Smali Code
[INFO] 13/Apr/2023 14:06:17 - Converting classes23.dex to Smali Code
[INFO] 13/Apr/2023 14:06:17 - Converting classes24.dex to Smali Code
[INFO] 13/Apr/2023 14:06:17 - Converting classes3.dex to Smali Code
[INFO] 13/Apr/2023 14:06:17 - Converting classes4.dex to Smali Code
[INFO] 13/Apr/2023 14:06:17 - Converting classes5.dex to Smali Code
[INFO] 13/Apr/2023 14:06:17 - Converting classes6.dex to Smali Code
[INFO] 13/Apr/2023 14:06:17 - Converting classes7.dex to Smali Code
[INFO] 13/Apr/2023 14:06:17 - Converting classes8.dex to Smali Code
[INFO] 13/Apr/2023 14:06:17 - Converting classes9.dex to Smali Code
[INFO] 13/Apr/2023 14:06:17 - Code Analysis Started on - java_source

The APK is available at this URL (it's so big that the upload fails):
https://mega.nz/file/YGgEiarD#yRR8dZK3UCb3t09TWt4I5c67aGQbtXVSmi5yCvyqKPk

@github-actions

👋 @berial5
Issues are only for reporting a bug/feature request. For limited support, questions, and discussions, please join the MobSF Slack channel.
Please include all the requested and relevant information when opening a bug report. Improper reports will be closed without any response.

@ajinabraham
Member

Reproduced this, code analysis works at my end, but there is a pid kill happening just before string extraction.

@ajinabraham ajinabraham added bug MobSF bugs investigating MobSF collaborators are investigating this issue labels Apr 18, 2023
@berial5
Author

berial5 commented Apr 19, 2023

So the memory leak is not true?
And could you give me some advice on how to continue the process? Update?

@ajinabraham
Member

We need to investigate this and identify the root cause of why the PID is getting killed. The error code suggests that it is a memory leak, but we can only confirm after investigation.

I guess you cannot scan the said APK(s) until this is fixed.

@cibermike20

cibermike20 commented Apr 29, 2023

Hi guys,
I got the same problem with another APK, stuck during the Code Analysis on MobSF 3.6.6 Beta.
Find below the error logs after several hours of running:

[INFO] 28/Apr/2023 12:08:46 - Code Analysis Started on - java_source
[2023-04-28 23:32:46 +0200] [59117] [CRITICAL] WORKER TIMEOUT (pid:59118)
[2023-04-28 23:32:47 +0200] [59117] [WARNING] Worker with pid 59118 was terminated due to signal 9
[2023-04-28 23:32:47 +0200] [59525] [INFO] Booting worker with pid: 59525
[2023-04-29 01:33:34 +0200] [59117] [CRITICAL] WORKER TIMEOUT (pid:59525)
[2023-04-29 01:33:35 +0200] [59535] [INFO] Booting worker with pid: 59535
[2023-04-29 05:09:50 +0200] [59117] [CRITICAL] WORKER TIMEOUT (pid:59535)
[2023-04-29 05:09:50 +0200] [59604] [INFO] Booting worker with pid: 59604
[2023-04-29 07:02:55 +0200] [59117] [CRITICAL] WORKER TIMEOUT (pid:59604)
[2023-04-29 07:02:56 +0200] [59648] [INFO] Booting worker with pid: 59648
[2023-04-29 09:03:44 +0200] [59117] [CRITICAL] WORKER TIMEOUT (pid:59648)
[2023-04-29 09:03:44 +0200] [59655] [INFO] Booting worker with pid: 59655
[2023-04-29 10:21:33 +0200] [59117] [CRITICAL] WORKER TIMEOUT (pid:59655)
[2023-04-29 10:21:33 +0200] [59658] [INFO] Booting worker with pid: 59658

Regards!

@junwei-liu

Hi, guys:
I got the same problem with another APK, stuck during the Code Analysis on MobSF 3.6.6 Beta.

[INFO] 15/May/2023 09:41:19 -
  __  __       _    ____  _____       _____  __
 |  \/  | ___ | |__/ ___||  ___|_   _|___ / / /_
 | |\/| |/ _ \| '_ \___ \| |_  \ \ / / |_ \| '_ \
 | |  | | (_) | |_) |__) |  _|  \ V / ___) | (_) |
 |_|  |_|\___/|_.__/____/|_|     \_/ |____(_)___/

[INFO] 15/May/2023 09:41:19 - Mobile Security Framework v3.6.3 Beta
[INFO] 15/May/2023 09:41:19 - OS: Linux
[INFO] 15/May/2023 09:41:19 - Platform: Linux-5.4.0-146-generic-x86_64-with-glibc2.27
[INFO] 15/May/2023 09:41:20 - Dist: ubuntu 18.04 Bionic Beaver
[INFO] 15/May/2023 09:41:20 - MobSF Basic Environment Check
[WARNING] 15/May/2023 09:41:20 - Dynamic Analysis related functions will not work.
Make sure a Genymotion Android VM/Android Studio Emulator is running before performing Dynamic Analysis.
[INFO] 15/May/2023 09:41:24 - MIME Type: application/octet-stream FILE: InceptioIda.ipa
[INFO] 15/May/2023 09:41:24 - Performing Static Analysis of iOS IPA
[INFO] 15/May/2023 09:41:25 - Checking for Update.
[INFO] 15/May/2023 09:41:25 - No updates available.
[INFO] 15/May/2023 09:42:08 -

If you use the API interface to upload the installation package for static analysis, you will get stuck here.

@Unkn0wnHunt

Hello guys,

It is also the same with me. Stuck on the analysis after uploading the APK. I've been waiting for it to complete for hours but no luck.


@junwei-liu

I have avoided this problem by modifying the process and triggering an additional submission through the API. This method may only be regarded as a temporary solution, for your reference only.

@HackJJ
Contributor

HackJJ commented Jun 1, 2023

I have avoided this problem by modifying the process and triggering an additional submission through the API. This method may only be regarded as a temporary solution, for your reference only.

Any steps to reproduce this?

I get something similar. An IPA at 100Mb+ is fine but an APK at 40Mb breaks with the following

[INFO] 01/Jun/2023 09:03:20 - Converting classes9.dex to Smali Code
[INFO] 01/Jun/2023 09:03:20 - Converting classes11.dex to Smali Code
[INFO] 01/Jun/2023 09:03:20 - Converting classes3.dex to Smali Code
[INFO] 01/Jun/2023 09:03:20 - Converting classes7.dex to Smali Code
[INFO] 01/Jun/2023 09:03:21 - Converting classes6.dex to Smali Code
[INFO] 01/Jun/2023 09:03:21 - Converting classes.dex to Smali Code
[INFO] 01/Jun/2023 09:03:21 - Converting classes13.dex to Smali Code
[INFO] 01/Jun/2023 09:03:21 - Converting classes5.dex to Smali Code
[INFO] 01/Jun/2023 09:03:21 - Converting classes4.dex to Smali Code
[INFO] 01/Jun/2023 09:03:21 - Converting classes2.dex to Smali Code
[INFO] 01/Jun/2023 09:03:21 - Converting classes8.dex to Smali Code
[INFO] 01/Jun/2023 09:03:21 - Converting classes10.dex to Smali Code
[INFO] 01/Jun/2023 09:03:21 - Converting classes12.dex to Smali Code
[INFO] 01/Jun/2023 09:03:21 - Code Analysis Started on - java_source
[2023-06-01 09:04:48 +0000] [56] [WARNING] Worker with pid 3467 was terminated due to signal 9
[2023-06-01 09:04:48 +0000] [4189] [INFO] Booting worker with pid: 4189
[INFO] 01/Jun/2023 09:05:27 -
  __  __       _    ____  _____       _____  __
 |  \/  | ___ | |__/ ___||  ___|_   _|___ / / /_
 | |\/| |/ _ \| '_ \___ \| |_  \ \ / / |_ \| '_ \
 | |  | | (_) | |_) |__) |  _|  \ V / ___) | (_) |
 |_|  |_|\___/|_.__/____/|_|     \_/ |____(_)___/

[INFO] 01/Jun/2023 09:05:27 - Mobile Security Framework v3.6.3 Beta
REST API Key: XXX
[INFO] 01/Jun/2023 09:05:27 - OS: Linux
[INFO] 01/Jun/2023 09:05:27 - Platform: Linux-5.15.90.1-microsoft-standard-WSL2-x86_64-with-glibc2.29
[INFO] 01/Jun/2023 09:05:27 - Dist: ubuntu 20.04 Focal Fossa
[INFO] 01/Jun/2023 09:05:27 - MobSF Basic Environment Check
[INFO] 01/Jun/2023 09:05:28 - Checking for Update.
[INFO] 01/Jun/2023 09:05:28 - No updates available.

@Unkn0wnHunt

I have avoided this problem by modifying the process and triggering an additional submission through the API. This method may only be regarded as a temporary solution, for your reference only.

Are you using it in a Docker environment? Can you give a tutorial on how you did the workaround please? Thanks mate!

@Unkn0wnHunt

Unkn0wnHunt commented Jun 2, 2023

Upon checking some of the past versions of MobSF, the following versions all have the same issue of getting stuck.

  • MobSF v3.6.7 Beta
  • MobSF v3.4.6 Beta
  • MobSF v3.4.3 Beta

Then after trying the version MobSF v3.4.0 Beta it works.

The problem here is I want to use the latest version. I hope this gets fixed soon.

Additional information.

The versions that get stuck stop around the logs below.

[INFO] 02/Jun/2023 06:11:39 - Trackers Database is outdated!
[INFO] 02/Jun/2023 06:11:39 - Updating Trackers Database....
[INFO] 02/Jun/2023 06:11:39 - Detecting Trackers
[INFO] 02/Jun/2023 06:11:40 - APK -> JAVA
[INFO] 02/Jun/2023 06:11:40 - Decompiling to Java with jadx
[INFO] 02/Jun/2023 06:11:49 - DEX -> SMALI
[INFO] 02/Jun/2023 06:11:49 - Converting classes.dex to Smali Code
[INFO] 02/Jun/2023 06:11:49 - Code Analysis Started on - java_source
[INFO] 02/Jun/2023 06:11:53 - Running NIAP Analyzer
[INFO] 02/Jun/2023 06:12:06 - Finished Code Analysis, Email and URL Extraction
[INFO] 02/Jun/2023 06:12:06 - Extracting Strings from APK
[INFO] 02/Jun/2023 06:12:06 - Detecting Firebase URL(s)
[INFO] 02/Jun/2023 06:12:06 - Performing Malware Check on extracted Domains
[INFO] 02/Jun/2023 06:12:07 - Maltrail Database is outdated!
[INFO] 02/Jun/2023 06:12:07 - Updating Maltrail Database
[INFO] 02/Jun/2023 06:12:07 - Connecting to Database
[INFO] 02/Jun/2023 06:12:07 - Saving to Database

@sebastiantia

I have avoided this problem by modifying the process and triggering an additional submission through the API. This method may only be regarded as a temporary solution, for your reference only.

Hey there, I'm hoping you could give some more information about your temporary solution

@Unkn0wnHunt

I have avoided this problem by modifying the process and triggering an additional submission through the API. This method may only be regarded as a temporary solution, for your reference only.

I second that; may we please know what this is? Up to now the issue is still persisting.

@ajinabraham ajinabraham added static analyzer Static Analyzer related android sca Android Static Code Analysis related labels Dec 10, 2023
@kieranlee130

Hi, I'm having the same issue albeit with a few extra steps to reproduce.

Environment:
Ubuntu 22.04.2 LTS (Jammy Jellyfish)
MobSF 3.8.6 Beta

Steps to reproduce:

  1. ./run.sh
  2. Use the static analyzer on an Android apk
  3. Run the dynamic analyzer and inject any Frida scripts
  4. Attempt to use the static analyzer on a different Android apk
  5. Stuck on code analysis

I can fix this temporarily by restarting the MobSF instance.
I was wondering if I am using the tool incorrectly and if there are any steps that I have to do after running the Frida scripts in the dynamic analysis before I can use the static analyzer on a separate file.

@ajinabraham
Member

This is unrelated. The code analysis being stuck is probably due to a regex DoS/catastrophic backtracking from one of the SAST rules.

@ajinabraham
Member

Can folks share problematic APKs here so that we can take a look at the files and the rules causing the issue?

@luk0y

luk0y commented Dec 18, 2023

Got the same issue while doing the static analysis. I uploaded myjio apk version 7.0.55 and got stuck at the same point

(Downloaded the apk from apkmirror)

I'm currently on MobSF v3.7.6

Tried on Docker (it took a lot of time on Docker for jadx and a jadx timeout error was thrown) and got stuck at Code Analysis Started on - java_source

Tried on bare metal (Windows 11 Home). It also got stuck (but no jadx timeout error was thrown)

@EvilWatermelon

EvilWatermelon commented Jan 11, 2024

It worked on the latest Signal APK on v3.9.2 Beta on Docker. Downloaded the APK from apkpure.net

@HackJJ
Contributor

HackJJ commented Jan 16, 2024

Make sure the apk is all lowercase and alphanumeric characters, maybe even just 3 letters e.g. app.apk and test. I found when it didn't work, renaming it fixed it 99.99% of the time

@2008shivamjha

2008shivamjha commented Mar 12, 2024

My whole system got stuck when I tried to upload a large APK for static analysis. Please provide me some solution for the same.

@ajinabraham
Member

Probably unavoidable, will consider adding a timeout by default.

@ohyeah521
Contributor

I tested it, and it has something to do with the machine configuration. If the memory is 128G or more, there will be no problem. Most of the freezes are because the memory is exhausted.

@ohyeah521
Contributor

Another situation is that the Java code generated by decompiling some APKs ends up in the same file, resulting in a single Java source file of 2-10M, so it gets stuck there during regular expression matching.
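The two failure modes raised in this thread, a SAST rule that backtracks catastrophically on one file and decompiled source files so large that matching never returns, are what a per-rule hard timeout and a file-size guard (the default timeout the maintainer says he will consider) defend against. The following is an added example in Python, the language MobSF is written in; it is not MobSF's or libsast's code, and the rule names, regex patterns, size limit, timeout value and sample "decompiled" sources are all constructed for illustration. The hypothetical `risky_nested_quantifier` rule is shaped like the rules that cause the hang, so the example shows the scan surviving it.

```python
"""Added example (not MobSF's own code): a regex scan over decompiled source
that cannot be hung by one pathological rule or one oversized file."""
import multiprocessing as mp
import re
from typing import Dict, List, Tuple

# Constructed rule set in the shape "rule name -> regex". The last rule has a
# nested quantifier, the classic catastrophic-backtracking shape, standing in
# for the kind of SAST rule that can hang on unusual decompiler output.
RULES: Dict[str, str] = {
    "hardcoded_password": r'(?i)password\s*=\s*"[^"]+"',
    "http_url": r"http://[A-Za-z0-9./_-]+",
    "risky_nested_quantifier": r"^(a+)+$",
}

# Constructed limits: skip a decompiled file above this size instead of trying
# to match it, and give each (rule, file) pair a hard wall-clock budget.
MAX_FILE_BYTES = 2 * 1024 * 1024
RULE_TIMEOUT_SEC = 0.5


def _run_rule(pattern: str, text: str, conn) -> None:
    """Child-process body: apply one rule and send back the matched text."""
    hits = [m.group(0) for m in re.finditer(pattern, text, re.MULTILINE)]
    conn.send(hits)
    conn.close()


def scan_with_timeout(pattern: str, text: str,
                      timeout: float = RULE_TIMEOUT_SEC) -> Tuple[List[str], bool]:
    """Run one rule over one file in a child process and kill it on timeout.

    Python's re module has no timeout, and a regex stuck in backtracking never
    yields to the interpreter, so the deadline is enforced from outside the
    worker. Returns (hits, timed_out).
    """
    # Assumes a POSIX host where the fork start method exists; falls back to
    # the platform default otherwise.
    methods = mp.get_all_start_methods()
    ctx = mp.get_context("fork" if "fork" in methods else None)
    parent_conn, child_conn = ctx.Pipe(duplex=False)
    proc = ctx.Process(target=_run_rule, args=(pattern, text, child_conn))
    proc.start()
    child_conn.close()
    if parent_conn.poll(timeout):          # result (or EOF) arrived in time
        try:
            hits = parent_conn.recv()
        except EOFError:                   # worker died without sending
            hits = []
        proc.join()
        return hits, False
    proc.kill()                            # still matching after the deadline
    proc.join()
    return [], True


def scan_sources(files: Dict[str, str], rules: Dict[str, str] = RULES) -> dict:
    """Scan {file name: source text}; report findings, skipped and timed-out work."""
    report = {"findings": [], "skipped_oversized": [], "timed_out": []}
    for name, text in files.items():
        if len(text.encode("utf-8")) > MAX_FILE_BYTES:
            report["skipped_oversized"].append(name)
            continue
        for rule, pattern in rules.items():
            hits, timed_out = scan_with_timeout(pattern, text)
            if timed_out:
                report["timed_out"].append((rule, name))
            report["findings"].extend((rule, name, hit) for hit in hits)
    return report


# Constructed sample "decompiled" sources (not taken from any real APK).
SAMPLE_SOURCES: Dict[str, str] = {
    "Config.java": (
        "class Config {\n"
        '    String password = "hunter2";\n'
        '    String api = "http://example.com/api";\n'
        "}\n"
    ),
    # One long run of a's followed by "!" makes ^(a+)+$ backtrack exponentially.
    "Obfuscated.java": "a" * 40 + "!\n",
    # About 3.3 MB, inside the 2-10M range reported in the thread.
    "Huge.java": "int x = 0;\n" * 300_000,
}

if __name__ == "__main__":
    for key, rows in scan_sources(SAMPLE_SOURCES).items():
        print(key, rows)
```

Running the block reports the two real findings from `Config.java`, `Huge.java` under `skipped_oversized`, and `("risky_nested_quantifier", "Obfuscated.java")` under `timed_out` after about half a second instead of hanging the worker; in a gunicorn deployment like the ones logged above, that is the difference between one skipped rule and the whole worker being killed with signal 9 and the scan restarting from scratch.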
