v4.3.0 Changelog
Features or Enhancements
- Added django-q2-based asynchronous scans for Android and iOS binaries and source code
- Async analysis REST API support & Docs
- Unified async scan timeout
- Allow incomplete scan delete after async scan timeout duration
- Added support for Android SBOM analysis
- Added Anti-analysis bypasses
- Handle packed APKs, refactor unzip to handle malformed APK files
- Handle reserved filename conflict during ZIP extraction
- Fixed permissions of extracted files to counter anti-analysis techniques
- JADX fallback to DEX files on APK decompilation failure
- apktool fallback to androguard for AndroidManifest.xml extraction
- Resolved APK parsing errors in androguard
- apksigner.jar fallback to apksigtool/androguard for signature version extraction
- Added explicit timeout for all HTTP requests
- Support proxy for all HTTPS calls
- Optimize jadx download, support system proxy
- Replaced Quark with Behaviour Analysis using ported quark rules
- Add support for pulling split apks from Android Dynamic Analyzer
- Add support for sample download in recent scans.
- Support custom home directory from environment variables
- Reduce iOS binary findings severity to warning from high
- QA on docker-compose, added example nginx config
- Added docker-compose_swarm.yml and docker secrets support by @antonkap
- IPA PNG Uncrush support for Windows and Linux
- Automatically handle https upgrade for http urls in Android Assetlinks check
- APKID QA.
- Bash and Batch file script QA.
- Android Report template optimizations on how exported components are displayed.
- Clickable Android Activities, Services, Providers, and Receivers
- Updated Android version support to 11.0 for Android Studio AVD
- Created helper scripts for AVDs: scripts/start_avd.sh and scripts/start_avd.ps1
- Added malware lookup using SHA2 with VirusTotal, Triage, Hybrid Analysis, and MetaDefender
- Optimized APK ZIP analysis for improved performance
- Fixed untar permission errors in dynamic analysis
- Added bypass for SSL pinning in Boye's AbstractVerifier
- Updated bypass for SSL pinning in Appmattus's CertificateTransparencyInterceptor
- Introduced SSL pinning detector script
- Improved Frida intent dumper script
- Added Frida intent tracer script
- Enabled asynchronous scans in Docker Compose setup
- Performed QA for Android and iOS SAST modules
- Added Frida script for audit-webview
- Introduced Frida script for trace-javascript-interface
- Upgraded libsast for improved file reading, multiprocessing, and multithreading
- Fixed PNG crush issues on Darwin systems
- Performed QA on the home screen UI
- Updated httptools and libsast dependencies
- Improvements in scan queue
- Added a robots.txt
- Code QA untar permissions
- Added and updated permission mapping rules
- Handle errors gracefully from get_app_name and icon_analysis
- Add new scans in tasks view without needing an explicit refresh
- Optimizing downloads, adding downloads for source code types and windows appx
- Androguard, ApkInspector code bump
- Patch Androguard AXML to log a warning on the parse error "reserved must be zero!" instead of raising
- Fallback on get app name when androguard returns empty string
- Bump to google fork of baksmali 3.0.8
- IPA: Graceful handling of plist dump exception
- Dockerfile QA
- Add sdk-build-tools to Docker image
- Replace biplist with plistlib std lib
- Added support for APK parsing with aapt2/aapt
- Use aapt/aapt2 as a fallback for APK parsing, files listing and string extraction
- Tasks List API to return string status
- Replaced all minidom calls with defusedxml.minidom
- Code QA on android manifest data extraction and parsing
- Improved android file analysis
- Improved android manifest data extraction
- Improved android icon file extraction
- Improved android app name extraction
- Improved android appstore package details extraction
- Android string extraction to fallback on aapt2 strings
- APK analysis arguments refactor
- Explicit Zipslip handling during ZIP extraction
- Graceful files extraction on unzip failure
- Removed bail-out so that analysis continues
- Moved androguard parsing to the start of static analysis
- AndroidManifest.xml fallback from apktool to androguard during extraction and parsing
- Updated Tasks UI to show started at
- Save only unique intent priorities in findings
- Add files list in scorecard description
Bug Fixes
- Bug fix in firebase analysis
- Fixed bug in certificate analysis.
- Fix TOCTOU in delete scans view
- Bug fix in enqueue model schema
- Bug Fix in app_dict init.
- Fixed a bug in iOS pbxproj parsing
- Fixed a bug executing setup.sh script in python venv
What's Changed
- [HOTFIX] + Features by @ajinabraham in #2444
- 4.1.5 by @ajinabraham in #2445
- Add support for pulling split apks, Fixes #2271 by @ajinabraham in #2446
- docker compose QA, explicit requests timeout by @ajinabraham in #2447
- 4.1.8 by @ajinabraham in #2448
- 4.1.9 by @ajinabraham in #2449
- 4.2.0 by @ajinabraham in #2450
- 4.2.1 by @ajinabraham in #2451
- 4.2.2 by @ajinabraham in #2452
- [4.2.3] Update status on task timeout by @ajinabraham in #2454
- [4.2.4] Async analysis REST API support, fix timeout handle function, Qa by @ajinabraham in #2456
- 4.2.5 by @ajinabraham in #2457
- 4.2.6 by @ajinabraham in #2459
- [4.2.7] Androguard & ApkInspector Bump + Patch AXMLParsing by @ajinabraham in #2461
- [4.2.7] Updates by @ajinabraham in #2462
- [4.2.8] Multiple APK Analysis improvements, general Code QA & bug fixes by @ajinabraham in #2470
- Save only unique intent priorities in findings by @dmarushkin in #2474
- Add files list in scorecard desc by @dmarushkin in #2473
- Byte snipers patch 2 by @ajinabraham in #2477
- Nick lupien nick lupien/fix fps manifest analysis by @ajinabraham in #2484
New Contributors
- @dmarushkin made their first contribution in #2474
- @nick-lupien made contribution in #2484
- @ByteSnipers made contribution in #2477
Full Changelog: v4.1.3...v4.3.0