--- title: "How to find Bugs in Android application Using Semgrep" date: 2019-09-03 pubtype: "Blog" featured: true description: "In this Blog I will tell explain you how to find the Security Flaws in Android Application " tags: ["Semgrep","Mobile","Automation"] weight: 400 sitemap: priority : 0.8 --- Hello, Friends Hope you are all staying safe and Happy. Its been a long time I wrote the blog Finally I am able to kick my lazy ass and sit down to write the blog So I am a big fan of Android Security In my free time I used to read and do Some research around Android Security Even my first Blog is about [Android-Security](https://www.joshuajebaraj.com/publications/how-do-i-automate-the-enviroment-setup-for-android-pentesting-using-simple-bash-scripts/) But I want to automate the Security Scanner that able to pick up the most common Security Flaws So I ended up having two choices - Use the Pre-made Tool like [Mobsf](https://github.com/MobSF/Mobile-Security-Framework-MobSF) which is a great tool which I suggest must checkout - Create your own tool So I ended Selecting the Second option So the biggest problem is writing a custom Scanner for Black Box Testing in Android is You will not get the same source code as written due to obfuscation Let's see the example What I meant So you wrote the pattern to match the code ``` java WebView.setWebContentsDebuggingEnabled(true); ``` You write the rule in any other existing tool or use the grep to find the above code it will able to find the code but the problem is due to obfuscation the code will not be the same as above this could be changed like ``` java ew.setWebContentsDebuggingEnabled(true); ``` Now When we try to run the tool again or grep again the tool couldn't able to find the code due to obfuscation  Here Comes the [Semgrep](https://github.com/returntocorp/semgrep) into play Before gets into the detail lets see a quick glance about the `Semgrep` According to the Official Docs ``` Lightweight static analysis for many languages. Find and block bug variants with rules that look like source code. ``` Here are the few ways that Semgrep more has an advantage over another too - Easy to Install All you need is `pip3` installed in your System You can Install Semgrep by typing the below command ``` bash pip3 install semgrep ``` - Supports Multiple Language like Python, JavaScript, Java,Go - Can be easily Integrate into CI/CD pipeline - Has Registry with Predefined Rules So Without Getting the time wasted let's get started For the hands-on part, I am going to use the [Semgrep-Live-editor](https://semgrep.dev/editor) which allow me to write the rules on the fly You can either test your rules here like I do or you could test locally with the **semgrep-cli** tool that Installed using pip Let's try to understand the various components in creating the rules Below is the rules look like in the semgrep This rule looks for the `System.out.println("Hello")` in the hello world-program ``` yaml rules: - id: Hello-world metadata: author: Joshua message: | System.out.println Found patterns: - pattern: System.out.println("Hello"); severity: WARNING languages: - java ``` lets try to understand the above yaml - id - Here we specify the id of the rule - metadata - Here we can specify the additionalInformation - message - Here we specify the message to be shown on pattern match - pattern - Here we specify the pattern to be matched - severity - Here we specify the severity - languages - Here we specify the language Copy and paste the above YAML in the `semgrep-rule` field and put the hello-world code in the `Test-code` Field and click **RUN**  Ya we have successfully wrote our first rule So let's get started To give a quick heads up this blog is more focused on the tool rather than the vulnerabilities So I will not be covering explaining the vulnerability The First vulnerability that we are going to find is Debug mode was enabled in the web view of the Android application This is What the Code look like in the plain java for the above vulnerability ``` java WebView.setWebContentsDebuggingEnabled(true); ``` The problem here is on reversing the android application the the `Webview` can become obfuscated Let's see how we can solve with semgrep We are going to use one of the feature of Semgrep called **Metavarialble** . Metavariable is the variable which is replaced by any variable in the runtime Below is the semgrep pattern that we are going to use ``` $RUNTIME.setWebContentsDebuggingEnabled(true); ```  You could See the Semgrep could able to find the matching pattern Lets try to replace the Webview with another value  You could See Its successfully able to find out that right Lets See What are the other thing that Semgrep Got us to offer The next vulnerability that we are going to cover was Insecure Logging This is What the Code look like in the plain java ``` java Log.e("Hello") ``` ``` java Log.e("Tag","Hello From Tag") ``` The Problem with this code is the Tag parameter is optional so there may be code with or without tag This is where ellipsis operator comes into play ellipsis operator allow us to match 0 or more argument Below is the semgrep pattern that we are going to use ``` yaml Log.e(...) ``` Lets try to match the code without tag  You could see its successfully able to find the pattern Lets try with log function with tag flag  By default, Semgrep uses **and** operator but in a certain situation, we want to perform **or** operation that matches either one of the pattern To achieve that semgrep provide `pattern-either` option where the semgrep will perform or operation let's take the example you want to find the hardcoded-secret the variable name could be pass or password The Semgrep should match any one of the variables > Note to follow the further exercises you have to switch to the `Advanced` tab in the website  It could able to find the pattern Lets try to replace the variable name with pass  Sometimes you want to filter out the patterns that you are not looking in that situation you can use **pattern-not** Let's take the first example Instead of matching all Log message you want to match the log message which is not info log (Note: we are assuming here the Log.info doesn't have any sensitive info In real-world It may vary) ``` java Log.e("Hello"); // this should be matched Log.i("Hello Info); // this shouldn't be matched ``` Let's try to create the pattern with less **pattern-not** flag ``` yaml rules: - id: Log Message patterns: - pattern: | Log.$RUNTIME(...); - pattern-not: | Log.i(...); message: | Semgrep found a match severity: WARNING ```  You could see its matching all other patterns than `Log.i` .This way you could write the rules to find the bugs in the Android application There are many features that Semgrep offers In my blog I cover few features If you are interested more I high Recommend you to check out the resources in the reference section and I highly recommend you to join the Official Slack Channel [here](http://r2c.dev/slack) If you have any questions or feedback feel free to reach out to me on [Twitter](https://twitter.com/joshva_jebaraj?lang=en) Thanks for reading Have a nice day ## References - [Semgrep-Docs](https://semgrep.dev/) - [Semgrep A Practical Introduction](https://notsosecure.com/semgrep-a-practical-introduction/) - [Semgrep presentation by r2c at Bay Area OWASP Meetup](https://www.youtube.com/watch?v=pul1bRIOYc8) - [Mobsf-rules](https://github.com/MobSF/Mobile-Security-Framework-MobSF/blob/master/StaticAnalyzer/views/android/rules/android_rules.yaml) - [Semgrep-Learning](https://semgrep.dev/learn)