MobSF static analysis

[francopettinari]

Android application type

Classic Xamarin.Android (MonoAndroid12.0, etc.)

Affected platform version

VS Professional 2022 Version 17.6.4 Xamarin 17.6.0.251 Xamarin.Adroid 13.2.0.6

Description

We received a Security Report by one of our customers where some vulnerabilities are detected.
I already found a similar issue #6258
but executing the command I now receive a different result:

$ readelf -S libxamarin-app.so
There are 17 section headers, starting at offset 0x12cb4:

Section Headers:
  [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
  [ 0]                   NULL            00000000 000000 000000 00      0   0  0
  [ 1] .note.gnu.bu[...] NOTE            00000174 000174 000018 00   A  0   0  4
  [ 2] .dynsym           DYNSYM          0000018c 00018c 0001b0 10   A  5   1  4
  [ 3] .gnu.hash         GNU_HASH        0000033c 00033c 0000d0 00   A  2   0  4
  [ 4] .hash             HASH            0000040c 00040c 0000e0 04   A  2   0  4
  [ 5] .dynstr           STRTAB          000004ec 0004ec 000232 00   A  0   0  1
  [ 6] .rel.dyn          REL             00000720 000720 0020f8 08   A  2   0  4
  [ 7] .ARM.exidx        ARM_EXIDX       00002818 002818 000010 00  AL  9   0  4
  [ 8] .rodata           PROGBITS        00002828 002828 00ebc8 00   A  0   0  8
  [ 9] .text             PROGBITS        000213f0 0113f0 00000c 00  AX  0   0  4
  [10] .data.rel.ro      PROGBITS        00031400 011400 000ee8 00  WA  0   0  8
  [11] .dynamic          DYNAMIC         000322e8 0122e8 000060 08  WA  5   0  4
  [12] .data             PROGBITS        00042348 012348 000830 00  WA  0   0  8
  [13] .bss              NOBITS          00042b78 012b78 17123dc 00  WA  0   0  4
  [14] .comment          PROGBITS        00000000 012b78 000064 01  MS  0   0  1
  [15] .ARM.attributes   ARM_ATTRIBUTES  00000000 012bdc 00003c 00      0   0  1
  [16] .shstrtab         STRTAB          00000000 012c18 00009a 00      0   0  1

in this case I have a text sectin marked with an X flag.

How should I handle this report?
Is the tool still reporting false positive?
Can you help me in giving back an answer ?

Thanks in advance,
Frank

Steps to Reproduce

execute static analysis

Did you find any workaround?

No response

Relevant log output

No response

[grendello]

@francopettinari The answer from #6258 still stands, the .text section is there but it doesn't have any code we call at this point. Out of curiosity, could you share the report you got?

[francopettinari]

@grendello Here is the report.
I edited and cutted off the not relevant parts and left only the shared libraries part.

mobsf_report_cut.pdf

[francopettinari]

@grendello I'm not an expert of this argument, so I just ask confirmation: readelf is reporting that text section is executable, but no calls to this point exists. Do this means that it is not a vulnerability because no malitious executable code can land in that part of memory?

[grendello]

@francopettinari I've just taken a look at the report and, alas, it's incorrect again. The checks from that tool are a bit simplified and they don't analyze the binary sufficiently. For instance, the flag about the code not being fortified is, essentially, incorect as we do compile all and any code with fortification enabled, but not all functions will get (or need) it. So it's entirely possible that code in a binary has no stack fortification markers and is yet perfectly fine. This is the case with the current version of libxamarin-app.so.

To answer your question above: yes, it's safe and not a danger in any shape or form. Also, please note that the .text section must be executable, or otherwise the CPU wouldn't be allowed to call any code in it. So the X bit in there is expected and, in and of itself, not a danger whatsoever.

[jpobst]

With support for Classic Xamarin.Android ended May 1st, 2024, this issue is likely no longer relevant.

If this still persists in .NET 8+, please open a new issue with updated information based on net8.0-android or greater. Please include a link to this issue for context.