[ ] pending · [~] in progress · [x] completed
- GitHub Search with token — the current HTML scraping fails without login. Read
GITHUB_TOKENfrom the environment and use the REST code search API; fall back to scraping as a fallback. - BuildConfig secrets in the PDF — extracted internally but not shown in the report. Add a subsection in
_osint_section.
- iOS / IPA support — download with
ipatool, static Mach-O analysis withjtool2/class-dump, secrets in.plist/.strings,Info.plistanalysis (permissions, ATS), jailbreak check detection. MVP static only; dynamic requires jailbreak.
- Differentiate runtime bypass vs DEX extraction in reports — The current verdict only distinguishes
PROTECTEDfromPROTECTION BROKEN, wherePROTECTION BROKENrequires a successful in-memory DEX dump (dex_count > 0). This is misleading: the FridaAgent can bypass all anti-root protections and run the app on a rooted device without ever dumping DEX (e.g. apps with aggressive native anti-root that kill the process before FART hooks run). Proposed fix — two independent verdicts:- Static protection (
PROTECTED/UNPROTECTED): driven by the existing static detectors. - Dynamic analysis (
BYPASS CONFIRMED/DEX EXTRACTED/NOT ATTEMPTED): fed by the FridaAgent result (report_success) and the FART/dexdump pipeline respectively. Implementation touch-points:
- Add
aipwn_bypass_confirmed: boolfield toAnalysisResult(set byaipwn.pyafterreport_success). - Change
build_masvs_report()inmasvs.py: replacebypass_confirmed = analysis.protection_brokenwithbypass_confirmed = analysis.protection_broken or analysis.aipwn_bypass_confirmed. This makesMASVS-RESILIENCE-*controls flip tobypassstatus and apply the_BYPASS_PENALTYeven when DEX extraction failed. - Update
reporter.pyto show a separate dynamic analysis banner alongside the static verdict. - Update the PDF report with a new dynamic analysis section.
- Static protection (
- Split
vuln_scanner.py— 1400+ lines with three responsibilities. Split intoscan_types.py(dataclasses),vuln_scanner.py(regex + semgrep) andleak_scanner.py(apkleaks, gitleaks). Do this before adding new leak sources or porting to Go. - Port secret scanner to Go —
string_extractor.pyand the HC* rules are the slowest steps. Go binarynutcracker-stringsthat takes a directory and patterns and returns JSON. Python invokes it as a subprocess, the same way it does semgrep. Prerequisite: split modules first.