Added mastf files

+ docker compose services
+ certificate for HTTPS is missing

.env

@@ -0,0 +1,93 @@
+# This environment file will store all necessary information to
+# be able run the web instance. Note that this file may contain
+# the secret key for Django and locations for SSL certificates.
+#
+# If you're running PostgreSQL, make sure to include necessary
+# environment variables to access the database.
+
+# For more information about environment variables with docker, visit
+# https://docs.docker.com/compose/environment-variables/env-file/
+
+# -- Django-Configuration ----------------------------------------------------
+# Control whether the web instance should be running in debug mode to provide
+# detailed exception description.
+DJANGO_DEBUG=1
+
+# Specify your django secret key here.
+DJANGO_SECRET_KEY="%PUT YOUR OWN KEY HERE%"
+
+# Make sure to edit the allowed host variable to specify which host should be
+# able to connect to your web instance. Sperate them with : to add multiple
+# hosts.
+DJANGO_ALLOWED_HOSTS=*
+
+# IMPORTANT: Configure the trusted hosts if you are using a reverse proxy
+# like nginx. Replace hostnames of the given URLs to match your own ones.
+DJANGO_CSRF_TRUSTED_ORIGINS=https://localhost:8443|https://127.0.0.1:8443
+
+# Use this configuration to control whether django should remove active sessions
+# when the browser is closed.
+DJANGO_SESSION_EXPIRE_AT_BROWSER_CLOSE=1
+
+# Control the TTL of a session cookie default will be 3600s = 1h
+DJANGO_SESSION_COOKIE_AGE=3600
+
+# Control whether you want to start your instance with HTTPS
+DJANGO_HTTPS=True
+
+# The storage URL where all project data should be saved separately. Note the
+# trailing ``/`` that is needed by Django. Remove this connfiguration if you work locally.
+DJANGO_STORAGE_URL="/app_storage/"
+
+# Same as described in DJANGO_STORAGE_URL without traling slash.
+DJANGO_STORAGE_ROOT="/app_storage"
+
+# The port django should be served on.
+DJANGO_PORT=8000
+
+# -- Database-Configuration --------------------------------------------------
+# Configure database connection variables. Note that you can remove the
+# following lines to use a local SQLite database.
+DB_ENGINE=django.db.backends.postgresql
+DB_DATABASE=mastf_backend_db
+DB_USER=mastf_django
+DB_PASSWORD=supersecretpassword
+
+POSTGRES_USER=${DB_USER}
+POSTGRES_PASSWORD=${DB_PASSWORD}
+POSTGRES_DB=${DB_DATABASE}
+
+# Important configuration that is used to connect to the database. Insert
+# your database backend hostname here.
+DB_HOST=backend-db
+DB_PORT=5432
+
+# -- Celery-Configuration ----------------------------------------------------
+# TODO: SSL config for Redis
+CELERY_BROKER_URL="redis://redis:6379/0"
+CELERY_RESULT_BACKEND="redis://redis:6379/0"
+CELERY_DEBUG_LEVEL=DEBUG
+
+# -- MASTF-Configuration ----------------------------------------------------
+MASTF_API_ONLY=0
+
+# -- YARA-Configuration ----------------------------------------------------
+YARA_BASE_DIR="/yss"
+YARA_RULES_DIR="/app/yara/rules"
+
+YSS_LOGGING_CONFIG="/app/yara/logging.ini"
+
+# -- Nginx-Configuration ----------------------------------------------------
+NGINX_HTTP_PORT=8080
+NGINX_HTTPS_PORT=8443
+
+# -- Tools-Configuration ----------------------------------------------------
+APKTOOL_VERSION="2.5.0"
+DEX2JAR_VERSION="1.2"
+
+LIBSCOUT_PROFILES_DIR="/app/profiles"
+LIBSCOUT_ANDROID_JAR="/app/plugins/android.jar"
+
+# -- Swift-Configuration ----------------------------------------------------
+SWIFTSRV_HOST="0.0.0.0"
+SWIFTSRV_PORT=1289

README.md

@@ -0,0 +1,67 @@
+# Mobile Application Security Testing Framework (MAST-F) for iOS and Android
+
+[![python](https://img.shields.io/badge/python-3.12+-blue.svg?logo=python&labelColor=grey)](https://www.python.org/downloads/)
+![Version](https://img.shields.io:/static/v1?label=Version&message=2024.1+(0.0.2-a0)&color=teal)
+![Status](https://img.shields.io:/static/v1?label=Status&message=Alpha&color=lightgrey)
+![Platform](https://img.shields.io:/static/v1?label=Docker&message=v23.0.5&color=blue&logo=docker)
+![Codestyle](https://img.shields.io:/static/v1?label=Codestyle&message=black&color=black)
+![License](https://img.shields.io:/static/v1?label=License&message=GNU-GPLv3&color=blue)
+[![pages-build-deployment](https://github.com/MASTFramework/mastf/actions/workflows/pages/pages-build-deployment/badge.svg)](https://mast-framework.github.io/MAST-F/)
+
+<a href="https://github.com/MASTFramework">
+<img src="https://github.com/MASTFramework/.github/blob/master/profile/logo.svg" alt="" height="180px" align="right" />
+</a>
+
+MAST-F is a comprehensive Mobile Application Security Testing Framework designed to test the security of iOS and Android mobile applications. It provides a wide range of tools and features to identify vulnerabilities and weaknesses in mobile apps, helping developers and security professionals ensure the robustness and integrity of their applications.
+
+> **This software is in *alpha* status and is NOT stable. It is intended for testing purposes only. Please use with caution and expect bugs and frequent changes.**
+
+## Documentation & Help
+
+The documentation for MAST-F is available on [Github-Pages](https://mast-framework.github.io/MAST-F/). It contains detailed information about the framework, its usage, configuration options, and various testing techniques. We highly recommend referring to the documentation to get started with MAST-F. Please visit the [Discussions](https://github.com/orgs/MAST-Framework/discussions) tab to ask questions or get help.
+
+## Key Features
+
++ **User Management**: MAST-F provides user management functionality with different roles. This allows for secure access and control over the framework's features and capabilities based on user privileges.
+
+    ![User-Management-Preview](/docs/source/intro/images/user-management.png)
+
++ **Distributed Scan Tasks**: The framework supports the distribution of scan tasks across multiple machines or devices. This allows for efficient and faster scanning of mobile applications, reducing the overall testing time.
+
++ **Multiple Scans at a Time**: MAST-F enables the execution of multiple scans simultaneously using the [Celery](https://docs.celeryq.dev/en/stable/getting-started/introduction.html) framework. This feature enhances productivity by allowing users to test multiple mobile applications concurrently.
+
+    ![Scan-Preview](docs/source/intro/images/scan-preview.png)
+
++ **Analysis for Android and** `[proposed]` **iOS Apps**: The framework supports comprehensive security analysis for both Android and iOS applications. It includes a range of techniques and tools specific to each platform, ensuring thorough testing and identification of vulnerabilities.
+
++ `[proposed]` **Export to PDF using Pre-defined Templates**: MAST-F offers the ability to export scan reports to PDF format. It provides pre-defined templates based on Word or HTML, allowing users to generate professional and standardized reports for their security assessments.
+
++ **Visual Comfort**: With DarkMode support, MAST-F transforms its interface into a visually soothing dark theme, reducing the glare emitted by traditional light interfaces.
+
+    ![DarkMode-Preview](docs/source/intro/images/darkmode-preview.png)
+
++ **Support for Project Bundling**: The framework includes support for bundling multiple projects together. This feature enables users to create a bundle of related projects, providing a centralized view for more in-depth analytics and reporting.
+
+These key features make MAST-F a versatile and powerful Mobile Application Security Testing Framework, facilitating effective testing, analysis, and reporting of security vulnerabilities in iOS and Android applications.
+
+## Project Architecture
+
+![Project Architecture](docs/source/_static/arch.png)
+
+The above diagram provides an overview of the MAST-F project architecture. It showcases the different components and their interactions within the framework.
+
+## Setup
+
+To set up MAST-F, please follow the instructions provided in the documentation on [Github Pages](https://mast-framework.github.io/MAST-F/). The setup process involves configuring the required dependencies and performing necessary configurations before running the containers. You can find the setup commands and detailed guidelines on the documentation page.
+
+## Contributing and Questions
+
+We welcome contributions from the community to improve MAST-F. If you have any questions, suggestions, or bug reports, please visit the [Discussion](https://github.com/orgs/MAST-Framework/discussions) tab in the repository. Feel free to engage in discussions, ask questions, and share your experiences with the framework.
+
+## Reporting Security Issues
+
+If you discover any security vulnerabilities or issues in MAST-F, please report them to us immediately. You can submit security-related concerns or vulnerabilities by sending an email to [security-mastf[at]proton.me](mailto:security[at]mast-framework.com). We appreciate your responsible disclosure and will address the issues as quickly as possible.
+
+## License
+
+MAST-F is licensed under the GNU General Public License version 3 (GNU GPLv3). For more details, please refer to the [LICENSE](LICENSE) file in this repository.

compose/local/django/Dockerfile

@@ -0,0 +1,47 @@
+FROM python:3.12.2-slim
+
+# Ensures the python output i.e. the stdout and stderr streams are sent to
+# terminal without being first buffered and that you can see the output of
+# this application (e.g. django logs) in real time.
+ENV PYTHONUNBUFFERED 1
+
+# If this is set to a non-empty string, Python won’t try to write .pyc files
+# on the import of source modules.
+ENV PYTHONDONTWRITEBYTECODE 1
+
+# Update the container and install all necessary dependencies
+RUN apt-get update \
+    # dependencies for building and installing Python packages
+    && apt-get install -y build-essential git \
+    # postgresql dependencies - comment out if you don't use postgresql
+    && apt-get install -y libpq-dev libssl-dev \
+    # cleanup unused files
+    && apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false \
+    && rm -rf /var/lib/apt/lists/*
+
+
+# Ensure all project dependencies are installed correctly
+COPY ./requirements.txt /requirements.txt
+RUN pip install --upgrade pip && pip install -r /requirements.txt
+
+COPY ./compose/local/django/entrypoint /django_entrypoint
+# Note that we have to convert Windows line endings to UNIX line endings
+RUN sed -i 's/\r$//g' /django_entrypoint
+RUN chmod +x /django_entrypoint
+
+# Copy and setup the web instance start script
+COPY ./compose/local/django/start /start
+RUN sed -i 's/\r$//g' /start
+RUN chmod +x /start
+
+# TODO: add file exclusion rules
+COPY ./mastf /app/mastf
+COPY ./yara /app/yara
+COPY ./docs /app/docs
+COPY ./manage.py /app
+# COPY . /app
+
+# Specify the working directory where we access our files at runtime
+WORKDIR /app
+
+ENTRYPOINT [ "/django_entrypoint" ]

compose/local/django/celery/Dockerfile

@@ -0,0 +1,83 @@
+FROM python:3.12.2-slim
+
+# Ensures the python output i.e. the stdout and stderr streams are sent to
+# terminal without being first buffered and that you can see the output of
+# this application (e.g. django logs) in real time.
+ENV PYTHONUNBUFFERED 1
+
+# If this is set to a non-empty string, Python won’t try to write .pyc files
+# on the import of source modules.
+ENV PYTHONDONTWRITEBYTECODE 1
+
+# Update the container and install all necessary dependencies
+RUN apt-get update \
+    && apt-get install -y file git \
+    # dependencies for building and installing Python packages
+    && apt-get install -y build-essential \
+    # postgresql dependencies - comment out if you don't use postgresql
+    && apt-get install -y libpq-dev libssl-dev \
+    # Install Java
+    && apt-get install -y default-jre-headless unzip wget \
+    && apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false \
+    && rm -rf /var/lib/apt/lists/* /var/cache/apt/archives/*
+
+
+# Download and install Dex2jar
+ENV DEX2JAR_VERSION="2.1"
+RUN wget https://github.com/pxb1988/dex2jar/releases/download/v${DEX2JAR_VERSION}/dex2jar-${DEX2JAR_VERSION}.zip \
+    && unzip dex2jar-${DEX2JAR_VERSION}.zip -d /opt \
+    && chmod +x /opt/dex-tools-${DEX2JAR_VERSION}/d2j-* \
+    && rm dex2jar-${DEX2JAR_VERSION}.zip
+
+# Download and install Apktool
+ENV APKTOOL_VERSION="2.9.3"
+RUN wget https://github.com/iBotPeaches/Apktool/releases/download/v${APKTOOL_VERSION}/apktool_${APKTOOL_VERSION}.jar -O /usr/local/bin/apktool.jar \
+    && wget https://raw.githubusercontent.com/iBotPeaches/Apktool/master/scripts/linux/apktool -O /usr/local/bin/apktool \
+    && chmod +x /usr/local/bin/apktool \
+    && chmod +x /usr/local/bin/apktool.jar
+
+ENV JADX_VERSION="1.4.7"
+RUN wget -O jadx.zip https://github.com/skylot/jadx/releases/download/v${JADX_VERSION}/jadx-${JADX_VERSION}.zip \
+    && unzip jadx.zip -d "/opt/jadx-${JADX_VERSION}" \
+    && chmod +x "/opt/jadx-${JADX_VERSION}/bin/jadx" \
+    && rm jadx.zip
+
+# Set environment variables
+ENV PATH="/opt/dex-tools-${DEX2JAR_VERSION}:/opt/jadx-${JADX_VERSION}/bin:${PATH}"
+
+# Ensure all project dependencies are installed correctly
+COPY ./requirements.txt /requirements.txt
+RUN pip install --upgrade pip && pip install -r /requirements.txt
+
+COPY ./compose/local/django/entrypoint /django_entrypoint
+# Note that we have to convert Windows line endings to UNIX line endings
+RUN sed -i 's/\r$//g' /django_entrypoint
+RUN chmod +x /django_entrypoint
+
+# In order to apply this Dockerfile to our Celery worker and Celery beat
+# containers, we have to setup their startup script:
+COPY ./compose/local/django/celery/worker/start /start_celery_worker
+RUN sed -i 's/\r$//g' /start_celery_worker
+RUN chmod +x /start_celery_worker
+
+COPY ./compose/local/django/celery/beat/start /start_celery_beat
+RUN sed -i 's/\r$//g' /start_celery_beat
+RUN chmod +x /start_celery_beat
+
+# Setup semgrep rules for iOS and Android
+RUN mkdir /semgrep
+RUN pip install semgrep
+RUN git clone https://github.com/mindedsecurity/semgrep-rules-android-security /semgrep/android \
+    && cd /semgrep/android && git checkout ${ANDROID_SEMGREP_COMMIT_SHA}
+
+# TODO: add file exclusion rules
+COPY ./mastf /app/mastf
+COPY ./yara /app/yara
+COPY ./docs /app/docs
+COPY ./manage.py /app
+COPY ./plugins /app/plugins
+
+# Specify the working directory where we access our files at runtime
+WORKDIR /app
+
+ENTRYPOINT [ "/django_entrypoint" ]

compose/local/django/celery/beat/start

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# same configuration as applied in compose/django/local/entrypoint
+set -o errexit
+set -o nounset
+
+# Remove old process information
+rm -f './celerybeat.pid'
+celery -A mastf.MASTF beat -l "${CELERY_DEBUG_LEVEL}"

compose/local/django/celery/worker/start

@@ -0,0 +1,23 @@
+#!/bin/bash
+
+# same configuration as applied in compose/django/local/entrypoint
+set -o errexit
+set -o nounset
+
+
+
+if [ ! -d "${YARA_BASE_DIR}" ]; then
+    mkdir "${YARA_BASE_DIR}"
+fi
+
+if [ -f "${YARA_BASE_DIR}/.yss.pid" ] || [ -f "${YARA_BASE_DIR}.yss.pid" ]; then
+    echo "[Startup] Running YSS detected - Stopping server..."
+    yss --kill --base-dir "${YARA_BASE_DIR}"
+fi
+
+echo "[Startup] Starting YSS: dir=${YARA_BASE_DIR}, rules=${YARA_RULES_DIR}"
+yss --base-dir "${YARA_BASE_DIR}" -L "${YSS_LOGGING_CONFIG}" --signature-dir "${YARA_RULES_DIR}" --background
+
+cd /app
+# then start celery
+celery -A mastf.MASTF worker -l "${CELERY_DEBUG_LEVEL}"

compose/local/django/entrypoint

@@ -0,0 +1,51 @@
+#! /bin/bash
+
+# Make the container fail to start if we can't establish a connection
+# to our database.
+set -o errexit
+
+# Same applies to our pipes - if one of them fail, this script will
+# fail too
+set -o pipefail
+
+# exits if any of your variables is not set
+set -o nounset
+
+# Okay, that's dirty -> TODO: move to health check in docker compose file
+database_ready() {
+    python << END
+
+import sys
+
+if "${DB_ENGINE}" == "django.db.backends.sqlite3":
+    # Exit this script, because the connection is used locally
+    sys.exit(0);
+
+import psycopg2
+try:
+    psycopg2.connect(
+        dbname="${DB_DATABASE}",
+        user="${DB_USER}",
+        password="${DB_PASSWORD}",
+        host="${DB_HOST}",
+        port="${DB_PORT}",
+    )
+except psycopg2.OperationalError:
+    sys.exit(-1)
+
+sys.exit(0)
+END
+
+}
+
+until database_ready; do
+    # Redirect output to stderr instead of stdout
+    >&2 echo "Waiting for database to become available..."
+    sleep 2
+done
+
+>&2 echo "Database is available - starting container..."
+
+# Used to make the entrypoint a pass through to ensure that Docker runs
+# the command the user passes in
+exec "$@"