# ProjectMeta

- Sample APKs
  - Created [malicious app](./sample_apks/Ahmyth-aligned-debugSigned.apk) via [Ahmyth RAT](https://github.com/AhMyth/AhMyth-Android-RAT)

**<a href="https://i.imgur.com/KhHgs6K.png">Report Template Image</a>**

## Metod. stag.

| | | | | |

## Results

| | | | | | | |

### Tool selection

#### Static analysis

Tools available in the state of the art. The "Analyzing" column says what the tool takes as input: the APK itself, or source code decompiled from it.

| Static Tool | Language | Analyzing | Reporting Desc. | Reporting Severity CLASS | Vulnerability CLASS | Reporting confidence of findings |
| -------- | -------- | -------- |:--------: |:--------: |:--------: |:--------: |
| Quark-Engine | Python | Direct APK | ✅ | ✅ | CWE | ✅ |
| Mobsfscan | Java/Python | Source Code | ✅ | ✅ | CWE | ✅ |
| Trueseeing | Python | Direct APK | ✅ | ✅ | OWASP Mobile Top 10 | ✅ |
| QARK | Python | Direct APK | ✅ | :negative_squared_cross_mark: | :negative_squared_cross_mark: | :negative_squared_cross_mark: |
| AndroBugs | Python | Direct APK | ✅ | :negative_squared_cross_mark: | :negative_squared_cross_mark: | :negative_squared_cross_mark: |
| Argus-SAF (Amandroid) | Java | Direct APK | ✅ | :negative_squared_cross_mark: | :negative_squared_cross_mark: | :negative_squared_cross_mark: |
| Marvin Static Analyzer | Python | Direct APK | ✅ | :negative_squared_cross_mark: | :negative_squared_cross_mark: | :negative_squared_cross_mark: |
| FlowDroid | Java | Direct APK | ✅ | :negative_squared_cross_mark: | :negative_squared_cross_mark: | :negative_squared_cross_mark: |

### Static analysis Tools to use in META Project

1. **Quark-Engine** <!-- Why I choose this tool-->
2. **Mobsfscan** <!-- Why I choose this tool-->
3. **Trueseeing** <!-- Why I choose this tool-->

### META TOOL

XXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXX X X X XQ

<!--
### Dynamic analysis Tools to use in META Project

| Dynamic Tool | Language |
| -------- | -------- |
| | |
| | |
| | |

1.
2.
3.
-->

# Static Analysis Tools

## &nbsp;&nbsp;1.Mobsfscan

[mobsfscan](https://github.com/MobSF/mobsfscan) is a static analysis tool that finds insecure code patterns in Android and iOS source code. It supports Java, Kotlin, Swift and Objective-C. It works on source code, not on the packaged APK, so the APK has to be decompiled before mobsfscan can be used. Mobsfscan also reports the CWE for each finding.

### Installation & Usage

```
$ pip install mobsfscan
$ mobsfscan /path/to/java_source_code
```

I used this tool by examining the source code I had already extracted with QARK (QARK uses dex2jar to extract).

### Limitations

- Requires Python 3.7+

### Report Types

- json
- html
- sarif (Static Analysis Results Interchange Format)
- sonarqube format

### Report sample

![](https://i.imgur.com/dneXwpy.png)

CWEs found in the Ahmyth RAT sample (one entry per finding, so a CWE repeats when several findings map to it):

```
CWE-295: Improper Certificate Validation
CWE-295: Improper Certificate Validation
CWE-200: Information Exposure
CWE-532: Insertion of Sensitive Information into Log File
CWE-200: Information Exposure
CWE-919: Weaknesses in Mobile Applications
CWE-353: Missing Support for Integrity Check
CWE-798: Use of Hard-coded Credentials
CWE-798: Use of Hard-coded Credentials
CWE-798: Use of Hard-coded Credentials
CWE-330: Use of Insufficiently Random Values
```

### Research

- I used mobsfscan before for Android application reversing, so I thought I could check the documentation again to use it in the META tool.
- I checked the GitHub repo for example usage. I installed it with `pip install mobsfscan` to see the report type.
- I gave it the path of the root folder of the Ahmyth RAT source code, which I had already extracted with QARK.
- I used my Python script to get the CWEs from the report.

## &nbsp;&nbsp;2.Quark-Engine

[Quark-Engine](https://github.com/quark-engine/quark-engine) is an Android malware analysis engine. Its Quark Script layer aims to provide an innovative way for mobile security researchers to analyze or pentest their targets: it integrates not only static analysis tools (e.g. Quark itself) but also dynamic analysis tools (e.g.
[objection](https://github.com/sensepost/objection)).

### Installation & Usage

```bash
$ pip3 install quark-engine
$ freshquark
$ quark -a sample.apk -s -w quark_report.html
```

`freshquark` downloads the latest rule set; `-s` prints the summary report and `-w` writes the HTML report.

I used the Kali Linux repo to install this tool with `sudo apt-get install quark-engine`.

### Limitations

- Python 3.8+
- Needs some additional libraries (graphviz, click >= 8.0.1)

### Report Types

- JSON
- HTML

### Report Sample

On the GitHub page the developers list showcases for CWEs that Quark can identify:

```
2022 CWE Top 25 Showcases
CWE-798
CWE-94
CWE-921
CWE-312
CWE-89
```

![](https://i.imgur.com/F34vncY.png)

<details>
<summary><strong>Found Crimes</strong></summary>
<ul>
<li>Weight:1.0, Crime: Method reflection</li> <li>Weight:1.0, Crime: Monitor the general action to be performed</li> <li>Weight:1.0, Crime: Get messages in the SMS inbox</li> <li>Weight:1.0, Crime: Query data from the contact list</li> <li>Weight:1.0, Crime: Get messages in the SMS inbox</li> <li>Weight:1.0, Crime: Put a phone number into an intent</li> <li>Weight:1.0, Crime: Control camera to take picture</li> <li>Weight:1.0, Crime: Send a SMS message</li> <li>Weight:1.0, Crime: Read data and put it into a buffer stream</li> <li>Weight:1.0, Crime: Implicit intent(view a web page, make a phone call, etc.) via setData</li> <li>Weight:1.0, Crime: Check if successfully sending out SMS</li> <li>Weight:1.0, Crime: Initialize bitmap object and compress data (e.g.
JPEG) into bitmap object</li> <li>Weight:1.0, Crime: Find a method from given class name, usually for reflection</li> <li>Weight:1.0, Crime: Get last known location of the device</li> <li>Weight:1.0, Crime: Read file and put it into a stream</li> <li>Weight:1.0, Crime: Retrieve data from broadcast</li> <li>Weight:1.0, Crime: Implicit intent(view a web page, make a phone call, etc.)</li> <li>Weight:1.0, Crime: Set camera preview texture</li> <li>Weight:1.0, Crime: Query a URI and check the result</li> <li>Weight:1.0, Crime: Set the recorded file format and output path</li> <li>Weight:1.0, Crime: Get filename and put it to JSON object</li> <li>Weight:1.0, Crime: Read sensitive data(SMS, CALLLOG) and put it into JSON object</li> <li>Weight:1.0, Crime: Set the audio source (MIC) and recorded file format</li> <li>Weight:1.0, Crime: Get current camera paremeters and change the setting.</li> <li>Weight:1.0, Crime: Make a phone call</li> <li>Weight:1.0, Crime: Start capturing camera preview frames to the screen</li> <li>Weight:1.0, Crime: Set the output path of the recorded file</li> <li>Weight:1.0, Crime: Read the input stream from given URL</li> <li>Weight:1.0, Crime: Use absolute path of directory for the output media file path</li> <li>Weight:1.0, Crime: Get declared method from given method name</li> <li>Weight:1.0, Crime: Query data from URI (SMS, CALLLOGS)</li> <li>Weight:1.0, Crime: Hide the current app's icon</li> <li>Weight:1.0, Crime: Instantiate new object using reflection, possibly used for dexClassLoader </li> <li>Weight:1.0, Crime: Initialize the recorder and start recording</li> <li>Weight:1.0, Crime: Method reflection</li> <li>Weight:1.0, Crime: Open camera.</li> <li>Weight:1.0, Crime: Get absolute path of file and put it to JSON object</li> <li>Weight:1.0, Crime: Put data in cursor to JSON object</li> <li>Weight:1.0, Crime: Get Location of the device and append this info to a string</li> <li>Weight:1.0, Crime: Read sensitive data(SMS, CALLLOG, etc)</li> 
<li>Weight:1.0, Crime: Set the audio encoder and initialize the recorder</li> <li>Weight:1.0, Crime: Initialize class object dynamically</li> <li>Weight:1.0, Crime: Query data from the call log</li> <li>Weight:1.0, Crime: Get the content of a SMS message</li> <li>Weight:1.0, Crime: Connect to a URL and set request method</li> <li>Weight:1.0, Crime: Get the address of a SMS message</li> <li>Weight:0.5, Crime: Get location of the device</li> <li>Weight:0.5, Crime: Stop recording and release recording resources</li> <li>Weight:0.5, Crime: Scheduling recording task</li> <li>Weight:0.5, Crime: Get location info of the device and put it to JSON object</li> <li>Weight:0.5, Crime: Put buffer stream (data) to JSON object</li> <li>Weight:0.5, Crime: Open the camera and take picture</li> <li>Weight:0.5, Crime: Read file into a stream and put it into a JSON object</li> <li>Weight:0.5, Crime: Put the compressed bitmap data into JSON object</li> <li>Weight:0.25, Crime: Get specific method from other Dex files</li> <li>Weight:0.25, Crime: Create a secure socket connection to the given host address</li> <li>Weight:0.25, Crime: Get absolute path of the file and store in string</li> <li>Weight:0.25, Crime: Get notification manager and cancel notifications </li> <li>Weight:0.25, Crime: Create a directory</li> <li>Weight:0.25, Crime: Check if permission is granted and request it</li> <li>Weight:0.25, Crime: Set recroded audio/video file format</li> <li>Weight:0.25, Crime: Check if the resource name of the view contains the given string</li> <li>Weight:0.25, Crime: Get data from HTTP and send SMS</li> <li>Weight:0.25, Crime: Perfom accessibility service action on accessibility node info</li> <li>Weight:0.25, Crime: Open a file from given absolute path of the file</li> <li>Weight:0.25, Crime: Create a socket connection to the proxy address</li> <li>Weight:0.25, Crime: Get JSON object prepared and fill in location info</li> <li>Weight:0.25, Crime: Query a URI and append the result into a 
string</li> <li>Weight:0.25, Crime: Connect to a URL and send sensitive data got from resolver</li> <li>Weight:0.25, Crime: Check the active network type</li> <li>Weight:0.25, Crime: Load additional DEX files dynamically</li> <li>Weight:0.25, Crime: Connect to a URL and get the response code</li> <li>Weight:0.25, Crime: Use accessibility service to perform action getting node info by View Id</li> <li>Weight:0.25, Crime: Create a secure socket connection to the proxy address</li> <li>Weight:0.25, Crime: Stop recording</li> <li>Weight:0.25, Crime: Initialize recorder</li> <li>Weight:0.25, Crime: Get location and put it into JSON</li> <li>Weight:0.25, Crime: Get external class from given path or file name</li> <li>Weight:0.25, Crime: Create a socket connection to the given host address</li> <li>Weight:0.25, Crime: Get bounds in screen of an AccessibilityNodeInfo and perform action</li> <li>Weight:0.25, Crime: Send binary data over HTTP</li> <li>Weight:0.25, Crime: Get resource file from res/raw directory</li> <li>Weight:0.25, Crime: Check the current network type</li> <li>Weight:0.25, Crime: Save recorded audio/video to a file</li> <li>Weight:0.25, Crime: Write HTTP input stream into a file</li> <li>Weight:0.25, Crime: Connect to a URL and read data from it</li> <li>Weight:0.25, Crime: Connect to a URL and receive input stream from the server</li> <li>Weight:0.25, Crime: Set the audio source (MIC)</li> <li>Weight:0.25, Crime: Load external class</li> <li>Weight:0.25, Crime: Use accessibility service to perform action getting node info by text</li> <li>Weight:0.25, Crime: Check if the given path is directory</li> <li>Weight:0.25, Crime: Check if the given file path exist</li> <li>Weight:0.25, Crime: Load class from given class name</li> <li>Weight:0.25, Crime: Check if the text of the view contains the given string</li> <li>Weight:0.25, Crime: Start recording</li> <li>Weight:0.125, Crime: Get the country code of the SIM card provider</li> <li>Weight:0.125, Crime: Get 
the current WiFi MAC address and put it into JSON</li> <li>Weight:0.125, Crime: Get sender's address and send SMS</li> <li>Weight:0.125, Crime: Monitor incoming call status</li> <li>Weight:0.125, Crime: Query the SIM card status</li> <li>Weight:0.125, Crime: Acquire lock on Power Manager </li> <li>Weight:0.125, Crime: Send Location via SMS</li> <li>Weight:0.125, Crime: Get SMS address and send it through http</li> <li>Weight:0.125, Crime: Append the sender's address to the string</li> <li>Weight:0.125, Crime: Get location of the current GSM and put it into JSON</li> <li>Weight:0.125, Crime: Get calendar information</li> <li>Weight:0.125, Crime: Check if the network is connected</li> <li>Weight:0.125, Crime: Get the ISO country code and put it into JSON</li> <li>Weight:0.125, Crime: Get all accounts by type and put them in a JSON object</li> <li>Weight:0.125, Crime: Return dynamic information about the current Wi-Fi connection</li> <li>Weight:0.125, Crime: Check the list of currently running applications</li> <li>Weight:0.125, Crime: Get the current WiFi id</li> <li>Weight:0.125, Crime: Use accessibility service to perform action getting root in active window</li> <li>Weight:0.125, Crime: Send sms to a contact of contact list</li> <li>Weight:0.125, Crime: Get the content of SMS and forward it to others via SMS</li> <li>Weight:0.125, Crime: Save the response to JSON after connecting to the remote server</li> <li>Weight:0.125, Crime: Connect to the remote server through the given URL</li> <li>Weight:0.125, Crime: Get the current WIFI information</li> <li>Weight:0.125, Crime: Query The ISO country code</li> <li>Weight:0.125, Crime: Append the sender's address to the string</li> <li>Weight:0.125, Crime: Send notification</li> <li>Weight:0.125, Crime: Get the time of current location</li> <li>Weight:0.125, Crime: Compare network operator with a string</li> <li>Weight:0.125, Crime: Get location of the current GSM and put it into JSON</li> <li>Weight:0.125, Crime: Check if 
the device is in data roaming mode</li> <li>Weight:0.125, Crime: Get the date of the calendar event</li> <li>Weight:0.125, Crime: Check if the sender address of SMS contains the given string</li> <li>Weight:0.125, Crime: Monitor the broadcast action events (BOOT_COMPLETED, etc)</li> <li>Weight:0.125, Crime: Get last known location of the device</li> <li>Weight:0.125, Crime: Query the current data network type</li> <li>Weight:0.125, Crime: Query the local IP address</li> <li>Weight:0.125, Crime: Use accessibility service to perform global action getting node info by View Id</li> <li>Weight:0.125, Crime: Get the current WiFi information and put it into JSON</li> <li>Weight:0.125, Crime: Query the IMEI number</li> <li>Weight:0.125, Crime: Get the network operator name</li> <li>Weight:0.125, Crime: Check the current active network type</li> <li>Weight:0.125, Crime: Deletes media specified by a content URI(SMS, CALL_LOG, File, etc.)</li> <li>Weight:0.125, Crime: Send phone number over Internet</li> <li>Weight:0.125, Crime: Use accessibility service to perform global action getting node info by text</li> <li>Weight:0.125, Crime: Read file from assets directory</li> <li>Weight:0.125, Crime: Query the list of the installed packages</li> <li>Weight:0.125, Crime: Start another application from current application</li> <li>Weight:0.125, Crime: Get the current WiFi id and put it into JSON.</li> <li>Weight:0.125, Crime: Query the network operator name</li> <li>Weight:0.125, Crime: Return the DHCP-assigned addresses from the last successful DHCP request</li> <li>Weight:0.125, Crime: Send broadcast</li> <li>Weight:0.125, Crime: Query the IMSI number</li> <li>Weight:0.125, Crime: Read sensitive data(SMS, CALLLOG, etc)</li> <li>Weight:0.125, Crime: Get the current WiFi IP address</li> <li>Weight:0.125, Crime: Get the current WiFi MAC address</li> <li>Weight:0.125, Crime: Set the phone speaker on</li> <li>Weight:0.125, Crime: Check if the content of SMS contains given string</li> 
<li>Weight:0.125, Crime: Query the phone number</li> <li>Weight:0.125, Crime: Query the IMEI number</li> <li>Weight:0.125, Crime: Get the sender address of the SMS and put it into JSON</li> <li>Weight:0.125, Crime: Send IMSI over Internet</li> <li>Weight:0.125, Crime: Check the network capabilities</li> <li>Weight:0.125, Crime: Get SMS message body and send it through http</li> <li>Weight:0.125, Crime: Monitor data identified by a given content URI changes(SMS, MMS, etc.)</li> <li>Weight:0.125, Crime: Query the ICCID number</li> <li>Weight:0.125, Crime: Save recorded audio/video to file</li> <li>Weight:0.0625, Crime: Get the sender address of the SMS</li> <li>Weight:0.0625, Crime: Get the currently formatted WiFi IP address</li> <li>Weight:0.0625, Crime: Write the SIM card information into a file</li> <li>Weight:0.0625, Crime: Calculate WiFi signal strength</li> <li>Weight:0.0625, Crime: Query WiFi information and WiFi Mac Address</li> <li>Weight:0.0625, Crime: Query the last time this package's activity was used</li> <li>Weight:0.0625, Crime: Query the SMS service centre timestamp</li> <li>Weight:0.0625, Crime: Get the default ringtone</li> <li>Weight:0.0625, Crime: Get the network operator name and IMSI</li> <li>Weight:0.0625, Crime: Open an URL in Wevbiew</li> <li>Weight:0.0625, Crime: Write file after Base64 decoding</li> <li>Weight:0.0625, Crime: Start a web server</li> <li>Weight:0.0625, Crime: Unpack an asset, possibly decrypt it and load it as DEX</li> <li>Weight:0.0625, Crime: Execute Linux commands via ProcessBuilder</li> <li>Weight:0.0625, Crime: Get the content of SMS</li> <li>Weight:0.0625, Crime: Connect to the specific WIFI network</li> <li>Weight:0.0625, Crime: Query the name of currently running application</li> <li>Weight:0.0625, Crime: Run shell script programmably</li> <li>Weight:0.0625, Crime: Executes the specified string Linux command</li> <li>Weight:0.0625, Crime: Query the SMS contents</li> <li>Weight:0.0625, Crime: Write the phone number 
into a file</li> <li>Weight:0.0625, Crime: Load native libraries(.so) via System.loadLibrary (60% means caught)</li> <li>Weight:0.0625, Crime: Query the ICCID number</li> <li>Weight:0.0625, Crime: Get installed applications and put the list in shared preferences</li> <li>Weight:0.0625, Crime: Install other APKs from file</li> <li>Weight:0.0625, Crime: Query WiFi BSSID and scan results</li> <li>Weight:0.0625, Crime: Query the SMS content and the source of the phone number</li> <li>Weight:0.0625, Crime: Write SIM card serial number into a file</li> <li>Weight:0.0625, Crime: Modify voice volume</li> <li>Weight:0.0625, Crime: Copy pixels from the latest rendered image into a Bitmap</li> <li>Weight:0.0625, Crime: Execute commands on shell using DataOutputStream object</li> <li>Weight:0.0625, Crime: Capture the contents of the device screen</li> <li>Weight:0.0625, Crime: Write the ISO country code of the current network operator into a file</li> <li>Weight:0.0625, Crime: Get IMSI and the ISO country code</li> <li>Weight:0.0625, Crime: Write the IMEI number into a file</li> <li>Weight:0.0625, Crime: Get SMS message body and retrieve a string from it (possibly PIN / mTAN)</li> <li>Weight:0.0625, Crime: Get pixels from the latest rendered image</li> <li>Weight:0.0625, Crime: Get the ISO country code and IMSI</li> <li>Weight:0.0625, Crime: Get the IMSI and network operator name</li> <li>Weight:0.0625, Crime: Send SMS</li> <li>Weight:0.0625, Crime: Write the ICCID of device into a file</li> <li>Weight:0.0625, Crime: Connect hostname to TCP or UDP socket using KryoNet</li> <li>Weight:0.0625, Crime: Create new Socket and connecting to it</li> <li>Weight:0.0625, Crime: Write the IMSI number into a file</li> <li>Weight:0.0625, Crime: Query the phone number from SMS sender</li> <li>Weight:0.0625, Crime: Create InetSocketAddress object and connecting to it</li> <li>Weight:0.0625, Crime: Query user account information</li> <li>Weight:0.0625, Crime: Simulate a touch gesture on the 
device screen</li> <li>Weight:0.0625, Crime: Load native libraries(.so) via System.load (60% means caught)</li> <li>Weight:0, Crime: Check Admin permissions to (probably) get them</li>
</ul>
</details>

<details>
<summary><strong>HTML</strong></summary>
<img src="https://i.imgur.com/DxQqjjM.png">
</details>

<details>
<summary><strong>HTML Full Page</strong></summary>
<img src="https://i.imgur.com/zkDQTAK.jpg">
</details>

### Research

1. While researching QARK, I typed "qark cwe" into Google; the first link was the quark-engine repo, which I installed to try.
2. I looked at both the JSON and HTML reports, and I processed the JSON report to list the "crimes" and sort them with my Python script.

## &nbsp;&nbsp;3.Trueseeing

[Trueseeing](https://github.com/alterakey/trueseeing) is a fast, accurate and resilient vulnerability scanner for Android apps. It operates on APK files and outputs a comprehensive report in HTML, JSON or a CI-friendly format. It does not matter whether the APK is obfuscated or not.

### Installation & Usage

```
$ pip3 install trueseeing
$ trueseeing --format=json -o report.json /path/to/target.apk
```

<!--#### Limitations-->

### Report Types

- HTML
- JSON

### Report sample

Each issue carries a CVSS 3.0 vector and score next to its severity label, which makes the findings easier to rank than the flat warning lists of the other tools:

```json
{
  "app": {
    "package": "ahmyth.mine.king.ahmyth",
    "issues": 14
  },
  "issues": [
    {
      "no": 0,
      "detector": "manifest-manip-backup",
      "summary": "Manipulatable Backups",
      "synopsis": "Application data can be backed up and restored with the Full Backup feature.",
      "description": "Application data can be backed up and restored with the Full Backup feature, thusly making it subjectible to the backup attack.",
      "seealso": null,
      "solution": "Review them and opt-out from the Full Backup feature if necessary. 
To opt-out, define the following attribute to the <application> tag in the manifest:\n\nandroid:allowBackup=\"false\"\n",
      "cvss3_score": 8.0,
      "cvss3_vector": "CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/RC:C/",
      "severity": "High",
      "instances": [
        {
          "info": "",
          "source": "AndroidManifest.xml",
          "row": null,
          "col": null
        }
      ]
    },
    {
      "no": 1,
      . . .
    }
  ]
}
```

Trueseeing maps its findings to categories from the [OWASP Mobile Top 10 (2016)](https://owasp.org/www-project-mobile-top-10/); the ones it can detect are:

```
M1: Improper Platform Usage
M2: Insecure Data Storage
M3: Insecure Communication
M5: Insufficient Cryptography
M7: Client Code Quality
M8: Code Tampering
M9: Reverse Engineering
```

## &nbsp;&nbsp;4.QARK (Quick Android Review Kit)

[QARK](https://github.com/linkedin/qark) is designed to look for several security-related Android application vulnerabilities, either in source code or in packaged APKs. The tool can also create "proof-of-concept" deployable APKs and/or ADB commands capable of exploiting many of the vulnerabilities it finds. There is no need to root the test device, as this tool focuses on vulnerabilities that can be exploited under otherwise secure conditions.

### Installation & Usage

```
$ pip install qark
$ qark --apk path/to/my.apk --report-type json
```

### Limitations

1. The warning count is very high; triaging all of the warnings takes time, and the report is not detailed.
2. Personally I couldn't install it with Python 3.6.

### Report Types

- json (most detailed)
- html
- csv

### Report Sample

Test results for the Ahmyth Android RAT:

- Warning count: **440**
- Info count: 9

The warning count includes findings in bundled library code (the first entry below is in `android/support/v4`, not in the RAT's own package), so the counts need filtering by package before they say much about the sample itself. The INFO entry is more telling: it is the plaintext HTTP URL built in the RAT's own `IOSocket.java`.

```json
[
  {
    "category": "file",
    "line_number": [70, 13],
    "severity": "WARNING",
    "file_object": "/home/adigeefe/UNISA/ProjectMeta/apks/build/qark/cfr/android/support/v4/view/ViewConfigurationCompat.java",
    "apk_exploit_dict": null,
    "name": "Logging found",
    "description": "Logs are detected. This may allow potential leakage of information from Android applications. 
Logs should never be compiled into an application except during development. Reference: https://developer.android.com/reference/android/util/Log.html"
  },
  {
    "category": "file",
    "line_number": [22, 0],
    "severity": "INFO",
    "file_object": "/home/adigeefe/UNISA/ProjectMeta/apks/build/qark/fernflower/ahmyth/mine/king/ahmyth/IOSocket.java",
    "apk_exploit_dict": null,
    "name": "Hardcoded HTTP url found",
    "description": "Application contains hardcoded HTTP url: http://adigeluna-29815.portmap.host:29815?model=, unless HSTS is implemented, this request can be intercepted and modified by a man-in-the-middle attack."
  }
]
```

### Research

1. I searched "Android Vulnerability Detection Tools" in Google Scholar. There is a paper titled "Open Source Android Vulnerability Detection Tools: A Survey" from The University of Toledo, written by Keyur Kulkarni (student, EECS Dept.) and Ahmad Y. Javaid (assistant professor, EECS Dept.); I found a list of tools in Table 2, page 5.
2. I googled QARK and found QARK's repository on GitHub. After reading the documentation, I cloned the repository and tested it on the sample APK (created with the RAT tool from the AhMyth-Android-RAT repository).
3. I analyzed QARK's report with my own Python JSON parser script to get the WARNING and INFO counts.

## &nbsp;&nbsp;5.AndroBugs Framework

[AndroBugs Framework](https://github.com/androbugs2/androbugs2) is an Android vulnerability analysis system that helps developers or hackers find potential security vulnerabilities in Android applications. It has no fancy GUI, but it is efficient (less than 2 minutes per scan on average) and accurate.

### Installation & Usage

```
- Clone the repository to a local folder.
$ git clone https://github.com/androbugs2/androbugs2.git && cd androbugs2
- Create a virtual environment and activate it:
$ python3 -m venv venv
$ source venv/bin/activate
- Install the required packages:
$ pip install -r requirements.txt
- Scan an APK, optionally limited to one vector:
$ python androbugs.py -f [APK file] -d [Vector Name]
- For example, replace [Vector Name] with STRANDHOGG_2 to only scan the application for the Strandhogg 2.0 vulnerability.
```

### Limitations

- TXT is the only report type; to get CSV output you have to use the massive-scan mode and export from MongoDB.
- MongoDB must be installed for massive scan.

### Report Types

- TXT

### Report Sample

```
Platform: Android
Package Name: ahmyth.mine.king.ahmyth
Package Version Name: 1.0
Package Version Code: 1
Min Sdk: 16
Target Sdk: 22
MD5   : 5e84dcbc27e3995e9827b7c477e0024d
SHA1  : 83f157a6f90e41d8a454d6113b715deb07660af7
SHA256: 9fb1056e2fcb7c86ddacea62a74d93b1c5f4e0d53798ba5a6fb94716cf5f4edc
SHA512: 8513a94fef9f75dabf60f6528f3b15d00c2c85954892f33ed043c32f3065828e42884335503bc5d05e4c0e51a9735b9650b5dcccf5ca5821e5a1ad188b055760
Analyze Signature: 6be47f398581157b1965567679c691258dd6d8ae11318745aa520685e0a61b91e69affee2743d8368b89479cd9226ae8516ed25d6c416bcde1e30233c8624501
------------------------------------------------------------------------------------------------
[Critical] <Debug> Android Debug Certificate Checking:
    App is signed with debug certificate, indicating that debug mode may be enabled. This could potentially be dangerous if used in production environments.

[Critical] <SSL_Security> SSL Connection Checking:
    URLs that are NOT under SSL (Total: 1):
    http://<REDACTED>?model=
        ->From class: Lahmyth/mine/king/ahmyth/IOSocket;-><init>()V

[Critical] AndroidManifest System Use Permission Checking:
    This app should only be released and signed by device manufacturer or Google and put under '/system/app'. If not, it may be a malicious app. 
    System use-permission found: "android.permission.WRITE_SECURE_SETTINGS"

[Warning] <Sensitive_Information> Getting ANDROID_ID:
    This app has code getting the 64-bit number "Settings.Secure.ANDROID_ID". ANDROID_ID seems a good choice for a unique device identifier. There are downsides: First, it is not 100% reliable on releases of Android prior to 2.2 (Froyo). Also, there has been at least one widely-observed bug in a popular handset from a major manufacturer, where every instance has the same ANDROID_ID. If you want to get an unique id for the device, we suggest you use "Installation" framework in the following article. Please check the reference: http://android-developers.blogspot.tw/2011/03/identifying-app-installations.html
    => Lahmyth/mine/king/ahmyth/IOSocket;-><init>()V (0x1a) ---> Landroid/provider/Settings$Secure;->getString(Landroid/content/ContentResolver; Ljava/lang/String;)Ljava/lang/String;

[Warning] Codes for Sending SMS:
    This app has code for sending SMS messages (sendDataMessage, sendMultipartTextMessage or sendTextMessage):
    => Lahmyth/mine/king/ahmyth/SMSManager;->sendSMS(Ljava/lang/String; Ljava/lang/String;)Z (0x12) ---> Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Landroid/app/PendingIntent; Landroid/app/PendingIntent;)V

[Notice] AndroidManifest Adb Backup Checking:
    ADB Backup is ENABLED for this app (default: ENABLED). ADB Backup is a good tool for backing up all of your files. If it's open for this app, people who have your phone can copy all of the sensitive data for this app in your phone (Prerequisite: 1.Unlock phone's screen 2.Open the developer mode). The sensitive data may include lifetime access token, username or password, etc. 
    Security case related to ADB Backup:
    1.http://www.securityfocus.com/archive/1/530288/30/0/threaded
    2.http://blog.c22.cc/advisories/cve-2013-5112-evernote-android-insecure-storage-of-pin-data-bypass-of-pin-protection/
    3.http://nelenkov.blogspot.co.uk/2012/06/unpacking-android-backups.html
    Reference: http://developer.android.com/guide/topics/manifest/application-element.html#allowbackup

[Notice] File Unsafe Delete Checking:
    Everything you delete may be recovered by any user or attacker, especially rooted devices. Please make sure do not use "file.delete()" to delete essential files. Check this video: https://www.youtube.com/watch?v=tGw1fxUD-uY
    => Lahmyth/mine/king/ahmyth/MicManager$1;->run()V (0x22) ---> Ljava/io/File;->delete()Z
    => Lokhttp3/internal/io/FileSystem$1;->deleteContents(Ljava/io/File;)V (0x2a) ---> Ljava/io/File;->delete()Z
    => Lokhttp3/internal/io/FileSystem$1;->delete(Ljava/io/File;)V (0x0) ---> Ljava/io/File;->delete()Z

[Notice] AndroidManifest Exported Components Checking 2:
    Found "exported" components(except for Launcher) for receiving Google's "Android" actions (AndroidManifest.xml):
    receiver => ahmyth.mine.king.ahmyth.MyReceiver

[Info] <Command> Runtime Command Checking:
    This app is not using critical function 'Runtime.getRuntime().exec("...")'.

[Info] <Command> Executing "root" or System Privilege Checking:
    Did not find codes checking "root" permission(su) or getting system permission (It's still possible we did not find out).
. . .
```

<!-- Vectors
```
The following vector tags are defined

['COMMAND_MAYBE_SYSTEM']
    Checks executing as root
['HACKER_KEYSTORE_NO_PWD', 'HACKER_KEYSTORE_SSL_PINNING', 'HACKER_KEYSTORE_LOCATION1', 'HACKER_KEYSTORE_LOCATION2', 'KEYSTORE_TYPE_CHECK']
    Checks if an unprotected keystore is present, and if the application uses ssl pinning
['Security_Methods', 'Security_Classes']
    Checks if there are any security related method and class names present
['USE_PERMISSION_ACCESS_MOCK_LOCATION', 'PERMISSION_GROUP_EMPTY_VALUE', 'USE_PERMISSION_SYSTEM_APP', 'USE_PERMISSION_CRITICAL', 'USE_PERMISSION_SYSTEM_APP', 'PERMISSION_NORMAL', 'PERMISSION_DANGEROUS', 'PERMISSION_NO_PREFIX_EXPORTED', 'PERMISSION_EXPORTED', 'PERMISSION_PROVIDER_IMPLICIT_EXPORTED', 'PERMISSION_INTENT_FILTER_MISCONFIG', 'PERMISSION_IMPLICIT_SERVICE']
    Checks if app has correct permissions
['HACKER_BASE64_STRING_DECODE', 'SSL_Security']
    Checks if there are any Base64 encoded strings present and decodes them
['HACKER_SIGNATURE_CHECK']
    Checks Master Key Type I Vulnerability
['MODE_WORLD_READABLE_OR_MODE_WORLD_WRITEABLE', 'EXTERNAL_STORAGE', 'FILE_DELETE']
    App sandbox permission check, external storage accessing, and unsafe file deletion checks
['MASTER_KEY', 'SHARED_USER_ID']
    Checks Master Key Type I Vulnerability and sharedUserId
['FRAGMENT_INJECTION']
    Checks severe fragment injection vulnerability prior to Android 4.4 (API 19).
['COMMAND', 'COMMAND_SU']
    Checks runtime exec
['HACKER_DB_KEY', 'DB_DEPRECATED_USE1', 'DB_SQLITE_JOURNAL', 'DB_SEE', 'DB_SQLCIPHER']
    Checks if sql lite database is encoded with hardcoded key, and checks for deprecated SQL methods
['DEBUGGABLE', 'HACKER_DEBUGGABLE_CERT', 'HACKER_DEBUGGABLE_CHECK']
    Checks if debug mode is enabled, if a debug certificate is present, and if debug mode detection is used
['SENSITIVE_SMS']
    Checks SMS sending
['MANIFEST_GCM']
    Checks if sdk allows Google Cloud Messaging (Push Message) service
['HTTPURLCONNECTION_BUG']
    HttpURLConnection bug checking
['SENSITIVE_DEVICE_ID', 'SENSITIVE_SECURE_ANDROID_ID']
    Checks if Android getting sensitive information such as IMEI, Android_ID, UUID
['SSL_WEBVIEW', 'WEBVIEW_JS_ENABLED', 'WEBVIEW_RCE', 'WEBVIEW_ALLOW_FILE_ACCESS']
    Checks if an unprotected keystore is present
['HACKER_INSTALL_SOURCE_CHECK']
    Check if application has detection for installation source (e.g Google Play or F-Droid)
['DYNAMIC_CODE_LOADING']
    Checks Detect dynamic code loading
['ALLOW_BACKUP']
    Checks adb backup
['NATIVE_METHODS', 'NATIVE_LIBS_LOADING']
    get native methods and frameworks
['FRAMEWORK']
    Checks if a framework was used to develop the app, and if so, which one.
['STRANDHOGG_2']
    Checks for Strandhogg 2.0 vulnerability
['HACKER_PREVENT_SCREENSHOT_CHECK']
    Developers preventing screenshot capturing checking
['SSL_CN2', 'SSL_CN3', 'SSL_DEFAULT_SCHEME_NAME', 'SSL_X509']
    Checks SSL Implementation, and verifies if application has any SSL practices allowing MITM attacks
```
-->

## &nbsp;&nbsp;6.Argus-SAF (Amandroid)

[Argus-SAF](https://github.com/arguslab/Argus-SAF) is also known as Amandroid and was first published at [CCS'14](https://www.sigsac.org/ccs/CCS2014/) [[pdf](http://www.fengguow.com/resources/papers/AmandroidCCS14.pdf)]. From the paper:

```
We observe that a large portion of those security issues can be resolved by addressing one underlying core problem – capturing semantic behaviors of the app such as object points-to and control-/data-flow information. Thus, we designed a new approach to conducting static analysis for vetting Android apps, and built a generic framework, called Amandroid, which builds upon Argus-Jawa and does flow- and context-sensitive data flow analysis in an inter-component way.
```

> &nbsp;&nbsp;Amandroid is a static analysis framework for Android apps.

![](https://i.imgur.com/eqQwVQz.png)

### Installation & Usage

Requirement: Java 10

Download argus-saf_\*\*\*-version-assembly.jar from the GitHub page

```
$ java -jar argus-saf_***-version-assembly.jar
```

### Limitations

- Our focus is on malware analysis tools, and this tool would be very complicated to integrate because of its analysis technique.

```
On top of Amandroid we performed certain specific security analyses, for instance
1. Sensitive data flow tracking
2. Data injection detection
3. API misuse checking
```

### Analysis options

- Communication leakage
- OAuth token tracking
- Password tracking
- Intent injection
- Data leakage

### Sample results of data leakage analysis

```
Application Name: Ahmyth-aligned-debugSigned.apk
Uses Permissions: android.permission.CAMERA, android.permission.RECEIVE_SMS, android.permission.SEND_SMS, android.permission.ACCESS_NETWORK_STATE, android.permission.ACCESS_FINE_LOCATION, android.permission.WRITE_EXTERNAL_STORAGE, android.permission.READ_SMS, android.permission.WRITE_SMS, android.permission.WRITE_SETTINGS, android.permission.READ_CONTACTS, android.permission.ACCESS_BACKGROUND_LOCATION, android.permission.RECORD_AUDIO, android.permission.READ_PHONE_STATE, android.permission.MANAGE_EXTERNAL_STORAGE, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.READ_CALL_LOG, android.permission.WRITE_SECURE_SETTINGS, android.permission.ACCESS_COARSE_LOCATION, android.permission.WAKE_LOCK, android.permission.INSTALL_PACKAGE, android.permission.INTERNET, android.permission.READ_EXTERNAL_STORAGE, android.permission.PROCESS_OUTGOING_CALLS, android.permission.MODIFY_AUDIO_SETTINGS
Component ahmyth.mine.king.ahmyth.MyReceiver
Component type: receiver
Exported: true
Dynamic Registered: false
Required Permission:
IntentFilters:
IntentFilter:(Actions:["android.provider.Telephony.SMS_RECEIVED"])
IntentFilter:(Actions:["android.intent.action.QUICKBOOT_POWERON","android.intent.action.BOOT_COMPLETED"],Categories:["android.intent.category.DEFAULT"])
Inter-component communication (ICC) Result:
Component ahmyth.mine.king.ahmyth.AdminReceiver
Component type: receiver
Exported: true
Dynamic Registered: false
Required Permission: android.permission.BIND_DEVICE_ADMIN
IntentFilters:
IntentFilter:(Actions:["android.app.action.DEVICE_ADMIN_ENABLED"])
Inter-component communication (ICC) Result:
Component ahmyth.mine.king.ahmyth.MainActivity
Component type: activity
Exported: true
Dynamic Registered: false
Required Permission:
IntentFilters:
IntentFilter:(Actions:["android.intent.action.MAIN"],Categories:["android.intent.category.LAUNCHER"])
Inter-component communication (ICC) Result:
Component ahmyth.mine.king.ahmyth.MainService
Component type: service
Exported: false
Dynamic Registered: false
Required Permission:
IntentFilters:
Inter-component communication (ICC) Result:
Taint analysis result:
Sources found:
Sinks found:
Discovered taint paths are listed below:
```

## &nbsp;&nbsp;7.Marvin Static Analyzer

[Marvin static analyzer](https://github.com/programa-stic/Marvin-static-Analyzer) is an Android application vulnerability scanner. No user interface is available at the moment. The framework uses **androguard** and **[Static Android Analysis Framework](https://github.com/SAAF-Developers/saaf/)**.

### Installation & Usage

```
# Clone github repo
$ chmod +x install.sh && ./install.sh
```

### Limitations

- Requires Python 2.7.x
- Developers stopped developing this tool 6 years ago

### Report Types

List of vulnerabilities Marvin Static Analyzer can find:

```
UNPROTECTED_EXPORTED_COMPONENT
NON_SIGNATURE_PROTECTED_EXPORTED_COMPONENT
JAVASCRIPTINTERFACE
APPLICATION_DEBUGGABLE
APPLICATION_BACKUP
PHONEGAP_JS_INJECTION
PHONEGAP_CVE_3500_URL
PHONEGAP_CVE_3500_ERRORURL
PHONEGAP_WHITELIST_BYPASS_REGEX
PHONEGAP_CVE_3500_REMOTE
PHONEGAP_DEBUG_LOGGING
PHONEGAP_NO_WHITELIST
PHONEGAP_WHITELIST_BYPASS_WILDCARD
REDIS
SSL_CUSTOM_TRUSTMANAGER
SSL_CUSTOM_HOSTNAMEVERIFIER
SSL_ALLOWALL_HOSTNAMEVERIFIER
SSL_INSECURE_SOCKET_FACTORY
SSL_WEBVIEW_ERROR
PATH_TRAVERSAL_PROVIDER
INTENT_HIJACKING (Activity/Service/Receiver)
FRAGMENT_INJECTION
WEBVIEW_FILE_SCHEME
CRYPTOGRAPHY
    Use of ECB
    Constant encryption keys
    Non random IV for CBC
    Constant salt for PBE
    Fewer than 1000 iterations for PBE
    Hardcoded SMTP passwords
    Twitter OAUTH keys
    SecureRandom fixed seed
    Hardcoded Apache Auth
    Use of MD5
INSECURE_WORLD_STORAGE
    File/Database/SharedPreference
UNPROTECTED_DYNAMICALLY_REGISTERED_RECEIVER
STICKY_BROADCAST_INTENT
AUTOCOMPLETE_PASSWORD_INPUT
WEBVIEW_SAVED_PASSWORD
INSECURE_RUNTIME_EXEC_COMMAND
INSECURE_PATHCLASSLOADER
BOLTS
VUNGLE
PATH_TRAVERSAL_PROVIDER
HARDCODED_BAAS_SECRET_KEYS (AWS, CloudMine, Azure, Parse)
SURREPTITIOUS_SHARING
```

<!-- ### Research -->

## &nbsp;&nbsp;8.FlowDroid

[FlowDroid](https://github.com/secure-software-engineering/FlowDroid) statically computes data flows in Android apps and Java programs. Its goal is to provide researchers and practitioners with a tool and library on which they can base their own research projects and product implementations.

### Limitations

- Our focus is on malware analysis tools, and this tool focuses on data flow analysis; like Amandroid, it would be very complicated to integrate.

<!-- ## &nbsp;&nbsp;9.Mallodroid

Find broken SSL certificate validation in Android Apps.

> Has some library issues (uses androguard), it may be fixed. -->

<!-- ### Research -->

<!-- At the current stage our focus is on static analysis tools

# Dynamic Analysis Tools

## &nbsp;&nbsp;&nbsp;1. DroidBox

[DroidBox](https://github.com/pjlantz/droidbox) is developed to offer dynamic analysis of Android applications. The following information is described in the results:

- Generated when analysis is complete:
  - Hashes for the analyzed package
  - Incoming/outgoing network data
  - File read and write operations
  - Started services and loaded classes through DexClassLoader
  - Information leaks via the network, file and SMS
  - Circumvented permissions
  - Cryptographic operations performed using Android API
  - Listing broadcast receivers
  - Sent SMS and phone calls

### Tests

The official repo is broken. If we decide to use it, we can try to implement the source code of [AndroPyTool](https://github.com/alexMyG/AndroPyTool):

![](https://i.imgur.com/sy0R6QV.jpg)

## &nbsp;&nbsp;&nbsp;2. Cuckoo-droid

[![Black Hat Arsenal](https://www.toolswatch.org/badges/arsenal/2015.svg)](https://www.blackhat.com/us-15/arsenal.html) [![Black Hat Arsenal](https://www.toolswatch.org/badges/arsenal/2016.svg)](https://www.blackhat.com/us-16/arsenal.html)

Hard to configure for the first installation. The report type is available in PDF: [PDF: CuckooDroid_Blackhat_Asia_2015](https://github.com/idanr1986/cuckoo-droid/blob/master/CuckooDroid_Blackhat_Asia_2015.pdf)

- Traces of win32 API calls performed by all processes spawned by the malware.
- Files being created, deleted and downloaded by the malware during its execution.
- Memory dumps of the malware processes.
- Network traffic trace in PCAP format.
- Screenshots of Windows desktop taken during the execution of the malware.
- Full memory dumps of the machines.

## &nbsp;&nbsp;&nbsp;3. Hooker

Hooker is an open-source project for dynamic analyses of Android applications. This project provides various tools and applications that can be used to automatically intercept and modify any API calls made by a targeted application. It leverages the Android Substrate framework to intercept these calls and aggregate all their contextual information (parameters, returned values, ...). Collected information can either be stored in ElasticSearch or in JSON files.

### Technical Description

Hooker is made of multiple modules:

1. **APK-instrumenter** is an Android application that must be installed prior to the analysis on an Android device (for instance, an emulator).
2. **hooker_xp** is a python tool that can be used to control the android device and trigger the installation and stimulation of an application on it.
3. **hooker_analysis** is a python script that can be used to collect results stored in the elasticsearch database.
4. **tools/APK-contactGenerator** is an Android application that is automatically installed on the Android device by hooker_xp to inject fake contact information.
5. **tools/apk_retriever** is a Python tool that can be used to download APKs from various online public Android markets.
6. **tools/emulatorCreator** is a collection of scripts that can be used to prepare an emulator.

# Machine Learning-based Tools

## &nbsp;&nbsp;&nbsp;1.RevealDroid

[RevealDroid](https://seal.ics.uci.edu/projects/revealdroid/) is a machine-learning based approach for detecting malicious Android apps and identifying their families that provides a selectable set of features for achieving different trade-offs between obfuscation resiliency, efficiency of analysis, and accuracy.
-->
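The component and taint report that Argus-SAF prints (the section 6 sample above) is plain text, so a META-style aggregator has to parse it before its findings can be lined up with the other tools' reports. The script below is an added example, not Argus-SAF's or this project's own code: it parses a copy of that report and flags the two things a triager looks at first, exported components that require no permission (the same class of finding Marvin lists as UNPROTECTED_EXPORTED_COMPONENT) and receivers registered for boot. The embedded `REPORT` string is constructed from the section 6 sample (abridged, permission list shortened) and assumes the tool prints one field per line, which the copy on this page does not show; the function names `parse_report`, `analyze`, `unprotected_exported` and `boot_receivers` are this example's own.

```python
# Added example (not Argus-SAF's or the project's code): parse the text report
# Argus-SAF prints for an APK and triage its components. REPORT is constructed
# from the section 6 sample, abridged, assuming one report field per line.
import re

REPORT = """\
Application Name: Ahmyth-aligned-debugSigned.apk
Uses Permissions: android.permission.CAMERA, android.permission.RECEIVE_SMS, android.permission.INTERNET, android.permission.RECEIVE_BOOT_COMPLETED
Component ahmyth.mine.king.ahmyth.MyReceiver
Component type: receiver
Exported: true
Required Permission:
IntentFilters:
IntentFilter:(Actions:["android.provider.Telephony.SMS_RECEIVED"])
IntentFilter:(Actions:["android.intent.action.QUICKBOOT_POWERON","android.intent.action.BOOT_COMPLETED"],Categories:["android.intent.category.DEFAULT"])
Inter-component communication (ICC) Result:
Component ahmyth.mine.king.ahmyth.AdminReceiver
Component type: receiver
Exported: true
Required Permission: android.permission.BIND_DEVICE_ADMIN
IntentFilters:
IntentFilter:(Actions:["android.app.action.DEVICE_ADMIN_ENABLED"])
Component ahmyth.mine.king.ahmyth.MainActivity
Component type: activity
Exported: true
Required Permission:
IntentFilters:
IntentFilter:(Actions:["android.intent.action.MAIN"],Categories:["android.intent.category.LAUNCHER"])
Component ahmyth.mine.king.ahmyth.MainService
Component type: service
Exported: false
Required Permission:
Taint analysis result:
Discovered taint paths are listed below:
"""

LAUNCHER = "android.intent.category.LAUNCHER"
BOOT_ACTIONS = {"android.intent.action.BOOT_COMPLETED",
                "android.intent.action.QUICKBOOT_POWERON"}


def _quoted_items(line, key):
    """Items of e.g. Actions:["a","b"] on an IntentFilter line."""
    m = re.search(key + r':\[([^\]]*)\]', line)
    return re.findall(r'"([^"]*)"', m.group(1)) if m else []


def _value(line):
    return line.split(":", 1)[1].strip()


def parse_report(text):
    """Return (permissions, components, taint_paths) from a report string."""
    perms, comps, paths, comp, in_paths = [], [], [], None, False
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line.startswith("Uses Permissions:"):
            perms = [p.strip() for p in _value(line).split(",") if p.strip()]
        elif line.startswith("Component type:"):  # test before "Component "
            comp["type"] = _value(line)
        elif line.startswith("Component "):
            comp = {"name": line.split(None, 1)[1], "type": "", "exported": False,
                    "permission": "", "actions": [], "categories": []}
            comps.append(comp)
        elif line.startswith("Exported:"):
            comp["exported"] = _value(line).lower() == "true"
        elif line.startswith("Required Permission:"):
            comp["permission"] = _value(line)
        elif line.startswith("IntentFilter:("):
            comp["actions"] += _quoted_items(line, "Actions")
            comp["categories"] += _quoted_items(line, "Categories")
        elif line.startswith("Discovered taint paths"):
            in_paths = True  # every following line is one taint path
        elif in_paths:
            paths.append(line)
    return perms, comps, paths


def unprotected_exported(comps):
    """Exported, no permission required, and not the launcher activity
    (which must be exported): reachable by any app on the device."""
    return [c["name"] for c in comps
            if c["exported"] and not c["permission"]
            and not (c["type"] == "activity" and LAUNCHER in c["categories"])]


def boot_receivers(comps):
    """Receivers registered for boot: a persistence trait worth noting."""
    return [c["name"] for c in comps
            if c["type"] == "receiver" and BOOT_ACTIONS & set(c["actions"])]


def analyze(text):
    perms, comps, paths = parse_report(text)
    return {"permission_count": len(perms),
            "component_count": len(comps),
            "unprotected_exported": unprotected_exported(comps),
            "boot_receivers": boot_receivers(comps),
            "taint_path_count": len(paths)}


if __name__ == "__main__":
    print(analyze(REPORT))
```

Run it directly to print the summary for the embedded sample, or pass `analyze()` the text captured from `java -jar argus-saf_***-version-assembly.jar`. Lines the parser does not recognise (the `IntentFilters:` and ICC headers) are skipped, so the full report with its `Dynamic Registered` lines parses the same way; only lines after "Discovered taint paths" are collected as taint paths.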