Android application penetration testing for the masses !
$ git clone git@github.com:gremwell/apkscanner.git
$ cd apkscanner
$ ./install_requirements.sh
$ virtualenv env
$ source env/bin/activate
$ pip install -r requirements.txt
python main.py sieve.apk --verbose --static-only
WARNING: No route found for IPv6 destination :: (no default route?)
||||||||||||||||||||||||||||||||||||||||||||||||||
|||||||||||||||||_||||||||||||||||_|||||||||||||||
|||||||||||||||||__||||||||||||||_||||||||||||||||
||||||||||||||||||_______________|||||||||||||||||
||||||||||||||||___________________|||||||||||||||
||||||||||||||____|||_________|||____|||||||||||||
|||||||||||||_____|||_________|||_____||||||||||||
||||||||||||___________________________|||||||||||
||||||||||||___________________________|||||||||||
||||||||||||||||||||||||||||||||||||||||||||||||||
||||_____|||____________________________|||____|||
||||_____|||____________________________||______||
||||_____|||____________________________||______||
||||_____|||____________________________||______||
||||_____|||____________________________||______||
||||_____|||____________________________||______||
||||_____|||____________________________||______||
||||______||____________________________||______||
||||_____|||____________________________||______||
|||||___||||____________________________|||___||||
||||||||||||____________________________||||||||||
||||||||||||____________________________||||||||||
||||||||||||___________________________|||||||||||
|||||||||||||||||______||||||_____||||||||||||||||
|||||||||||||||||______||||||_____||||||||||||||||
|||||||||||||||||______||||||_____||||||||||||||||
|||||||||||||||||______||||||_____||||||||||||||||
|||||||||||||||||______||||||_____||||||||||||||||
||||||||||||||||||||||||||||||||||||||||||||||||||
_ ____ _ ______
/ \ | _ \| |/ / ___| ___ __ _ _ __ _ __ ___ _ __
/ _ \ | |_) | ' /\___ \ / __/ _` | '_ \| '_ \ / _ \ '__|
/ ___ \| __/| . \ ___) | (_| (_| | | | | | | | __/ |
/_/ \_\_| |_|\_\____/ \___\__,_|_| |_|_| |_|\___|_|
[apkscanner v0.0.1, Quentin Kaiser(quentin@gremwell.com)]
~ Gremwell bvba - www.gremwell.com ~
[*] Building analysis directory ...
[*] Unzipping APK file ...
[*] Converting DEX to JAR ...
[*] Converting DEX to SMALI ...
[*] Decompiling JAR file ...
[*] Converting Application Manifest to human readable format ...
[*] Running Native code analyzer ...
encrypt [armeabi] - /apkscanner/analysis/com.mwr.example.sieve/code/orig/lib/armeabi/libencrypt.so
decrypt [armeabi] - /apkscanner/analysis/com.mwr.example.sieve/code/orig/lib/armeabi/libdecrypt.so
$ file /apkscanner/analysis/com.mwr.example.sieve/code/orig/lib/armeabi/libencrypt.so
ELF 32-bit LSB shared object, ARM, EABI5 version 1 (SYSV), dynamically linked, stripped
$ checksec.sh /apkscanner/analysis/com.mwr.example.sieve/code/orig/lib/armeabi/libencrypt.so
RELRO STACK CANARY NX PIE RPATH RUNPATH
Full RELRO No canary found NX enabled DSO No RPATH No RUNPATH
$ file /apkscanner/analysis/com.mwr.example.sieve/code/orig/lib/armeabi/libdecrypt.so
ELF 32-bit LSB shared object, ARM, EABI5 version 1 (SYSV), dynamically linked, stripped
$ checksec.sh /apkscanner/analysis/com.mwr.example.sieve/code/orig/lib/armeabi/libdecrypt.so
RELRO STACK CANARY NX PIE RPATH RUNPATH
Full RELRO No canary found NX enabled DSO No RPATH No RUNPATH
[*] Running Application's allowBackup bit verifier ...
[*] The application allow backups.
[*] Running Shared preferences analyzer ...
[*] Running Application's debuggable bit verifier ...
[*] The application is debuggable
[*] Running Activities analyzer ...
[*] Potentially vulnerable activity components.
[*] Running DEX sideloading finder ...
[*] Running String search ...
[*] Running Permissions analyzer ...
Lcom/mwr/example/sieve/SettingsActivity;
Manifest permissions:
android.permission.READ_EXTERNAL_STORAGE
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.INTERNET
App permissions:
android.permission.READ_CONTACTS
android.permission.ACCESS_NETWORK_STATE
android.permission.VIBRATE
[*] Running System services call finder ...
[*] Running Logging analyzer ...
[*] Running Webviews analyzer ...
[*] Running SQLite storage analyzer ...
[*] Running Obfuscation detector ...
[*] Lack of Code Obfuscation
[*] Running External storage usage analyzer ...
[*] Running Services analyzer ...
[*] Running Application intents receiver analyzer ...
[*] Running Application intents analyzer ...
[*] Running Application certificate validator ...
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 147528611 (0x8cb1ba3)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Android, CN=Android Debug
Validity
Not Before: Dec 10 16:13:17 2012 GMT
Not After : Dec 3 16:13:17 2042 GMT
Subject: C=US, O=Android, CN=Android Debug
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:96:11:e6:27:e9:90:de:65:d4:9c:a9:7b:7c:66:
e7:e5:af:aa:78:e2:a1:0e:db:fc:11:e5:80:e4:df:
75:ca:de:19:05:c6:72:b1:23:8d:ca:ce:47:20:2e:
bd:f6:e1:71:62:58:6a:a1:c8:6c:3f:bc:41:a9:b0:
e6:f9:e9:e5:9e:1e:43:75:4a:83:e9:d1:e5:0f:74:
6d:61:eb:38:0d:18:7e:fc:65:cc:8f:b0:4a:5c:13:
32:08:68:b0:ba:be:80:74:2e:50:c2:0e:82:04:fe:
63:06:aa:38:d2:07:da:a8:92:a5:23:28:92:62:7d:
ba:92:ca:7d:be:8d:3c:5c:ce:73:21:d2:bc:94:85:
37:e7:3c:58:ac:07:f4:ba:74:1b:31:e3:b7:6f:58:
90:0f:83:cf:78:b7:e5:15:eb:0f:2e:3b:02:c4:a5:
19:d0:99:c3:35:0b:0a:d1:04:6a:c1:56:14:87:07:
ee:db:5c:25:03:a0:81:08:48:ed:16:ad:13:3f:3d:
48:97:89:12:97:83:d6:3e:a2:c1:99:90:a3:db:9e:
e6:7f:87:90:2a:74:2e:a7:84:ea:bd:e0:b4:c2:96:
06:1f:c3:bc:32:d5:02:20:b1:69:f2:87:aa:e9:dd:
2f:9e:aa:89:ae:57:34:c5:a9:76:83:92:30:bb:6d:
5b:17
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
3F:A5:51:12:C9:B1:F8:26:59:3D:9D:92:3B:2C:F5:A6:98:4E:F8:E4
Signature Algorithm: sha256WithRSAEncryption
70:62:21:c5:5e:3a:58:99:78:4d:42:a1:7f:2f:d5:ac:e2:0c:
17:01:7e:74:a6:8d:bc:44:d4:bf:d1:e4:be:6e:49:bc:bd:94:
fc:f7:b2:20:53:aa:0b:17:1e:72:f1:40:41:f7:2d:02:ff:d7:
bb:3b:40:b7:20:ee:27:f1:7b:52:4f:4b:ec:3f:41:70:23:e7:
c0:40:88:0d:9d:cd:48:da:10:fc:0f:44:c8:e5:df:f6:46:c5:
c2:2b:7b:c5:10:5f:62:03:66:e0:58:f8:a1:4d:8a:a6:a8:aa:
11:8e:37:bf:87:68:0a:09:f2:96:3f:0a:c3:08:27:45:a3:24:
2a:b6:ae:69:af:cb:b8:5a:a9:6a:c6:f0:45:fd:df:62:37:9f:
ce:7a:3a:f7:6c:97:a6:83:f2:9f:4d:94:d8:78:4f:81:57:ae:
46:d7:1b:2d:45:76:ca:1d:b9:42:d1:2a:1c:36:90:e9:8f:eb:
c3:d3:e9:d3:23:8d:89:92:0a:50:f8:b8:23:1c:67:6a:5c:00:
7f:1d:4e:a2:74:69:1b:a0:5f:2e:98:f2:6b:bd:57:ce:ac:86:
3f:52:ca:21:06:aa:36:d2:2f:79:b4:a8:a4:2c:43:c5:45:eb:
d7:65:94:72:e4:7e:30:9c:ed:1d:1d:dc:ab:00:58:2c:16:35:
9e:2b:f3:3d
[*] Debug certificate.
[*] Running Application information harvester ...
[#] 'com.mwr.example.sieve' application name does not exist on Google Play
Name:
Package: com.mwr.example.sieve
Description: 1.0
Platform:
Size: 2943088
MD5: b011baaa8aac34fbdf68691e63a96a08
SHA1: 1017a046cd963d7be05c7d6302de48c94b4c6850
[*] Running Content providers analyzer ...
[*] Exported content provider.
[*] Running Android API usage ...
[*] Searching for Geolocation calls
[*] Searching for Networking calls
[*] Searching for Crypto calls
[*] Searching for Communications calls
[*] Searching for IO calls
[*] Searching for Databases calls
[*] Running Application intents sender analyzer ...
[*] Running SQL injection vector finder ...
[*] Multiple SQL injection vectors.
[*] Running Broadcast receivers analyzer ...
Analysis done - com.mwr.example.sieve - 20150603
* Disassembled code: /apkscanner/analysis/com.mwr.example.sieve/code
* Logcat files: /apkscanner/analysis/com.mwr.example.sieve/logs
* Network capture: /apkscanner/analysis/com.mwr.example.sieve/network
* Device storage dump: /apkscanner/analysis/com.mwr.example.sieve/storage
* HTML report: /apkscanner/analysis/com.mwr.example.sieve/report.html
APKScanner disassemble the provided APK file by executing the following tasks:
- unzip the file
- convert dex to jar with dex2jar
- convert dex to smali
- disassemble jar with jd-core
- convert binary xml to human readable xml
Once the file has been disassembled, APKScanner will run each module from the modules directory in successive order.
A python library take care of the Android emulator instrumentation. This library is located in libs/android. Complete documentation of this library can be found here.
APKScanner store raw analysis results as JSON in analysis/com.your.package.json file. It also output a nice and tidy
html report that summarize all information, test log and findings.
The awesome module loading code has been inspired by the one in use at Recon-ng, written by Tim Tomes.
See LICENSE file.