Exemple #1
0
    def run(self):
        result = {
            "title": "Application Does Not Implement Jailbreak Detection",
            "details": "",
            "severity": "High",
            "report": True
        }

        Log.info("Getting application's strings")
        strs = strings(self.binary)

        Log.info("Analysing strings and class dump")
        matches = re.findall(self._regex, strs)
        evidence = pretty_grep(self._regex, self.class_dump)

        if matches:
            result.update({
                "title": "Application Implements Jailbreak Detection",
                "details": "The following strings were found:\n* {}".format(
                    "\n* ".join(sorted(set(matches))))
            })

        if evidence:
            result.update({
                "title": "Application Implements Jailbreak Detection",
                "details": "{}\nThe following was found in the class dump:\n\
{}".format(result["details"], pretty_grep_to_str(evidence, self.class_dump))
            })

        return {
            "{}_result".format(self.name()): result
        }
Exemple #2
0
    def run(self):
        result = {
            "title": "Application Uses Deprecated Ciphers",
            "details": "",
            "severity": "Low",
            "report": False
        }

        # preparing variable to run
        ciphers = {}
        ignore = [filepath.strip() for filepath in self.ignore.split(";")]

        Log.info("Identifying smali directories")
        dirs = smali_dirs(self.decompiled_apk)

        Log.info("Analysing application's smali code")
        for directory in dirs:
            smali = "{}/{}".format(self.decompiled_apk, directory)
            #ssl_socket_files = pretty_grep(self.file_regex, smali)
            ciphers.update(pretty_grep(self.regex, smali))

        if ciphers:
            result.update({
                "report":
                True,
                "details":
                pretty_grep_to_str(ciphers, self.decompiled_apk, ignore)
            })

        return {"{}_result".format(self.name()): result}
Exemple #3
0
    def run(self):
        result = {
            "title": "Application Does Not Implement Root Detection",
            "details": "",
            "severity": "High",
            "report": True
        }

        # preparing variable to run
        root_detection = {}
        ignore = [filepath.strip() for filepath in self.ignore.split(";")]

        Log.info("Identifying smali directories")
        dirs = smali_dirs(self.decompiled_apk)

        Log.info("Analysing application's smali code")
        for directory in dirs:
            smali = "{}/{}".format(self.decompiled_apk, directory)
            root_detection.update(pretty_grep(self.regex, smali))

        if root_detection:
            result = {
                "title":
                "Application Has Root Detection",
                "details":
                pretty_grep_to_str(root_detection, self.decompiled_apk,
                                   ignore),
                "severity":
                "Low",
                "report":
                True
            }

        return {"{}_result".format(self.name()): result}
Exemple #4
0
    def run(self):
        result = {
            "title": "Application's WebViews Enable JavaScript",
            "details": "",
            "severity": "Medium",
            "report": False
        }

        # preparing variable to run
        filenames = {}
        ignore = [filepath.strip() for filepath in self.ignore.split(";")]

        Log.info("Identifying smali directories")
        dirs = smali_dirs(self.decompiled_apk)

        Log.info("Analysing application's smali code")
        for directory in dirs:
            smali = "{}/{}".format(self.decompiled_apk, directory)
            filenames.update(pretty_grep(self.regex, smali))

        report = {}
        # check var setting
        for file_name in filenames:
            report[file_name] = []

            for instance in filenames[file_name]:
                var_name = instance["details"].split(
                    "}", 1)[0].split(",", 1)[-1].strip()

                var_setting = track_variable(
                    var_name, instance["line"], file_name)

                for setting_line in var_setting:
                    if "0x1" in setting_line["details"]:
                        report[file_name] += var_setting

        for file_name in report:
            filenames[file_name] += report[file_name]

        if filenames:
            result.update({
                "report": True,
                "details": pretty_grep_to_str(
                    filenames, self.decompiled_apk, ignore)
            })

        return {
            "{}_result".format(self.name()): result
        }
Exemple #5
0
    def run(self):
        result = {
            "title": "Application Communicates Over Unencrypted Channels",
            "details": "",
            "severity": "High",
            "report": False
        }

        # preparing variable to run
        pretty_result = ""
        ignore = [url.strip() for url in self.ignore.split(";")]

        Log.info("Identifying smali directories")
        dirs = smali_dirs(self.decompiled_apk)

        Log.info("Analysing application's smali code")
        for directory in dirs:
            smali = "{}/{}".format(self.decompiled_apk, directory)
            urls = pretty_grep(self.regex, smali)
            to_remove = []
            for url in urls:
                for detail in urls[url]:
                    if any(iurl in detail["details"] for iurl in ignore) or \
                    detail["details"] == "http://":
                        urls[url].remove(detail)

                    if not urls[url]:
                        to_remove += [url]

            for filename in to_remove:
                urls.pop(filename)

            pretty_result += pretty_grep_to_str(urls, smali)

        if pretty_result:
            result.update({
                "report": True,
                "details": pretty_result
            })

        return {
            "{}_result".format(self.name()): result
        }
Exemple #6
0
    def run(self):
        result = {
            "title": "Application's WebViews Implement Javascript Bridges",
            "details": "",
            "severity": "Medium",
            "report": False
        }

        # preparing variable to run
        bridges = {}
        ignore = [filepath.strip() for filepath in self.ignore.split(";")]

        Log.info("Identifying smali directories")
        dirs = smali_dirs(self.decompiled_apk)

        Log.info("Analysing application's smali code")
        for directory in dirs:
            smali = "{}/{}".format(self.decompiled_apk, directory)
            bridges.update(pretty_grep(self.js_interface_regex, smali))

        report = {}
        # check var setting
        for file_name in bridges:
            report[file_name] = []

            for instance in bridges[file_name]:
                report[file_name] += method_name(instance["line"], file_name)

        bridges = {}  # TODO: check this works
        for file_name in report:
            bridges[file_name] += report[file_name]

        if bridges:
            result.update({
                "report":
                True,
                "details":
                pretty_grep_to_str(bridges, self.decompiled_apk, ignore)
            })

        return {"{}_result".format(self.name()): result}
Exemple #7
0
    def run(self):
        result = {
            "title": "Application's WebViews Are Vulnerable To Arbitrary \
Redirection",
            "details": "",
            "severity": "Low",
            "report": False
        }

        # preparing variable to run
        webview_files = {}
        overrride_url_files = {}
        ignore = [filepath.strip() for filepath in self.ignore.split(";")]

        Log.info("Identifying smali directories")
        dirs = smali_dirs(self.decompiled_apk)

        Log.info("Analysing application's smali code")
        for directory in dirs:
            smali = "{}/{}".format(self.decompiled_apk, directory)
            webview_files.update(pretty_grep(self.use_webview_regex, smali))
            overrride_url_files.update(pretty_grep(self.regex, smali))

        Log.info("Analysing WebViews")

        for filename in overrride_url_files:
            webview_files.pop(filename)

        if webview_files:
            result.update({
                "report":
                True,
                "details":
                pretty_grep_to_str(webview_files, self.decompiled_apk, ignore)
            })

        return {"{}_result".format(self.name()): result}
Exemple #8
0
    def run(self):
        result = {
            "title": "Application Is Vulnerable To Fragment Injection",
            "details": "",
            "severity": "Medium",
            "report": False
        }

        # create yaml
        apktool_module = YamlModule()
        apktool_module.decompiled_apk = self.decompiled_apk
        apktool = apktool_module.run()
        if "print" in apktool:
            return {"print": "Could not get the apktool yaml file"}
        apktool = apktool.popitem()[1]

        # preparing variable to run
        activities = {}
        ignore = [filepath.strip() for filepath in self.ignore.split(";")]

        Log.info("Identifying smali directories")
        dirs = smali_dirs(self.decompiled_apk)

        Log.info("Analysing application's apktool yaml and smali")
        for directory in dirs:
            smali = "{}/{}".format(self.decompiled_apk, directory)
            activities.update(pretty_grep(self.regex, smali))

        if activities and int(apktool.min_sdk()) < 18:
            result.update({
                "report":
                True,
                "details":
                pretty_grep_to_str(activities, self.decompiled_apk, ignore)
            })

        return {"{}_result".format(self.name()): result}
Exemple #9
0
    def run(self):
        result = {
            "title": "Application Does Not Delete Cached Files On Exit",
            "details": "",
            "severity": "Low",
            "report": False
        }

        # preparing variable to run
        webview_files = {}
        clear_cache = {}
        ignore = [filepath.strip() for filepath in self.ignore.split(";")]

        Log.info("Identifying smali directories")
        dirs = smali_dirs(self.decompiled_apk)

        Log.info("Analysing application's smali code")
        for directory in dirs:
            smali = "{}/{}".format(self.decompiled_apk, directory)
            webview_files.update(pretty_grep(self.use_webview_regex, smali))
            clear_cache.update(pretty_grep(self.regex, smali))

        Log.info("Analysing WebViews")

        for filename in clear_cache:
            webview_files.pop(filename)

        if webview_files:
            result.update({
                "report":
                True,
                "details":
                pretty_grep_to_str(webview_files, self.decompiled_apk, ignore)
            })

        return {"{}_result".format(self.name()): result}
Exemple #10
0
    def run(self):
        result = {
            "title": "Application Does Not Detect Emulators",
            "details": "",
            "severity": "Medium",
            "report": True
        }

        # preparing variable to run
        emulator_detection = {}
        ignore = [filepath.strip() for filepath in self.ignore.split(";")]

        Log.info("Identifying smali directories")
        dirs = smali_dirs(self.decompiled_apk)

        Log.info("Analysing smali code for emulator detection mechanisms")
        for directory in dirs:
            smali = "{}/{}".format(self.decompiled_apk, directory)
            emulator_detection.update(pretty_grep(self.regex, smali))

        if emulator_detection:
            result = {
                "title":
                "Application Detects Emulators",
                "details":
                "{}\n\n{}".format(
                    result["details"],
                    pretty_grep_to_str(emulator_detection, self.decompiled_apk,
                                       ignore)),
                "severity":
                "Medium",
                "report":
                True
            }

        # dynamic testing
        Log.info("Checking requirements for dynamic testing")

        if hasattr(self, "apk") and hasattr(self, "avd") and \
        hasattr(self, "identifier") and self.identifier and \
        self.apk and self.avd:
            # get available devices before starting the emulator
            available_devices = devices()

            # start emulator
            Log.info("Starting the emulator")
            emulator_process = process("emulator -avd {}".format(self.avd))

            # wait for emulator to start
            sleep(60)

            # diff devices -> get emulator
            emulator_id = list(set(devices()) - set(available_devices))

            if len(emulator_id) != 1:
                Log.warn("Could not find the emulator in the device list")
                emulator_process.kill()
                return {
                    "{}_result".format(self.name()): result,
                    "print": "Coud not start emulator or find defined avd"
                }

            device = AndroidDevice(emulator_id)

            Log.info("Installing the apk in the device")
            device.install(self.apk)
            if device.installed(self.identifier):

                while not device.unlocked():
                    Log.info("Please unlock the emulator")
                    sleep(5)

                Log.info("Starting the application")
                device.start(identifier)
                sleep(15)

                if self.identifier not in device.processes():
                    result.update({"report": False})

            emulator_process.kill()

        return {"{}_result".format(self.name()): result}
Exemple #11
0
    def run(self):
        result = {
            "title": "Application Does Not Detect Debuggers",
            "details": "",
            "severity": "Medium",
            "report": False
        }

        ignore = [filepath.strip() for filepath in self.ignore.split(";")]

        Log.info("Identifying smali directories")
        dirs = smali_dirs(self.decompiled_apk)

        Log.info("Looking for evidence in smali code")
        debug_evidence = {}
        for directory in dirs:
            smali = "{}/{}".format(self.decompiled_apk, directory)
            debug_evidence.update(pretty_grep(self.debug_regex, smali))

        if debug_evidence:
            result.update({
                "title":
                "Application Destects Debuggers",
                "report":
                True,
                "details":
                "The following evidence was found in the smali \
code:\n{}".format(
                    pretty_grep_to_str(debug_evidence, self.decompiled_apk,
                                       ignore))
            })
        else:
            result.update({
                "details": "No evidence of debug detection was found in the \
smali code.",
                "report": True
            })

        if self.repackage:
            Log.info("Trying to modify the application to be debuggable")

            # make the application debuggable
            debug_module = DModule()
            debug_module.decompiled_apk = self.decompiled_apk
            debug_module.device = self.device
            debug_module.output = None  # will default to /tmp
            debug_module.install = True
            debug_module.run()

        Log.info("Starting the application and identifying the process ID")
        self.device.start(self.identifier)
        pid = self.device.pid(self.identifier)

        if pid:
            Log.info("Forwarding local ports")
            forward(54321, pid)

            Log.info("Starting JDB")
            jdb = JDB("127.0.0.1", 54321)

            if not jdb.running():
                result.update({
                    "report":
                    True,
                    "details":
                    "{}\n\nScrounger was unable to attach a debugger\
 to the application.".format(result["details"])
                })
            else:
                result.update({
                    "report":
                    True,
                    "details":
                    "{}\n\nScrounger was able to attach a debugger \
to the application:\n\n{}".format(result["details"], jdb.read())
                })

            Log.info("Removing forwarded ports and exiting jdb")
            remove_forward()
            jdb.exit()

        else:
            Log.error("The application is not running")

        return {"{}_result".format(self.name()): result}