def run(self): result = { "title": "Application Does Not Implement Jailbreak Detection", "details": "", "severity": "High", "report": True } Log.info("Getting application's strings") strs = strings(self.binary) Log.info("Analysing strings and class dump") matches = re.findall(self._regex, strs) evidence = pretty_grep(self._regex, self.class_dump) if matches: result.update({ "title": "Application Implements Jailbreak Detection", "details": "The following strings were found:\n* {}".format( "\n* ".join(sorted(set(matches)))) }) if evidence: result.update({ "title": "Application Implements Jailbreak Detection", "details": "{}\nThe following was found in the class dump:\n\ {}".format(result["details"], pretty_grep_to_str(evidence, self.class_dump)) }) return { "{}_result".format(self.name()): result }
def run(self): result = { "title": "Application Uses Deprecated Ciphers", "details": "", "severity": "Low", "report": False } # preparing variable to run ciphers = {} ignore = [filepath.strip() for filepath in self.ignore.split(";")] Log.info("Identifying smali directories") dirs = smali_dirs(self.decompiled_apk) Log.info("Analysing application's smali code") for directory in dirs: smali = "{}/{}".format(self.decompiled_apk, directory) #ssl_socket_files = pretty_grep(self.file_regex, smali) ciphers.update(pretty_grep(self.regex, smali)) if ciphers: result.update({ "report": True, "details": pretty_grep_to_str(ciphers, self.decompiled_apk, ignore) }) return {"{}_result".format(self.name()): result}
def run(self): result = { "title": "Application Does Not Implement Root Detection", "details": "", "severity": "High", "report": True } # preparing variable to run root_detection = {} ignore = [filepath.strip() for filepath in self.ignore.split(";")] Log.info("Identifying smali directories") dirs = smali_dirs(self.decompiled_apk) Log.info("Analysing application's smali code") for directory in dirs: smali = "{}/{}".format(self.decompiled_apk, directory) root_detection.update(pretty_grep(self.regex, smali)) if root_detection: result = { "title": "Application Has Root Detection", "details": pretty_grep_to_str(root_detection, self.decompiled_apk, ignore), "severity": "Low", "report": True } return {"{}_result".format(self.name()): result}
def run(self): result = { "title": "Application's WebViews Enable JavaScript", "details": "", "severity": "Medium", "report": False } # preparing variable to run filenames = {} ignore = [filepath.strip() for filepath in self.ignore.split(";")] Log.info("Identifying smali directories") dirs = smali_dirs(self.decompiled_apk) Log.info("Analysing application's smali code") for directory in dirs: smali = "{}/{}".format(self.decompiled_apk, directory) filenames.update(pretty_grep(self.regex, smali)) report = {} # check var setting for file_name in filenames: report[file_name] = [] for instance in filenames[file_name]: var_name = instance["details"].split( "}", 1)[0].split(",", 1)[-1].strip() var_setting = track_variable( var_name, instance["line"], file_name) for setting_line in var_setting: if "0x1" in setting_line["details"]: report[file_name] += var_setting for file_name in report: filenames[file_name] += report[file_name] if filenames: result.update({ "report": True, "details": pretty_grep_to_str( filenames, self.decompiled_apk, ignore) }) return { "{}_result".format(self.name()): result }
def run(self): result = { "title": "Application Communicates Over Unencrypted Channels", "details": "", "severity": "High", "report": False } # preparing variable to run pretty_result = "" ignore = [url.strip() for url in self.ignore.split(";")] Log.info("Identifying smali directories") dirs = smali_dirs(self.decompiled_apk) Log.info("Analysing application's smali code") for directory in dirs: smali = "{}/{}".format(self.decompiled_apk, directory) urls = pretty_grep(self.regex, smali) to_remove = [] for url in urls: for detail in urls[url]: if any(iurl in detail["details"] for iurl in ignore) or \ detail["details"] == "http://": urls[url].remove(detail) if not urls[url]: to_remove += [url] for filename in to_remove: urls.pop(filename) pretty_result += pretty_grep_to_str(urls, smali) if pretty_result: result.update({ "report": True, "details": pretty_result }) return { "{}_result".format(self.name()): result }
def run(self): result = { "title": "Application's WebViews Implement Javascript Bridges", "details": "", "severity": "Medium", "report": False } # preparing variable to run bridges = {} ignore = [filepath.strip() for filepath in self.ignore.split(";")] Log.info("Identifying smali directories") dirs = smali_dirs(self.decompiled_apk) Log.info("Analysing application's smali code") for directory in dirs: smali = "{}/{}".format(self.decompiled_apk, directory) bridges.update(pretty_grep(self.js_interface_regex, smali)) report = {} # check var setting for file_name in bridges: report[file_name] = [] for instance in bridges[file_name]: report[file_name] += method_name(instance["line"], file_name) bridges = {} # TODO: check this works for file_name in report: bridges[file_name] += report[file_name] if bridges: result.update({ "report": True, "details": pretty_grep_to_str(bridges, self.decompiled_apk, ignore) }) return {"{}_result".format(self.name()): result}
def run(self): result = { "title": "Application's WebViews Are Vulnerable To Arbitrary \ Redirection", "details": "", "severity": "Low", "report": False } # preparing variable to run webview_files = {} overrride_url_files = {} ignore = [filepath.strip() for filepath in self.ignore.split(";")] Log.info("Identifying smali directories") dirs = smali_dirs(self.decompiled_apk) Log.info("Analysing application's smali code") for directory in dirs: smali = "{}/{}".format(self.decompiled_apk, directory) webview_files.update(pretty_grep(self.use_webview_regex, smali)) overrride_url_files.update(pretty_grep(self.regex, smali)) Log.info("Analysing WebViews") for filename in overrride_url_files: webview_files.pop(filename) if webview_files: result.update({ "report": True, "details": pretty_grep_to_str(webview_files, self.decompiled_apk, ignore) }) return {"{}_result".format(self.name()): result}
def run(self): result = { "title": "Application Is Vulnerable To Fragment Injection", "details": "", "severity": "Medium", "report": False } # create yaml apktool_module = YamlModule() apktool_module.decompiled_apk = self.decompiled_apk apktool = apktool_module.run() if "print" in apktool: return {"print": "Could not get the apktool yaml file"} apktool = apktool.popitem()[1] # preparing variable to run activities = {} ignore = [filepath.strip() for filepath in self.ignore.split(";")] Log.info("Identifying smali directories") dirs = smali_dirs(self.decompiled_apk) Log.info("Analysing application's apktool yaml and smali") for directory in dirs: smali = "{}/{}".format(self.decompiled_apk, directory) activities.update(pretty_grep(self.regex, smali)) if activities and int(apktool.min_sdk()) < 18: result.update({ "report": True, "details": pretty_grep_to_str(activities, self.decompiled_apk, ignore) }) return {"{}_result".format(self.name()): result}
def run(self): result = { "title": "Application Does Not Delete Cached Files On Exit", "details": "", "severity": "Low", "report": False } # preparing variable to run webview_files = {} clear_cache = {} ignore = [filepath.strip() for filepath in self.ignore.split(";")] Log.info("Identifying smali directories") dirs = smali_dirs(self.decompiled_apk) Log.info("Analysing application's smali code") for directory in dirs: smali = "{}/{}".format(self.decompiled_apk, directory) webview_files.update(pretty_grep(self.use_webview_regex, smali)) clear_cache.update(pretty_grep(self.regex, smali)) Log.info("Analysing WebViews") for filename in clear_cache: webview_files.pop(filename) if webview_files: result.update({ "report": True, "details": pretty_grep_to_str(webview_files, self.decompiled_apk, ignore) }) return {"{}_result".format(self.name()): result}
def run(self): result = { "title": "Application Does Not Detect Emulators", "details": "", "severity": "Medium", "report": True } # preparing variable to run emulator_detection = {} ignore = [filepath.strip() for filepath in self.ignore.split(";")] Log.info("Identifying smali directories") dirs = smali_dirs(self.decompiled_apk) Log.info("Analysing smali code for emulator detection mechanisms") for directory in dirs: smali = "{}/{}".format(self.decompiled_apk, directory) emulator_detection.update(pretty_grep(self.regex, smali)) if emulator_detection: result = { "title": "Application Detects Emulators", "details": "{}\n\n{}".format( result["details"], pretty_grep_to_str(emulator_detection, self.decompiled_apk, ignore)), "severity": "Medium", "report": True } # dynamic testing Log.info("Checking requirements for dynamic testing") if hasattr(self, "apk") and hasattr(self, "avd") and \ hasattr(self, "identifier") and self.identifier and \ self.apk and self.avd: # get available devices before starting the emulator available_devices = devices() # start emulator Log.info("Starting the emulator") emulator_process = process("emulator -avd {}".format(self.avd)) # wait for emulator to start sleep(60) # diff devices -> get emulator emulator_id = list(set(devices()) - set(available_devices)) if len(emulator_id) != 1: Log.warn("Could not find the emulator in the device list") emulator_process.kill() return { "{}_result".format(self.name()): result, "print": "Coud not start emulator or find defined avd" } device = AndroidDevice(emulator_id) Log.info("Installing the apk in the device") device.install(self.apk) if device.installed(self.identifier): while not device.unlocked(): Log.info("Please unlock the emulator") sleep(5) Log.info("Starting the application") device.start(identifier) sleep(15) if self.identifier not in device.processes(): result.update({"report": False}) emulator_process.kill() return {"{}_result".format(self.name()): result}
def run(self): result = { "title": "Application Does Not Detect Debuggers", "details": "", "severity": "Medium", "report": False } ignore = [filepath.strip() for filepath in self.ignore.split(";")] Log.info("Identifying smali directories") dirs = smali_dirs(self.decompiled_apk) Log.info("Looking for evidence in smali code") debug_evidence = {} for directory in dirs: smali = "{}/{}".format(self.decompiled_apk, directory) debug_evidence.update(pretty_grep(self.debug_regex, smali)) if debug_evidence: result.update({ "title": "Application Destects Debuggers", "report": True, "details": "The following evidence was found in the smali \ code:\n{}".format( pretty_grep_to_str(debug_evidence, self.decompiled_apk, ignore)) }) else: result.update({ "details": "No evidence of debug detection was found in the \ smali code.", "report": True }) if self.repackage: Log.info("Trying to modify the application to be debuggable") # make the application debuggable debug_module = DModule() debug_module.decompiled_apk = self.decompiled_apk debug_module.device = self.device debug_module.output = None # will default to /tmp debug_module.install = True debug_module.run() Log.info("Starting the application and identifying the process ID") self.device.start(self.identifier) pid = self.device.pid(self.identifier) if pid: Log.info("Forwarding local ports") forward(54321, pid) Log.info("Starting JDB") jdb = JDB("127.0.0.1", 54321) if not jdb.running(): result.update({ "report": True, "details": "{}\n\nScrounger was unable to attach a debugger\ to the application.".format(result["details"]) }) else: result.update({ "report": True, "details": "{}\n\nScrounger was able to attach a debugger \ to the application:\n\n{}".format(result["details"], jdb.read()) }) Log.info("Removing forwarded ports and exiting jdb") remove_forward() jdb.exit() else: Log.error("The application is not running") return {"{}_result".format(self.name()): result}