Static Analysis Frameworks
MARA is a Mobile Application Reverse engineering and Analysis Framework. It is a tool that puts together commonly used mobile application reverse engineering and analysis tools to assist in testing mobile applications against the OWASP mobile security threats. Its objective is to make this task easier and friendlier for mobile application developers and security professionals.
Features:
APK Manifest Analysis
Extract Intents
Extract exported activities
Extract receivers
Extract exported receivers
Extract Services
Extract exported services
Check if apk is debuggable
Check if apk allows backups
Check if apk allows sending of secret codes
Check if apk can receive binary SMS
Security Analysis
Source code static analysis based on OWASP Top Mobile Top 10 and the OWASP Mobile Apps Checklist.
MARA is capable of performing either single or mass analysis of apk, dex or jar files.
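The manifest checks listed above (debuggable, backups, secret codes, binary SMS, exported components), and the manifest analysis and browsable-activity listing MobSF provides later on this page, as an added Python example that is not code from MARA, QARK or MobSF: it parses a constructed sample manifest (hypothetical package and component names) and flags those conditions the way a static manifest analyzer would.

```python
import xml.etree.ElementTree as ET
NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest for a hypothetical app; the weak settings are deliberate.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
 <application android:debuggable="true" android:allowBackup="true">
  <activity android:name=".MainActivity" android:exported="true">
   <intent-filter><action android:name="android.intent.action.VIEW"/>
    <category android:name="android.intent.category.BROWSABLE"/><data android:scheme="demo"/></intent-filter>
  </activity>
  <service android:name=".SyncService" android:exported="true"/>
  <receiver android:name=".DataSmsReceiver">
   <intent-filter><action android:name="android.intent.action.DATA_SMS_RECEIVED"/>
    <data android:scheme="sms" android:port="8091"/></intent-filter>
  </receiver>
  <receiver android:name=".SecretCodeReceiver">
   <intent-filter><action android:name="android.provider.Telephony.SECRET_CODE"/>
    <data android:scheme="android_secret_code" android:host="1234"/></intent-filter>
  </receiver>
 </application>
</manifest>"""

def a(el, name):
    """Read an android:-namespaced attribute (None if absent)."""
    return el.get(NS + name)

def is_exported(comp):
    """Explicit android:exported wins; otherwise a component with an intent-filter is implicitly exported."""
    v = a(comp, "exported")
    return v.lower() == "true" if v is not None else comp.find("intent-filter") is not None

def filter_has(comp, tag, value):
    """True if any intent-filter of comp contains <tag android:name=value>."""
    return any(a(x, "name") == value for f in comp.findall("intent-filter") for x in f.findall(tag))

def analyze_manifest(xml_text):
    app = ET.fromstring(xml_text).find("application")
    return {
        "debuggable": a(app, "debuggable") == "true",
        "allow_backup": a(app, "allowBackup") != "false",  # attribute absent means backups allowed
        "exported": {k: [a(c, "name") for c in app.iter(k) if is_exported(c)]
                     for k in ("activity", "service", "receiver")},
        "browsable": [a(c, "name") for c in app.iter("activity")
                      if filter_has(c, "category", "android.intent.category.BROWSABLE")],
        "secret_code": [a(c, "name") for c in app.iter("receiver")
                        if filter_has(c, "action", "android.provider.Telephony.SECRET_CODE")],
        # binary (data) SMS are delivered via DATA_SMS_RECEIVED with a port on the <data> element
        "binary_sms": [a(c, "name") for c in app.iter("receiver")
                       if filter_has(c, "action", "android.intent.action.DATA_SMS_RECEIVED")
                       and any(a(d, "port") for f in c.findall("intent-filter") for d in f.findall("data"))],
    }
```

Receivers and activities that declare an intent-filter without an explicit android:exported value are reported as exported, which is the implicit default the checks above are looking for.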

QARK is a static code analysis tool designed to recognize potential security vulnerabilities and points of concern in Java-based Android applications. QARK was designed to be community based, available to everyone and free to use. QARK educates developers and information security personnel about potential risks related to Android application security, providing clear descriptions of issues and links to authoritative reference sources. QARK also attempts to provide dynamically generated ADB (Android Debug Bridge) commands to aid in the validation of the potential vulnerabilities it detects. Whenever possible, it will even dynamically create a custom-built testing application, in the form of a ready-to-use APK, designed specifically to demonstrate the potential issues it discovers.


My favorite tool is Mobile Security Framework (MobSF), an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.

1. Information
Displays data such as app icon, app name, size, package name, etc. The MD5 & SHA1 hashes are also shown; they can be useful to detect known malicious applications.
2. Scan options
Rescan the application.
Start the dynamic analysis.
Check the Java code & the manifest file.
3. Signer certificate
Displays certificate info.
Determines whether an application has come from its original source.
4. Permissions
Analyzes the permissions.
Determines the criticality status of each permission & shows its description.
5. Binary Analysis
Threat assessment & vulnerability testing at the binary code level.
It can also be used to analyze third-party libraries, allowing a richer analysis & better visibility into how applications will interact with those libraries.
Binary code analysis identifies security issues without source code; for complex systems that use third-party libraries whose source code is not available, it helps to identify issues that source analysis would miss.
6. Android API
You can view the Android APIs used in the app, such as Java reflection or location.
7. Browsable activities
Activities that can be safely invoked from a browser.
8. Security analysis
Manifest analysis
Finds vulnerabilities inside the components declared in the AndroidManifest.xml file.
Code analysis
Results of the static analysis of the Java code.
Identifies potential vulnerabilities, their severity & the files in which each type of vulnerability was found.
CVSS:
Common Vulnerability Scoring System.
Each vulnerability is assigned a CVSS base score between 0.0 & 10.0.
0.0 → No risk
0.1–3.9 → Low risk
4.0–6.9 → Medium risk
7.0–8.9 → High risk
9.0–10.0 → Critical risk score
CWE:
Common Weakness Enumeration.
It is a list of software architecture, design or code weaknesses.
File analysis
Shows the analysis of the files in the package.
9. Malware analysis
Determines the functionality, origin & potential impact of a given malware sample, such as a virus.
10. Reconnaissance
URL
Displays the list of URLs, IP addresses & the files in which they are stored or called. Analyzes where the Android app sends data & where it stores information.
Emails
Strings
Analyzes the text files in the res directory, which may contain sensitive data.
11. Components
Displays a complete list of components (activity, service, content provider & receiver), imported libraries & files without a defined extension.