• Guest
HabraHabr
  • Main
  • Users

  • Development
    • Programming
    • Information Security
    • Website development
    • JavaScript
    • Game development
    • Open source
    • Developed for Android
    • Machine learning
    • Abnormal programming
    • Java
    • Python
    • Development of mobile applications
    • Analysis and design of systems
    • .NET
    • Mathematics
    • Algorithms
    • C#
    • System Programming
    • C++
    • C
    • Go
    • PHP
    • Reverse engineering
    • Assembler
    • Development under Linux
    • Big Data
    • Rust
    • Cryptography
    • Entertaining problems
    • Testing of IT systems
    • Testing Web Services
    • HTML
    • Programming microcontrollers
    • API
    • High performance
    • Developed for iOS
    • CSS
    • Industrial Programming
    • Development under Windows
    • Image processing
    • Compilers
    • FPGA
    • Professional literature
    • OpenStreetMap
    • Google Chrome
    • Data Mining
    • PostgreSQL
    • Development of robotics
    • Visualization of data
    • Angular
    • ReactJS
    • Search technologies
    • Debugging
    • Test mobile applications
    • Browsers
    • Designing and refactoring
    • IT Standards
    • Solidity
    • Node.JS
    • Git
    • LaTeX
    • SQL
    • Haskell
    • Unreal Engine
    • Unity3D
    • Development for the Internet of things
    • Functional Programming
    • Amazon Web Services
    • Google Cloud Platform
    • Development under AR and VR
    • Assembly systems
    • Version control systems
    • Kotlin
    • R
    • CAD/CAM
    • Customer Optimization
    • Development of communication systems
    • Microsoft Azure
    • Perfect code
    • Atlassian
    • Visual Studio
    • NoSQL
    • Yii
    • Mono и Moonlight
    • Parallel Programming
    • Asterisk
    • Yandex API
    • WordPress
    • Sports programming
    • Lua
    • Microsoft SQL Server
    • Payment systems
    • TypeScript
    • Scala
    • Google API
    • Development of data transmission systems
    • XML
    • Regular expressions
    • Development under Tizen
    • Swift
    • MySQL
    • Geoinformation services
    • Global Positioning Systems
    • Qt
    • Dart
    • Django
    • Development for Office 365
    • Erlang/OTP
    • GPGPU
    • Eclipse
    • Maps API
    • Testing games
    • Browser Extensions
    • 1C-Bitrix
    • Development under e-commerce
    • Xamarin
    • Xcode
    • Development under Windows Phone
    • Semantics
    • CMS
    • VueJS
    • GitHub
    • Open data
    • Sphinx
    • Ruby on Rails
    • Ruby
    • Symfony
    • Drupal
    • Messaging Systems
    • CTF
    • SaaS / S+S
    • SharePoint
    • jQuery
    • Puppet
    • Firefox
    • Elm
    • MODX
    • Billing systems
    • Graphical shells
    • Kodobred
    • MongoDB
    • SCADA
    • Hadoop
    • Gradle
    • Clojure
    • F#
    • CoffeeScript
    • Matlab
    • Phalcon
    • Development under Sailfish OS
    • Magento
    • Elixir/Phoenix
    • Microsoft Edge
    • Layout of letters
    • Development for OS X
    • Forth
    • Smalltalk
    • Julia
    • Laravel
    • WebGL
    • Meteor.JS
    • Firebird/Interbase
    • SQLite
    • D
    • Mesh-networks
    • I2P
    • Derby.js
    • Emacs
    • Development under Bada
    • Mercurial
    • UML Design
    • Objective C
    • Fortran
    • Cocoa
    • Cobol
    • Apache Flex
    • Action Script
    • Joomla
    • IIS
    • Twitter API
    • Vkontakte API
    • Facebook API
    • Microsoft Access
    • PDF
    • Prolog
    • GTK+
    • LabVIEW
    • Brainfuck
    • Cubrid
    • Canvas
    • Doctrine ORM
    • Google App Engine
    • Twisted
    • XSLT
    • TDD
    • Small Basic
    • Kohana
    • Development for Java ME
    • LiveStreet
    • MooTools
    • Adobe Flash
    • GreaseMonkey
    • INFOLUST
    • Groovy & Grails
    • Lisp
    • Delphi
    • Zend Framework
    • ExtJS / Sencha Library
    • Internet Explorer
    • CodeIgniter
    • Silverlight
    • Google Web Toolkit
    • CakePHP
    • Safari
    • Opera
    • Microformats
    • Ajax
    • VIM
  • Administration
    • System administration
    • IT Infrastructure
    • *nix
    • Network technologies
    • DevOps
    • Server Administration
    • Cloud computing
    • Configuring Linux
    • Wireless technologies
    • Virtualization
    • Hosting
    • Data storage
    • Decentralized networks
    • Database Administration
    • Data Warehousing
    • Communication standards
    • PowerShell
    • Backup
    • Cisco
    • Nginx
    • Antivirus protection
    • DNS
    • Server Optimization
    • Data recovery
    • Apache
    • Spam and antispam
    • Data Compression
    • SAN
    • IPv6
    • Fidonet
    • IPTV
    • Shells
    • Administering domain names
  • Design
    • Interfaces
    • Web design
    • Working with sound
    • Usability
    • Graphic design
    • Design Games
    • Mobile App Design
    • Working with 3D-graphics
    • Typography
    • Working with video
    • Work with vector graphics
    • Accessibility
    • Prototyping
    • CGI (graphics)
    • Computer Animation
    • Working with icons
  • Control
    • Careers in the IT industry
    • Project management
    • Development Management
    • Personnel Management
    • Product Management
    • Start-up development
    • Managing the community
    • Service Desk
    • GTD
    • IT Terminology
    • Agile
    • Business Models
    • Legislation and IT-business
    • Sales management
    • CRM-systems
    • Product localization
    • ECM / EDS
    • Freelance
    • Venture investments
    • ERP-systems
    • Help Desk Software
    • Media management
    • Patenting
    • E-commerce management
    • Creative Commons
  • Marketing
    • Conferences
    • Promotion of games
    • Internet Marketing
    • Search Engine Optimization
    • Web Analytics
    • Monetize Web services
    • Content marketing
    • Monetization of IT systems
    • Monetize mobile apps
    • Mobile App Analytics
    • Growth Hacking
    • Branding
    • Monetize Games
    • Display ads
    • Contextual advertising
    • Increase Conversion Rate
  • Sundry
    • Reading room
    • Educational process in IT
    • Research and forecasts in IT
    • Finance in IT
    • Hakatonas
    • IT emigration
    • Education abroad
    • Lumber room
    • I'm on my way

Static analysis of mobile applications

Static analysis of mobile applications  
 
One of the stages of testing a mobile application is static analysis. Static application analysis is an application analysis without performing any application functions. The most convenient for me from open source frameworks is MobSF. Who cares, welcome under cat. link .
 
 
After installing MobSF - run the following batnichek to start the server (I wrote for myself, therefore, drive D).
 
d:
cd .MobSF
python .manage.py runserver

 
 
Next you need to go to the address http[:]//???.1:8000 and the main page opens (Fig. 1). There is not much functionality here:
 
3r366.  
file upload;
 
view reports on past scans;
 
go to API documentation;
 
transition to GitHub project.
 
 
 
Fig. 1. Homepage.
 
 
After the file has been downloaded and analyzed, a page appears with the result of the analysis (Fig. 2). On the left is a menu that allows you to navigate quickly across the entire page (the result is simply volume). What useful information is on this screenshot:
 
3r366.  
application hash sum;
 
supported OS versions of Android;
 
the number and types of components (exported or not) is important, as exported components can lead to critical vulnerabilities;
 
the ability to view and download java- and smali-files that can be analyzed by other tools or manually;
 
view the manifest file for analysis.
 
 
 
3r388.
 
Fig. 2. The result of the analysis.
 
 
We go further. In fig. 3 shows information on the certificate that signed the application.
 
 
3r399.
 
Fig. 3. Certificate Information.
 
 
The following is a description of the permissions analysis, which are described in the AndroidManifest.xml file (Fig. 4). MobSF analyzes the permissions of the application, determines its status, for criticality and the description of permissions. Here you need to understand the architecture of the Android OS for the actual criticality of the application.
 
 
3r31-10.
 
Fig. 4. Analysis of Android Permissions /
 
 
The Security Analysis -> Code Analysis tab (Figure 5) shows the result of the analysis of java-code by a static analyzer, which identifies potential vulnerabilities, determines their criticality and the files in which this type of vulnerability was found. In many ways, these results are false positive, but you need to recheck it all.
 
 
 
Fig. 5. Code analysis.
 
 
The next tab (Fig. 6) is the analysis of files on the virustotal.com service. In this case, the file was not detected as infected.
 
 
3r33132.
 
Fig. 6. File analysis.
 
 
The URLs tab (Figure 7) displays the list of URLs, IP addresses and the files in which they are stored or called. This section analyzes where the application sends the data or where it stores the information.
 
 
3r3143.
 
Fig. 7. Tabs URLs.
 
 
The “Strings” tab (Fig. 8) analyzes the text files that are in the res directory. When analyzing an application, these files may contain hard-to-find accounts and other sensitive data. Although in my memory this was not.
 
 
3r3154.
 
Fig. 8. Analysis of text files.
 
 
The “Components” tab (Fig. 9) displays a complete list of components (activity, service, content provider and receives), imported libraries and files without defining an extension.
 
 
3r3165.
 
Fig. 9. List of components.
 
 
Additionally, the source code can be analyzed using the VCG scanner static analyzer. VCG needs source code. The source code can be downloaded via the Download Java Code button (Figure 10). The file is downloaded in a zip archive. Next you need to extract the folder with the files from the archive (Fig. 11).
 
 
3r3176.
 
Fig. 10. Downloading source code.
 
 
3r3183.
 
Fig. 11. Extract the source code.
 
 
Scanning the source code is done as follows:
 
3r3192.  
In the “Settings” tab, select the “Java” item - Figure 12. 3-333201.  
In the “File” tab, select “New Target Directory” - Figure 13. 3r3-33201.  
In the “Scan” tab, select “Full scan” - figure 14.
 
 
 
3r3208.
 
Fig. 12. The choice of source code.
 
 
 
Fig. 13. Uploading the file directory.
 
 
 
Fig. 14. Start scanning.
 
 
After the scan is completed, the scanner issues the names of the vulnerability, its criticality, a brief description and place in the source code (Fig. 15). You can get a complete list of vulnerabilities and sort them by their criticality (Fig. 16).
 
 
Fig. 15. Description of vulnerabilities.
 
 
 
Fig. 16. Full list of vulnerabilities.
 
 
Conclusion
 
 
Static analysis of the application and source code provides basic concepts about the architecture of the application and the potential attack vectors. According to the methodology used in the company 3r33232. Hacken
the analysis of any applications from the client that came to Pentest begins with it.

It may be interesting

  • Comments
  • About article
  • Similar news
This publication has no comments.

weber

Author

9-11-2018, 13:20

Publication Date

Development / Information Security

Category
  • Comments: 0
  • Views: 311
Dynamic testing of Android applications
Analysis of the quality of educational
Project RealWorld: comparison of
We use PHP for the purpose of
Why embedded-developers should use
WhiteList vs BlackList: how to
Write a comment
Name:*
E-Mail:


Comments
this is really nice to read..informative post is very good to read..thanks a lot! How is the cost of house cleaning calculated?
Yesterday, 17:14

Legend SEO

It’s very informative and you are obviously very knowledgeable in this area. You have opened my eyes to varying views on this topic with interesting and solid content.

entegrasyon programları
Yesterday, 17:09

taxiseo2

I am really enjoying reading your well written articles. It looks like you spend a lot of effort and time on your blog. I have bookmarked it and I am looking forward to reading new articles. Keep up the good work.

entegrasyon programları
Yesterday, 17:02

taxiseo2

I found so many interesting stuff in your blog especially its discussion. From the tons of comments on your articles, I guess I am not the only one having all the enjoyment here! keep up the good work...먹튀

Yesterday, 16:50

raymond weber

Lose Weight Market provides the best fitness tips, workout guides, keto recipes and diet plans, yoga workout routine and plans, healthy recipes, and more! Check Out: Lose Weight Market


Corvus Health provides medical training services as well as recruiting high quality health workers for you or placing our own best team in your facility. Check Out: Health Workforce Recruitment




I.T HATCH offers a wide range of IT services including remote access setup, small business servers, data storage solutions, IT strategy services, and more. Check Out: IT strategy services
Yesterday, 22:33

noorseo

Adv
Website for web developers. New scripts, best ideas, programming tips. How to write a script for you here, we have a lot of information about various programming languages. You are a webmaster or a beginner programmer, it does not matter, useful articles will help to make your favorite business faster.

Login

Registration Forgot password