This article is part of a series:
Android Security Analysis Tools, part two - DIVA app and AndroBugs
In the previous article, we began our exploration of security testing in Android applications. We started by discussing the testing problem and analyzing the first testing tools suggested by OWASP Mobile Testing Guide (MSTG). In this chapter, we will focus on the next tool for static security analysis suggested by MSTG - AndroBugs.
Before we get to the analysis tool, we should discuss one important matter - benchmarks. Having a reference point is a critical aspect of security testing. That kind of reference will introduce the testing context and provide the data that our results can be compared with. It is especially important at the reviewer’s training stage. The reference point can help to better understand the testing context and the scope of the expected results. The problem is finding a good benchmark. Such a benchmark will be a visualisation of a complex or interesting case which will make it more valuable for the testers. As an example, for mobile security testing, we can use the DIVA project.
DIVA, aka the Damn Insecure and Vulnerable App, is an Android application designed and created by Payatu. The app is designed in such way as to be extremely insecure. It was created to teach developers, QA, pentesters, students, etc. about potential vulnerabilities in Android Applications. It contains several common vulnerabilities, issues and bad coding practices covering both JAVA and native code.
The app contains several issues on different levels like:
- Insecure logging,
- Insecure data storage,
- Access control issues,
- Hardcoding issues,
- Validation issues,
- Permissions misuse,
- Manifest issues,
- ...and many more.
DIVA is published under the GNU GPL v3.0 license, so you can use it as a benchmark for your experiments or just to improve your skills. We used it to create all the examples for this series of articles. Here are some useful links related to DIVA:
- GitHub - https://github.com/payatu/diva-android
- APK file - https://payatu.com/wp-content/uploads/2016/01/diva-beta.tar.gz
- Payatu’s web page - https://payatu.com/damn-insecure-and-vulnerable-app/
AndroBugs is the second tool discussed in our series. According to the author, AndroBugs is a security testing framework for Android apps that was designed to help developers (or hackers) to find security vulnerabilities. The framework has been written in Python and published under the GNU General Public License v3.0. One very important piece of information is that AndroBugs works directly on the APK file. This means that you don’t need to have root permissions on your device to analyze an app. You don’t even need to have a device. The AndroBugs framework contains several security features:
- Security vulnerability searching,
- Best practices verification,
- Dangerous command verification,
- Massive analysis (multiple apps analysis at one time).
To run AndroBugs you need to fulfill only one requirement: having Python 2.7.x installed. There is also an additional requirement if you want to use Massive Analysis. To use this feature you need to have the PyMongo library installed. Massive Analysis is a mode of the AndroBugs framework that allows you to run an analysis for a large number of apps at the same time. The Mongo database is used to optimise analysis and save results. Later you can easily filter results in multiple ways using filtering commands.
To run the AndroBugs in basic analysis mode you can use this command:
python androbugs.py ./APKs/diva-beta.apk
For MassiveAnalysis just use this command line:
python AndroBugs_MassiveAnalysis.py -b 20181010 -t TestTag -d ~/APKs/
python AndroBugs_MassiveAnalysis.py -b [Your_Analysis_Number]
-t [Your_Analysis_Tag] -d [APKs input directory] -o [Report output directory]
Below you can find an example output file that was generated by the AndroBugs framework. As you can see, the output is split into three main sections.
The first section contains basic information about the analysed app. There, you can find data like package name, version and build name, both SDK versions (minimum and target), and fingerprints of the APK file.
Under the basic info section, you can find the main result of the analysis. The next section contains a list of detected vulnerabilities. Each of them is classified with a predefined severity level. This classification can be very useful for reviewers. It will allow them to group detected vulnerabilities and prioritize tasks related to them.
Moreover, each item contains more detailed information about the detected issue. There, you can find a description of the issue with links to articles with an elaborate description of the issue. The description can also contain a link to the part of the source code where the issue was found. Unfortunately, the links only appear for Smali code, so to find the exact method you need to manually perform decompilation.
The last section of the result file contains simple analysis statistics and analysis time. Below you can find the results of the analysis of the DIVA app.
- Elements grouped by severity: Critical, Warning, Notice, Info
- Operating on Smali code (no source code needed)
- Contains several, hardcoded vectors of vulnerabilities (searching for vectors in code)
- Optimized searching
- Searching for suspicious fragments of code and then checking the method execution context
- Massive analysis (many apps in one run)
- No root access needed
- No additional client app needed on the device
- Extensive analysis
- Not maintained
- The last commit to the repository was published over 3 years ago
- Many false positives - from tools or Google libs
- It can make review process more complex especially when the tool is used in automatized process;
- Integration is more complex in basic setup
- Basic output file is raw text,
AndroBugs is another static analysis tool suggested by OWASP MSTG for checking the security of Android apps. It is a very easy-to-use but effective tool. It is based on Python scripts and it seems to be very precise. A very important aspect is the fact that analysis is based on predefined vectors. You can also add your own vectors. Thanks to this feature you can easily extend detection capabilities. Vulnerability vectors are also the base of the optimization engine which, together with Massive Analysis mode, can significantly reduce the time of the analysis, especially when working on multiple applications at once.
Another important element is the output and the information that it holds. The most important feature of the output file is severity classification. In my opinion, it can make the work of the reviewer much easier. Unfortunately, the output file is presented as plain text. The lack of a defined structure (like in JAADAS) can significantly inhibit integration with other tools in your CI/CD stack.
However, the biggest drawback is, in my opinion, the fact that the tool is not maintained. The last commit to the repository was published almost three years ago. Four versions of Android have been released since then. This is very important due to the fact that all of these versions contain major updates related to security. In my opinion, the vector set should be updated with adjustments to new versions of the Android SDK. Unfortunately, this requires additional work. This, in turn, may disqualify AndroiBugs as a tool that can be easily and quickly integrated with your existing CI/CD stack.
Other articles from this series: