
Awesome

TL;DR

Sample Analysis

Installation (Tested on Kali 2017)

You have two options: use Docker with the provided Dockerfile, or follow the instructions below for a manual setup:

Pre-requisites

Instructions

Usage

Config File (droidstatx.config)

[Settings] - General Settings

[CustomChecks] - Area to configure custom checks

Methodology

As stated above, this was the main driving goal behind the tool's development. The Xmind map's Methodology topic is structured following the OWASP Mobile Top 10 2016 categories.

Each category has topics that you will need to cover, in the form of a checklist, to guarantee and highlight coverage. Each topic links to the respective chapter of the OWASP Mobile Security Testing Guide (MSTG), which explains the vulnerability and how to confirm its existence. I collaborated a little on the OWASP MSTG project and have to give a big shout out to Bernhard and Sven for creating the project and bringing a lot of people together to develop it.

The tool automatically fills some of the topics with evidence gathered during the analysis, to help decide whether each finding is a true or a false positive.

Each time the tool runs against a package, if the Xmind map already exists, a new tab is created in the workbook. This way it is possible to keep a history file of every version tested and compare it against previous runs.

Information Returned

Under the Hood

The Androguard toolkit by Anthony Desnos is used to gather all the package information (properties, components, files, etc.).

For the Xmind map generation, the XMind SDK for Python from XMind is used, which unfortunately stopped receiving updates four years ago. A fork of the project was required to add some features, such as support for the topic structure. A pull request with these changes was submitted to their repository; if it is merged, the project will switch to using their repository instead.

The static code analysis is done by using apktool, from Ryszard Wiśniewski and Connor Tumbleson, to disassemble the Dalvik bytecode into smali, and then using grep and sed for pattern checking over the smali output.
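To make the grep/sed approach concrete, here is an added example (not droidstatx's own check code) of a pattern check over disassembled smali. It looks for calls to `android.webkit.WebSettings.setJavaScriptEnabled(Z)V`, a common OWASP MSTG WebView check, and shows the caveat a practitioner runs into with plain grep: every call site matches, whether JavaScript is being enabled or disabled. Resolving the last `const` written to the argument register before the `invoke` separates the true positives from the false ones, which is the kind of evidence the methodology map is meant to carry. The smali text is constructed by hand to look like `apktool d` output, and the target method name and the helper function names are assumptions, not anything from the page.

```python
"""Pattern check over disassembled smali (added example, not droidstatx's code).

Assumptions, not taken from the page:
- SAMPLE_SMALI is constructed by hand to resemble `apktool d` output.
- TARGET is android.webkit.WebSettings.setJavaScriptEnabled(Z)V.
"""
import re

# Constructed sample: a WebView helper class with one enabling and one
# disabling call site. A plain grep for TARGET flags both.
SAMPLE_SMALI = """\
.class public Lcom/example/WebHelper;
.super Ljava/lang/Object;

.method public enable(Landroid/webkit/WebView;)V
    .locals 2
    invoke-virtual {p1}, Landroid/webkit/WebView;->getSettings()Landroid/webkit/WebSettings;
    move-result-object v0
    const/4 v1, 0x1
    invoke-virtual {v0, v1}, Landroid/webkit/WebSettings;->setJavaScriptEnabled(Z)V
    return-void
.end method

.method public disable(Landroid/webkit/WebView;)V
    .locals 2
    invoke-virtual {p1}, Landroid/webkit/WebView;->getSettings()Landroid/webkit/WebSettings;
    move-result-object v0
    const/4 v1, 0x0
    invoke-virtual {v0, v1}, Landroid/webkit/WebSettings;->setJavaScriptEnabled(Z)V
    return-void
.end method
"""

TARGET = "Landroid/webkit/WebSettings;->setJavaScriptEnabled(Z)V"

# invoke-virtual {v0, v1}, Lpkg/Cls;->method(Z)V
INVOKE_RE = re.compile(r"^\s*invoke-\w+ \{([^}]*)\},\s*(\S+)$")
# const/4 v1, 0x1   (also const/16, const/high16 and plain const)
CONST_RE = re.compile(r"^\s*const(?:/4|/16|/high16)? (\w+), (-?0x[0-9a-fA-F]+|-?\d+)$")
# .method public enable(Landroid/webkit/WebView;)V  -> "enable"
METHOD_RE = re.compile(r"^\.method .*?([^\s(]+)\(")


def grep_hits(smali, target=TARGET):
    """What `grep -n` would return: the 1-based line number of every invoke of target."""
    return [no for no, line in enumerate(smali.splitlines(), 1) if target in line]


def resolve_bool_args(smali, target=TARGET):
    """Per method, track the last const stored in each register and, at each
    invoke of target, report the value passed as the first real argument.
    Returns a list of (method_name, line_no, value_or_None)."""
    findings = []
    method, consts = None, {}
    for no, line in enumerate(smali.splitlines(), 1):
        m = METHOD_RE.match(line)
        if m:
            method, consts = m.group(1), {}   # register state is per method
            continue
        if line.startswith(".end method"):
            method = None
            continue
        c = CONST_RE.match(line)
        if c:
            consts[c.group(1)] = int(c.group(2), 0)
            continue
        inv = INVOKE_RE.match(line)
        if inv and inv.group(2) == target:
            regs = [r.strip() for r in inv.group(1).split(",")]
            arg = regs[1] if len(regs) > 1 else None   # regs[0] is `this`
            findings.append((method, no, consts.get(arg)))  # None = unresolved
    return findings


def true_positives(smali, target=TARGET):
    """Only the call sites that pass `true` (0x1) to the target method."""
    return [(m, no) for m, no, v in resolve_bool_args(smali, target) if v == 1]


if __name__ == "__main__":
    print("grep hits:", grep_hits(SAMPLE_SMALI))
    for finding in resolve_bool_args(SAMPLE_SMALI):
        print("resolved:", finding)
    print("true positives:", true_positives(SAMPLE_SMALI))
```

The register tracking here is deliberately simple (straight-line code within one method, no branches or `move` instructions), which is enough for the common WebView pattern but will report `None` for anything it cannot resolve; those unresolved hits are exactly the ones worth reviewing by hand in the map.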

A Long Time Ago in a Galaxy Far, Far Away...

The development of Droidstat started in mid-2015 and it was presented in July at BSides Lisbon 2015 (Slides). Life got in the way and, with the typical fear of releasing ugly code online, the tool was kept private at the time.

Droidstat aims to be a static/dynamic analysis framework that does more than just flag issues (several tools already do that, such as AndroBugs or MobSF): it allows you to create a methodology and a workflow to achieve consistency.

Right now, this standalone module is being released as a quick win, but sometime this year the first web-interfaced version of the framework will be released.

Here Be Dragons

Based on the work started in 2015, and since I wanted to learn and improve my understanding of Dalvik bytecode, I created all the static checks from scratch, following my own thinking and approach. Other tools' approaches will differ.

That being said, I have tested the tool against the top 30 applications in the Play Store and around 60 other applications, including several vulnerable applications created for this purpose, and manually performed the review on all of them to try to guarantee the tool's accuracy and completeness. There may still be scenarios where the tool does not behave correctly; if you find any bugs, or incorrect or missing information, please create an Issue on the project.

References

Credits

Special thanks to @neskk for porting droidstatx to Python 3 and for other improvements.