Home

Awesome

Android device check

A set of scripts to check Android device security configuration.

Device runtime configuration check

The check-device-props.py script checks security configuration based on system properties and some basic system commands.

Requirements

Requires ADB connection. Set ANDROID_SERIAL and/or ADB_VENDOR_KEYS if more than one device is connected to host, or if ADB authentication is required.

Major checks:

Usage

  1. Connect to target device via ADB and run the script:
./check-device-props.py
  1. Report is output to stdout, redirect as needed. WARN messages mark potential configuration issues.

System APK check

Overview

A simple script to check security configuration of system APKs for Android-based devices. Mainly targeted towards IoT-style devices, probably not that useful for phones/tablets. Not meant to be a replacement for CTS or other extensive test suites.

Checks are focused on permissions, code signing and component configuration. This script does not attempt to perform static analysis of executable code.

Assumptions

The following assumptions are made:

Major security checks

The following security configuration is tested:

Requirements

Usage

  1. Obtain system APKs to test, usually all APKs under /system/app and /system/priv-app
 $ ./download-apks.py apks/
  1. Run the check-system-apps.py script against the APK directory from 1.
   ./check-system-apps.py apks/ com.example.package
  1. Report is output to stdout, redirect as needed.