cli tool for static and dynamic analysis of android apk.
This command line utility allows you to perform static and dynamic analysis of android apk files.
Static analysis allows you to obtain the following data:
- Application name
- App package
- App version
- Version code
- APK checksum
- android_id
- advertising_id
- imei
- google_account
- wifi_ssid
- geo: (latitude, longitude)
- urls - strings that look like URLs
- domains - strings that look like domain names
- libraries - list of .so libraries from the APK
- classes - list of Java/Kotlin classes from the binary
- permissions - set of permissions from the app manifest
- activities - list of registered activities from the app manifest
Dynamic analysis allows you to obtain the following data:
- network_activity:
-
requests
- timestamp - Time from the app startup (ms)
- proto (HTTP/TLS/TCP/UDP)
- remote_ip
- tls_sni
- http_request_url
- http_request_method
- http_request_body_length
- http_response_status
- http_response_body_length
-
requested_permissions
-
git clone https://github.com/vmprog/exynex.git
cd exynex
The use of the utility is possible in two ways:
- Install all dependencies on local Linux/macOS host machine.
- Using docker image for (Linux, macOS).
Target device:
The analysis can be carried out both on a real device and on an emulator.
- Android Studio/Android Sdk is installed (tested with Version 4.1.3 for Linux 64-bit)]
-
Emulator and adb executables from Android Sdk have been added to $PATH variable
-
emulator usually located at
/home/<your_user_name>/Android/Sdk/emulator/emulator
-
adb usually located at
/home/<your_user_name>/Android/Sdk/platform-tools/adb
- You need to add these lines to .bashrc
-
export PATH=$PATH:$HOME/Android/Sdk/platform-tools
export PATH=$PATH:$HOME/Android/Sdk/emulator
export PATH=$PATH:/path/to/jre/bin
Check environment variable:
set ANDROID_SDK_ROOT=path_to_sdk
- python v3.8.8 or later
- adb
- aapt
- android-tools-adb
- mitmproxy
- iptables
- procps
- apksigner
- xxd
- jadx v1.3.1 or later
Install local python dependencies by running:
pip install -r requirements.txt
Set permission for jadx by running:
chmod 755 ./jadx/bin/jadx
- Android Studio/Android Sdk is installed
-
Emulator and adb executables from Android Sdk have been added to $PATH variable
-
emulator usually located at
/Users/<your_user_name>/Library/Android/sdk/emulator/emulator
-
adb usually located at
/Users/<your_user_name>/Library/Android/sdk/platform-tools/adb
- You need to add these lines to ~/.zprofile
-
export PATH=$PATH:$HOME/Library/Android/sdk/platform-tools
export PATH=$PATH:$HOME/Library/Android/sdk/emulator
export PATH=$PATH:$HOME/Library/Android/sdk//build-tools/30.0.3
export JAVA_HOME=/Applications/Android\ Studio.app/Contents/jre/Contents/Home/
Install local python dependencies by running:
pip install -r requirements.txt
Setup network config for transparent proxy:
- Enable IP forwarding.
sudo sysctl -w net.inet.ip.forwarding=1
- Place the following line in a file called, say, pf.conf.
rdr pass on en0 inet proto tcp to any port {80, 443} -> 127.0.0.1 port 8080
- Configure pf with the rules.
sudo pfctl -f pf.conf
- And now enable it.
sudo pfctl -e
- Configure sudoers to allow mitmproxy to access pfctl. Edit the file /etc/sudoers on your system as root. Add the following line to the end of the file:
ALL ALL=NOPASSWD: /sbin/pfctl -s state
Install local docker image by running:
sudo docker build -t python-img:5.1 .
-
Developer mode must be enabled on the emulator.
-
The emulator must be rooted.
Note: There are different approaches to getting root on the device. It depends on the android version.
To capture and decrypt traffic, you need to install mitmproxy certificates on the device System CA.
-
Install mitmproxy certificates (tested on Android 10 API 29).
- CAcert system trusted certificates
mitmproxy (exit with [q yes])
cd ~/.mitmproxy/
hashed_name=`openssl x509 -inform PEM -subject_hash_old -in mitmproxy-ca-cert.cer | head -1` && cp mitmproxy-ca-cert.cer $hashed_name.0
adb push c8750f0d.0 /sdcard (file name from the previous command)
adb shell
su
mount -o rw,remount /
cp /sdcard/c8750f0d.0 /system/etc/security/cacerts/
cd /system/etc/security/cacerts/
chmod 644 c8750f0d.0
ls -al –Z
mount -o ro,remount /
- CAcert user trusted certificates
Before using, you must change the ip address of the gateway to host ip with mitmdump.
Before using, you must disable IPv6 protocol on device/emulator.
adb shell
su
echo 0 > /proc/sys/net/ipv6/conf/wlan0/accept_ra
echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6
If you are using mobile internet, you should find the following setting: Access Point Names ->APN protocol and set IPv4 only.
To capture and decrypt traffic, you need to install mitmproxy certificates on the emulator System CA. The installation approaches depend on the Android version.
The script also accepts some options:
positional arguments:
analyze Command to analyze.
PATH_TO_APK Path to APK file.
device_ip IP address of the device or emulator.
su_pass Superuser password.
optional arguments:
-h, --help show this help message and exit
--output OUTPUT Path to report.
--activity_time ACTIVITY_TIME
Time to activity.
--allow_permissions Allow to any permissions requests.
--verbose Produces debugging output.
python3 -O exynex.py analyze some.apk 192.168.1.5 SUpass --allow_permissions --verbose
Starting the container:
sudo docker run -it --net=host --privileged \
-v /dev/bus/usb:/dev/bus/usb \
-v /folder/with/apk:/home/researcher/APK \
--mount src="$(pwd)",target=/home/researcher/app_src,type=bind \
--mount src="/home/mitmproxyuser/.mitmproxy",target=/home/mitmproxyuser/.mitmproxy,type=bind \
python-img:5.1 /bin/bash
Note: Where /folder/with/apk - is the folder on host where the apk file for research is located.
python3 -O exynex.py analyze ~/APK/some.apk 192.168.1.5 SUpass --allow_permissions --verbose
If you run into any problem or have a suggestion, head to this page and click on the New issue
button.