Penetration testing

Android penetration tools walkthrough series: AndroBugs framework

Greg Belding
May 27, 2018 by
Greg Belding

Android apps are arguably the most commonly used features of smartphones on the market today. Our lives are made more organized, faster, and more streamlined as a result of them. However, with all of these Android apps in use and thousands more coming every year, debugging Android apps is becoming all the more important.

To this end, AndroBugs Framework presents a solution to this ever-present need. AndroBugs Framework is an Android app security vulnerability scanner that Android developers and hackers can use to easily scan an Android app for security vulnerabilities, possible exploits and even whether the code satisfies best practices.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

Yu Cheng-Lin is an Android Security Researcher based out of Taiwan and the creator of the AndroBugs Framework. His career led him to the discovery of countless security flaws in Android applications of some of the biggest tech companies in the world, including Facebook and Twitter. Yu Cheng-Lin had previously built an Android app scanner as part of his master's degree in 2014 and decided to open-source his personal Android vulnerability scanner to the public. Yu Cheng-Lin currently hosts the application on Github at https://github.com/AndroBugs/AndroBugs_Framework.

What does AndroBugs framework have to offer?

AndroBugs Framework is capable of scanning Android applications and uncovering various types of security-related vulnerabilities. AndroBugs Framework has what has been described by as "the most efficient" and most accurate Android vulnerability analysis system. What does this translate to regarding vulnerability analysis performance? Speed and simplicity of design. This translates into Android app scans of less than two minutes per scan. This valuable time-saving feature will likely be appreciated by the Android developers worldwide.

AndroBugs framework features

  • Find security vulnerabilities in an Android app, including vulnerabilities susceptible to exploitation by hackers
  • Check if the code is missing best practices
  • Check dangerous shell commands. For example – "su"
  • Collect Information from millions of apps
  • Check the app's security protection (marked as <Hacker>, designed for app repackaging hacking techniques)

What else does AndroBugs have to offer?

Although stripped down regarding its GUI, AndroBugs Framework still has a lot to offer its users aside from fast Android vulnerability analysis performance. The AndroBugs Framework team corresponds with users regarding the Android vulnerability analysis performed on their respective Android app. If the AndroBugs Framework team finds any vulnerabilities, they will give the user a complete and detailed description to help solve any potential security issues. If necessary, they will give the end developer the Proof of Concept code to show the vulnerabilities found in the Android app. AndroBugs Framework is currently on version 1.0.0.

AndroBugs framework setup for Microsoft Windows systems

AndroBugs Framework Setup on Microsoft Windows is easy:

  • There is no need to install Python 2.7 if setup is performed on a Microsoft Windows system
  • There is no need to install any 3rd-party library
  • There is no need to install AndroBugs Framework on the Microsoft Windows system itself
  • All you need to do is point AndroBugs Framework to the .apk file that you want to test

Follow the steps below to Setup AndroBugs Framework on a Microsoft Windows System:

  1. mkdir C:AndroBugs_Framework
  2. cd C:AndroBugs_Framework
  3. Unzip the latest Windows version of AndroBugs Framework from Windows releases
  4. Go to Computer->System Properties->Advanced->Environment Variables. Add "C:AndroBugs_Framework" to the "Path" variable
  5. androbugs.exe -h
  6. androbugs.exe -f [APK file]

Massive analysis tool setup for Microsoft Windows

Follow the steps detailed below to setup AndroBugs Framework Massive Analysis Tool on a Microsoft Windows System:

  • Complete the AndroBugs Framework Setup for Microsoft Windows Systems first
  • Install the Windows version of MongoDB, which can be found at https://www.mongodb.org/downloads
  • Install PyMongo library
  • Configure your own MongoDB settings: C:AndroBugs_Frameworkandrobugs-db.cfg
  • Choose your preferred MongoDB management tool which can be found at http://mongodb-tools.com/
  • AndroBugs_MassiveAnalysis.exe -h
    • Example: AndroBugs_MassiveAnalysis.exe -b 20151112 -t BlackHat -d .All_Your_Apps -o .Massive_Analysis_Reports
  • AndroBugs_ReportByVectorKey.exe -h
    • Example: AndroBugs_ReportByVectorKey.exe -v WEBVIEW_RCE -l Critical -b 20151112 -t BlackHat

AndroBugs framework usage steps for Unix/Linux systems

Microsoft Windows is not the only option for developers and hackers to setup AndroBugs Framework on. Developers and hackers can also setup AndroBugs Framework on Unix/Linux based systems.

  • How to run AndroBugs Framework on Unix/Linux Systems

python androbugs.py -f [APK file]

  • How to check AndroBugs Framework usage on Unix/Linux Systems

python androbugs.py -h

AndroBugs framework massive analysis tools usage steps for Unix/Linux

Just like setup on Microsoft Windows systems, developers and hackers who want to setup AndroBugs Framework must setup MongoDB and configure their own MongoDB settings. These settings can be found in "androbugs-db.cfg."

  • To run the AndroBugs Framework Massive Analysis Tool:

python AndroBugs_MassiveAnalysis.py -b [Your_Analysis_Number] -t [Your_Analysis_Tag] -d [APKs input directory] -o [Report output directory]

Example: python AndroBugs_MassiveAnalysis.py -b 20151112 -t BlackHat -d ~/All_Your_Apps/ -o ~/Massive_Analysis_Reports

  • To get the summary report and all the vectors of massive analysis:

python AndroBugs_ReportSummary.py -m massive -b [Your_Analysis_Number] -t [Your_Analysis_Tag]

Example: python AndroBugs_ReportSummary.py -m massive -b 20151112 -t BlackHat

  • To list the potentially vulnerable apps by Vector ID and Severity Level (Log Level):

python AndroBugs_ReportByVectorKey.py -v [Vector ID] -l [Log Level] -b [Your_Analysis_Number] -t [Your_Analysis_Tag]

Example: python AndroBugs_ReportByVectorKey.py -v WEBVIEW_RCE -l Critical -b 20151112 -t BlackHat

Unix/Linux AndroBugs framework requirements

  • Python 2.7.x (DO NOT USE Python 3.X)
  • PyMongo library (If you want to use the massive analysis tool)
  • AndroBugs Framework is under the license of GNU GPL v3.0

Become a Certified Ethical Hacker, guaranteed!

Become a Certified Ethical Hacker, guaranteed!

Get training from anywhere to earn your Certified Ethical Hacker (CEH) Certification — backed with an Exam Pass Guarantee.

Sources

Greg Belding
Greg Belding

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.