Introspy-Android

Blackbox tool to help understand what an Android application is doing at runtime and assist in the identification of potential security issues.

Description

Introspy-Android comprises two separate components: a GUI to configure hooks, filters and options, and a Cydia Substrate extension containing the core of the tool's functionality, including the hooks and the analysis of potential issues.

Introspy-Android can be installed on a rooted device and dynamically configured to hook security-sensitive Android APIs at run-time. The tool records all the relevant API calls made by an application, including function calls, arguments and return values. It then performs tests for security issues in real time and persists the results in a database and in the Android logging system.

The Introspy-Analyzer can then be used to analyse a database generated by the tracer and to generate HTML reports containing the list of logged function calls as well as a list of potential vulnerabilities affecting the application.

See http://isecpartners.github.io/introspy-android/ for a quick introduction.

Usage

The Introspy-Android Config application displays the apps the Core application will hook and the various filters and options applied to them. This application needs root access (you can use SuperSU to grant temporary root access to the application). The changes are dynamic and you do not need to restart the hooked applications for them to take effect.

  • Once configured with the Config application, logs are dumped in the system logs and in a database in the directory of the hooked application (in databases/introspy.db)
  • To generate an HTML report from the generated database, you can use the Introspy-Analyzer (by A. Diquet and T. Daniels: https://github.com/iSECPartners/Introspy-Analyzer)

It should be noted that the Core application works on a device running Android 2.3 and above, whereas the Config application can only run from Android 3.0 on due to the use of specific APIs. To test applications on older SDKs without the GUI, using only the Core application, you can simply create a file named "introspy.config" containing the filters you want to hook in the directory of the application you want to test. The whole command must be quoted so that the redirection runs on the device as root; otherwise the host shell applies the redirection locally, or su parses the filter list as its own arguments. Example:

    adb shell "su -c 'echo \"GENERAL CRYPTO, KEY, HASH, FS, IPC, PREF, URI, WEBVIEW\" > /data/data/com.YOUR_APP_NAME/introspy.config'"

How to uninstall

    adb uninstall com.introspy.core
    adb uninstall com.introspy.config

What if the extension crashes

This tool has not been tested on all versions of Android. If the tool does not work on your version, please send us your error logs (the extension logs its errors under the IntrospyError tag):

    adb logcat -s "IntrospyError"

If the error prevents the phone from booting, you can still connect to it via adb and simply remove the extension to fix it (the glob is quoted so it expands on the device, not on the host):

    adb shell "su -c 'rm /data/app/com.introspy.core*'"

If you still have issues, the cause may be Cydia Substrate itself, which may not be compatible with your device. To disable or uninstall it you can do the following (from Cydia Substrate's website): "By holding down the volume-up button on your device you can disable Substrate while it is attempting to load modifications (such as while it is turning on and starting); this will give you an opportunity to use Google Play to uninstall things that might be broken."

Reporting

  • Relevant data, including potential issues related to the hooked APIs, is dumped in a database and in the system logs. The following commands display them:

  • Display the complete logs:

      adb logcat -s "Introspy"
    
  • Display potential issues only (warning priority and above):

      adb logcat -s "Introspy:W"
    
  • Use the Android version of the analyzer (TBD, it will be pushed to a different GitHub repository soon) to generate an HTML formatted report.

Display relevant call stacks

Checking the "STACK TRACES" option within the Config tool will dump a relevant call stack (comprising 3 calls) for the selected filters.

What is being analysed/logged, exactly?

General Crypto:
  • Log encrypted/decrypted data before/after calls and the algorithm used (Note: readable data is displayed if at least 75% of its characters are readable, with unreadable characters stored as "."; if the data is not readable, it is stored as base64)
  • Spot static IVs and broken algorithms
  • Spot weak RNGs
Hash:
  • Log the data being hashed and the resulting hash
  • Display the algorithm used and warn if it is weak (MD5)
Key:
  • Log any keys used to encrypt
  • Log PBKDF key creation (key, passcode, iterations)
  • Log the passcode used with a keystore
FS:
  • Log only some file system accesses, as they are very noisy
  • Spot reads/writes on the SD card and the creation of files (or setting of properties) as world readable/writable
IPC:
  • Log IPC creations with details
  • Log some Intents sent, with details (and extras)
  • Log programmatic permission checks and creation
Pref:
  • Log reads/writes of preferences with the data, the type and the default value (the value set if nothing is returned)
  • Dump all preferences when getAll is called; this is done only once to avoid noise
  • Log world readable/writable prefs
  • Warn on access to preferences that don't exist (could be a hidden preference to enable logs, for instance)
SSL:
  • Warn if SSL is used but the hostname verifier accepts any hostname for a valid cert
  • Warn if the app accepts any cert (self-signed etc.)
  • Log if cert pinning is potentially implemented
  • Log if SSL is not used
Webview:
  • Log when JS, plugins or FS access are enabled for a webview
  • Warn/log when a JS interface is used (JS bridge)
SQLite:
  • Log data passed to execSQL, update*, insert*, replace
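The General Crypto bullets above describe two checks concretely enough to work through: the display rule for logged buffers (text if at least 75% of the characters are readable, "." for the rest, otherwise base64) and the static-IV/broken-algorithm spotting. The block below is an added example, not Introspy's own code; which bytes count as readable and which algorithms are treated as broken are assumptions chosen for illustration.

```python
import base64
from typing import Dict, List, Optional, Set, Tuple

# Added example, not Introspy's own code. Implements the README's display
# rule for logged crypto buffers and a static-IV / weak-algorithm check of
# the kind the tracer reports. WEAK_ALGORITHMS and _readable() are
# assumptions for illustration, not the tool's actual lists.

WEAK_ALGORITHMS = {"DES", "RC4", "MD5"}  # assumed illustrative list


def _readable(b: int) -> bool:
    # Assumption: printable ASCII plus tab/newline/CR counts as readable.
    return 32 <= b < 127 or b in (9, 10, 13)


def render_data(buf: bytes) -> str:
    """README rule: text with '.' placeholders if >= 75% readable, else base64."""
    if not buf:
        return ""
    readable = sum(1 for b in buf if _readable(b))
    if readable / len(buf) >= 0.75:
        return "".join(chr(b) if _readable(b) else "." for b in buf)
    return base64.b64encode(buf).decode("ascii")


class CryptoCallTracker:
    """Collects findings from a stream of Cipher-style init calls."""

    def __init__(self) -> None:
        # (algorithm, key) -> IVs already seen under that key
        self._ivs_seen: Dict[Tuple[str, bytes], Set[bytes]] = {}
        self.findings: List[str] = []

    def record(self, transform: str, key: bytes, iv: Optional[bytes]) -> List[str]:
        """transform is a JCE-style string such as 'AES/CBC/PKCS5Padding'."""
        found: List[str] = []
        parts = transform.upper().split("/")
        # Broken primitive, or a block cipher in ECB mode, is reported as weak.
        if parts[0] in WEAK_ALGORITHMS or (len(parts) > 1 and parts[1] == "ECB"):
            found.append(f"weak or broken algorithm: {transform}")
        if iv is not None:
            seen = self._ivs_seen.setdefault((parts[0], key), set())
            if iv in seen:  # same IV reused under the same key: static IV
                found.append(f"static IV reused under the same key: {iv.hex()}")
            seen.add(iv)
        self.findings.extend(found)
        return found
```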

Doing It Yourself

Building From Source

Most users should just download and install the pre-compiled packages. However, if you want to modify the tool's functionality you will have to clone the source repository and build the packages yourself.

    git clone https://github.com/iSECPartners/introspy-android.git

Then you need to add the Cydia Substrate SDK to Eclipse. See http://www.cydiasubstrate.com/id/73e45fe5-4525-4de7-ac14-6016652cc1b8/ for instructions on how to do so.

Adding hooks

Adding hooks is simple and can be done within the com.introspy.custom_hooks module. See the pre-filled example in the code (CustomHookList.java and HookExampleImpl.java) and make sure to enable the "CUSTOM HOOKS" option in the Introspy Config application. See http://isecpartners.github.io/Introspy-Android/ for more instructions.

Note: some methods simply cannot be hooked due to potential issues in Cydia Substrate, and the hook may just crash the process. Also, make sure not to hook abstract methods: doing so throws an exception that is never caught by Cydia Substrate (and will just crash the process). You need to hook their implementation, which is sometimes not documented but can easily be found in the Android code base (for example, android.content.Context is implemented in android.content.ContextImpl).

License

See ./LICENSE.

Author

Marc Blanchou

introspy-android's Issues

Error with DB: java.lang.NullPointerException

    W/IntrospyError(): --> Error with DB: java.lang.NullPointerException

The database is not being written for any application. Tried with both the Jelly Bean and KitKat variants of Android with no success. I still do get output from logcat.

Crash when hooking StringBuilder

    new HookConfig(true, // set to true to enable the hook
        "java.lang.StringBuilder", "append", new Class<?>[]{java.lang.String.class},
        // class, method name, arguments
        new StringBuilderHook(),
        // instance of the implementation extending IntroHook (here in HookExampleImpl.java)
        "StringBuilder Hook"),

I tried to hook the "append" method of StringBuilder, but the app crashed after hooking.
In addition, after hooking, the device cannot launch after rebooting. I also tried to hook the "equals"
method of "java.lang.String", and it worked fine. So please check the StringBuilder class hooking.

how to get ssl plain text?

I really like this tool, I recommend adding a feature to send plaintext data https print out, I wanted to achieve this function myself, but I did not find a suitable API to Hook it. I hope you can join this function or give me some tips. Thank you.

Introspy not requesting root

Introspy is not requesting root when I select the application. It used to with an old install.
I have burned an entire day trying to get it working with no success.
The devices are Genymotion Nexus 4 - 4.1.1 and 4.2.2
Devices are both rooted
I have tried the unaltered apk versions
I have tried recompiling the application with added permissions as some stack-exchange threads have suggested and also added ACCESS_SUPERUSER but it still won't create an introspy.config or database file.
If I manually create an introspy.config file, I get logcat telling me Unknown id:GENERAL after it tries to echo GENERAL CRYPTO to the config file.
I have had this working in the past. I only added the Superuser permissions after it would not work any other way, as a last resort.

Logcat output when I select the app to spy:

    D/dalvikvm( 645): GC_CONCURRENT freed 395K, 5% free 9060K/9492K, paused 2ms+1ms, total 9ms
    I/IntrospyGUI( 1569): su -c echo 'GENERAL CRYPTO,KEY,HASH,FS,IPC,PREF,URI,SSL,WEBVIEW,CUSTOM HOOKS,SQLite (NO DB)' > /data/data//introspy.config ; su -c chmod 664 /data/data/.debug/introspy.config ;
    W/genymotion_audio( 124): out_write() limiting sleep time 44149 to 23219
    W/genymotion_audio( 124): out_write() limiting sleep time 45759 to 23219
    W/genymotion_audio( 124): out_write() limiting sleep time 37369 to 23219
    W/genymotion_audio( 124): out_write() limiting sleep time 28979 to 23219
    I/CydiaSubstrate( 1921): MS:Notice: Injecting: /system/bin/toolbox
    D/su ( 1921): su invoked.
    W/genymotion_audio( 124): out_write() limiting sleep time 31178 to 23219
    I/CydiaSubstrate( 1922): MS:Notice: Injecting: /system/bin/toolbox
    E/su ( 1922): Unknown id: 'GENERAL
    E/su ( 1922):
    W/genymotion_audio( 124): out_write() limiting sleep time 30204 to 23219

Any help is greatly appreciated

Introspy.db file is not getting created

I am using Android 4.3 on a Galaxy S3. I have already rooted the device and performed the actions mentioned in the user guide for Introspy. I am not able to find the introspy.db file and the introspy.config file even after following the instructions below.

"I know this was asked a long time ago but in case anyone else who searches needs an answer:

I also had this problem when running Introspy on a Galaxy S4 running KitKat (4.4.2). I have ran Introspy with zero problems on a Nexus S running JellyBean (4.2.1). Because of this I believe it is an Android SDK problem with newer versions.

If you look at the AndroidManifest file for Introspy-Android Core, the targetSdkVersion is 18, which denotes Jellybean. I looked at logcat files and found that I was getting the error:

Permission Denial: get/set setting for user asks to run as user -2 but is calling from user 0; this requires android.permission.INTERACT_ACROSS_USERS_FULL
I simply added this permission to the Android Core AndroidManifest.xml file as well as the Android Config AndroidManifest.xml with the command:

I then just recompiled both binaries and it worked! Hope this helps."

Am I missing something?

Get Application name

Hello,

Using Introspy-Android, we can get package-name, class-name, method-name, etc.
Is it possible to get application name also in log?
