FlowDroid
The FlowDroid wiki provides nightly builds of several commonly used components.
Building soot itself still feels fairly involved; every build attempt so far has failed for lack of some dependency.
https://github.com/secure-software-engineering/soot-infoflow-android/wiki
soot nightly build
http://ssebuild.cased.de/nightly/soot/lib/soot-trunk.jar
Generating a flow graph directly from an apk (via Soot's CFGViewer)
An example:

```bash
java -cp soot-trunk.jar soot.tools.CFGViewer \
  --graph=BriefUnitGraph \
  --soot-class-path /usr/lib/jvm/java-7-oracle/jre/lib/ext/zipfs.jar:/usr/lib/jvm/java-7-oracle/jre/lib/rt.jar:/usr/lib/jvm/java-7-oracle/jre/lib/ext/sunpkcs11.jar:/usr/lib/jvm/java-7-oracle/jre/lib/resources.jar:/usr/lib/jvm/java-7-oracle/jre/lib/ext/sunec.jar:/usr/lib/jvm/java-7-oracle/jre/lib/ext/sunjce_provider.jar:/usr/lib/jvm/java-7-oracle/jre/lib/jfr.jar:/home/gary/workspace-kepler/Test/bin/:/usr/lib/jvm/java-7-oracle/jre/lib/jsse.jar:/usr/lib/jvm/java-7-oracle/jre/lib/ext/localedata.jar:/usr/lib/jvm/java-7-oracle/jre/lib/jce.jar:/usr/lib/jvm/java-7-oracle/jre/lib/charsets.jar:/usr/lib/jvm/java-7-oracle/jre/lib/ext/dnsns.jar:/home/gary/autobuild/releases/AXMLPrinter2.jar:/home/gary/autobuild/releases/baksmali-1.2.5.jar:/home/gary/dev/AndroidTestApp/crackme.apk:/home/gary/dev/android-platforms/android-17/android.jar:/home/gary/dev/android-platforms/android-17/android-17-api.jar \
  -d /home/gary/dev/soot-runable/sootOutput \
  -src-prec apk \
  -allow-phantom-refs \
  -ire \
  -f J \
  -process-dir crackme.apk
```
Some scripts
A few helper scripts make this easier to run.
They are invoked like this:

```bash
$ mkdir ./out/
$ ./runSootOnApk.sh ./snake.apk ./out/
```
runSootOnApktoClasses.sh

```bash
#!/bin/bash
# Run Soot on an apk and write the converted .class files to <apk-name>-classes/

ANDROID_JARS_PATH="/home/gary/dev/android-platforms"
JAVA_CLASSPATH="\
/home/gary/autobuild/releases/soot-trunk.jar:\
/home/gary/autobuild/releases/AXMLPrinter2.jar:\
/home/gary/autobuild/releases/baksmali-2.1.3.jar:\
"

APK_FILE="$1"
if [ -z "$APK_FILE" ] || [ ! -f "$APK_FILE" ]; then
    echo "usage: $0 <file.apk>" >&2
    exit 1
fi
BASE_APK_NAME=$(basename -s .apk "$APK_FILE")
SOOT_OUT_DIR="$BASE_APK_NAME-classes"
mkdir -p "$SOOT_OUT_DIR"

PROCESS_THIS=" -process-dir $APK_FILE"

# Not referenced below: the apk is picked up through -process-dir.
SOOT_CLASSPATH="\
"${APK_FILE}":\
"

SOOT_CMD="soot.Main \
    -d $SOOT_OUT_DIR \
    -android-jars $ANDROID_JARS_PATH \
    -allow-phantom-refs \
    -src-prec apk \
    -ire \
    $PROCESS_THIS "

java \
    -Xss100m \
    -Xmx3500m \
    -classpath "${JAVA_CLASSPATH}" \
    ${SOOT_CMD}
```
runSootOnApktoJimple.sh

```bash
#!/bin/bash
# Same as runSootOnApktoClasses.sh, but emit Jimple (-f J) instead of .class files

ANDROID_JARS_PATH="/home/gary/dev/android-platforms"
JAVA_CLASSPATH="\
/home/gary/autobuild/releases/soot-trunk.jar:\
/home/gary/autobuild/releases/AXMLPrinter2.jar:\
/home/gary/autobuild/releases/baksmali-2.1.3.jar:\
"

APK_FILE="$1"
if [ -z "$APK_FILE" ] || [ ! -f "$APK_FILE" ]; then
    echo "usage: $0 <file.apk>" >&2
    exit 1
fi
BASE_APK_NAME=$(basename -s .apk "$APK_FILE")
SOOT_OUT_DIR="$BASE_APK_NAME-classes"
mkdir -p "$SOOT_OUT_DIR"

PROCESS_THIS=" -process-dir $APK_FILE"

# Not referenced below: the apk is picked up through -process-dir.
SOOT_CLASSPATH="\
"${APK_FILE}":\
"

SOOT_CMD="soot.Main \
    -d $SOOT_OUT_DIR \
    -android-jars $ANDROID_JARS_PATH \
    -allow-phantom-refs \
    -src-prec apk \
    -ire \
    -f J \
    $PROCESS_THIS "

java \
    -Xss100m \
    -Xmx3500m \
    -classpath "${JAVA_CLASSPATH}" \
    ${SOOT_CMD}
```
runSootOnApktoDot.sh
./runSootOnApktoDot.sh crackme.apk
This automatically creates a crackme-dots folder in the current directory.

```bash
#!/bin/bash
# Run Soot's CFGViewer on an apk and write one .dot graph per method to <apk-name>-dots/

ANDROID_JARS_PATH="/home/gary/dev/android-platforms"
JAVA_CLASSPATH="\
/home/gary/autobuild/releases/soot-trunk.jar:\
/home/gary/autobuild/releases/AXMLPrinter2.jar:\
/home/gary/autobuild/releases/baksmali-2.1.3.jar:\
"

APK_FILE="$1"
if [ -z "$APK_FILE" ] || [ ! -f "$APK_FILE" ]; then
    echo "usage: $0 <file.apk>" >&2
    exit 1
fi
BASE_APK_NAME=$(basename -s .apk "$APK_FILE")
SOOT_OUT_DIR="$BASE_APK_NAME-dots"
mkdir -p "$SOOT_OUT_DIR"

PROCESS_THIS=" -process-dir $APK_FILE"

# Not referenced below: the apk is picked up through -process-dir.
SOOT_CLASSPATH="\
"${APK_FILE}":\
"

SOOT_CMD="soot.tools.CFGViewer \
    --graph=BriefUnitGraph \
    -d $SOOT_OUT_DIR \
    -android-jars $ANDROID_JARS_PATH \
    -allow-phantom-refs \
    -src-prec apk \
    -ire \
    -f J \
    $PROCESS_THIS "

java \
    -Xss100m \
    -Xmx3500m \
    -classpath "${JAVA_CLASSPATH}" \
    ${SOOT_CMD}
```
Counting files of a given kind in the current directory

```bash
# Count matching files recursively
ls -lR | grep "^-" | grep "dot" | wc -l
ls -lR | grep "^-" | grep "jimple" | wc -l
# Only the current directory, excluding subdirectories
ls -l | grep "^-" | grep "jimple" | wc -l
# Count directories
ls -l | grep "^d" | wc -l
```
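As an added example (not code from this page or from the Soot project), a small Python script that post-processes the Jimple directory the scripts above produce: it counts output files by extension (a sturdier equivalent of the ls | grep | wc pipelines, since it does not depend on ls formatting) and lists which methods in each class invoke a watched API such as getDeviceId, which is the kind of sink a FlowDroid analysis would care about. The Jimple text, the class name com.example.Main and the default watched-API list are constructed sample data; the regexes are a line-oriented sketch of the Jimple grammar, not Soot's own parser.

```python
"""Post-process a Soot Jimple output directory (added example, not page/project code).

Walks a directory written by `soot.Main -f J -d <dir>`, counts files per
extension, and reports which methods invoke a watched API. The Jimple
sample below is constructed; the regexes are a lightweight sketch of the
Jimple grammar, not Soot's own parser.
"""
import os
import re
import sys
import tempfile
from collections import Counter, defaultdict

# Class header: "public class com.example.Main extends android.app.Activity"
CLASS_RE = re.compile(r'^(?:\w+\s+)*(?:class|interface)\s+([\w.$]+)')
# Method header, indented 4 spaces: "    public void onCreate(android.os.Bundle)"
METHOD_RE = re.compile(
    r'^ {4}(?:(?:public|private|protected|static|final|synchronized|native|abstract|strictfp)\s+)*'
    r'(\S+)\s+(<?[\w$]+>?)\(([^)]*)\)')
# Invoke expression: "virtualinvoke $r3.<pkg.Cls: java.lang.String getDeviceId()>()"
INVOKE_RE = re.compile(
    r'(?:virtual|static|special|interface|dynamic)invoke\s+(?:[^\s<]+\.)?<([^:>]+):\s+(.+?\))>')

# Constructed sample in the shape Soot writes for one class (com.example.Main.jimple).
SAMPLE_JIMPLE = """public class com.example.Main extends android.app.Activity
{
    private android.telephony.TelephonyManager tm;

    public void onCreate(android.os.Bundle)
    {
        com.example.Main $r0;
        android.os.Bundle $r1;
        java.lang.String $r2;
        android.telephony.TelephonyManager $r3;

        $r0 := @this: com.example.Main;
        $r1 := @parameter0: android.os.Bundle;
        specialinvoke $r0.<android.app.Activity: void onCreate(android.os.Bundle)>($r1);
        $r3 = $r0.<com.example.Main: android.telephony.TelephonyManager tm>;
        $r2 = virtualinvoke $r3.<android.telephony.TelephonyManager: java.lang.String getDeviceId()>();
        staticinvoke <android.util.Log: int d(java.lang.String,java.lang.String)>("id", $r2);
        return;
    }

    public void <init>()
    {
        com.example.Main $r0;
        $r0 := @this: com.example.Main;
        specialinvoke $r0.<android.app.Activity: void <init>()>();
        return;
    }
}
"""


def parse_jimple(text):
    """Return (class_name, {method_signature: [callee_signature, ...]})."""
    class_name, methods, current = None, {}, None
    for line in text.splitlines():
        if class_name is None:
            m = CLASS_RE.match(line)
            if m:
                class_name = m.group(1)
                continue
        m = METHOD_RE.match(line)
        # A header ending in ';' is an abstract/native declaration without a body.
        if m and not line.rstrip().endswith(';'):
            ret, name, params = m.groups()
            current = f'{ret} {name}({params})'
            methods[current] = []
            continue
        if current is not None:
            for inv in INVOKE_RE.finditer(line):
                methods[current].append(f'<{inv.group(1)}: {inv.group(2)}>')
    return class_name, methods


def summarise_output_dir(out_dir, watched=('getDeviceId', 'getSubscriberId')):
    """Count files per extension and map each watched API to the methods calling it."""
    ext_counts = Counter()
    hits = defaultdict(list)  # api name -> ["class: method signature", ...]
    for root, _dirs, files in os.walk(out_dir):
        for fn in files:
            ext_counts[os.path.splitext(fn)[1] or '(none)'] += 1
            if not fn.endswith('.jimple'):
                continue
            with open(os.path.join(root, fn), encoding='utf-8', errors='replace') as f:
                cls, methods = parse_jimple(f.read())
            for sig, callees in methods.items():
                for callee in callees:
                    for api in watched:
                        if f' {api}(' in callee:
                            hits[api].append(f'{cls}: {sig}')
    return ext_counts, dict(hits)


def build_sample_dir():
    """Write the constructed sample into a temp dir laid out like Soot's -d output."""
    out_dir = tempfile.mkdtemp(prefix='sootOutput-')
    with open(os.path.join(out_dir, 'com.example.Main.jimple'), 'w', encoding='utf-8') as f:
        f.write(SAMPLE_JIMPLE)
    with open(os.path.join(out_dir, 'com.example.Main.dot'), 'w', encoding='utf-8') as f:
        f.write('digraph "onCreate" { }\n')  # placeholder standing in for a CFGViewer graph
    return out_dir


if __name__ == '__main__':
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_dir()
    counts, found = summarise_output_dir(target)
    for ext, n in sorted(counts.items()):
        print(f'{n:6d} {ext}')
    for api, where in found.items():
        print(f'{api} invoked from:')
        for loc in where:
            print(f'  {loc}')
```

Run it as `python summarise_jimple.py crackme-classes/` against a directory produced by runSootOnApktoJimple.sh; with no argument it runs over the embedded sample. Matching on the callee's method name alone is deliberately coarse: a real sink list should compare the full `<class: return name(params)>` signature, which the parser already preserves.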
A failed attempt at building soot
References
http://www.abartel.net/dexpler/
This page provides an automation script, but it turned out to be of no use.
https://gist.github.com/quentin/5099059
I got an error while compiling jasmin.

```bash
$ git clone https://github.com/Sable/soot.git
$ git branch -f develop origin/develop
$ git checkout develop
$ cp ant.settings.template ant.settings
```
Download the component modules
heros https://ssebuild.cased.de/nightly/heros/
jasmin https://sourceforge.net/projects/jasmin/files/jasmin/jasmin-2.4/
polyglot https://github.com/Sable/polyglot/tree/master/lib
jflex http://jflex.de/download.html
Set the paths of the key components in the ant settings file

```
$ cat ant.settings
[...]
polyglot.jar=${user.home}/jar/soot/polyglotclasses-1.3.5.jar
jasmin.jar=${user.home}/src/jasmin-2.4.0/lib/jasminclasses-2.4.0.jar
heros.jar=../heros/heros-trunk.jar
[...]
```

Configured as:

```
polyglot.jar=/home/gary/autobuild/releases/polyglot.jar
jasmin.jar=/home/gary/autobuild/releases/jasmin.jar
heros.jar=/home/gary/autobuild/releases/heros-trunk.jar
```
Along the way some odd things turned out to be missing
https://github.com/Sable/abc
Other missing pieces can be found by searching local files
Missing jflex
jflex.de/release/jflex-1.6.1.tar.gz
Missing asm.jar
http://forge.ow2.org/projects/asm/
Missing jboss
http://www.java2s.com/Code/Jar/j/Downloadjbosscommoncore229gajar.htm
App automated analysis platforms
I have been studying app testing lately and have written a series of articles: manual testing, automated testing, and analysis of common vulnerabilities. Today's topic is automated testing. This article does not go into the details of each vulnerability; it only compares test results and shares my own experience.
Five major online scanning platforms:
Tencent's King Kong audit system http://service.security.tencent.com/kingkong
360's Bug Hunter (捉虫猎手) http://appscan.360.cn/
Alibaba's JAQ (聚安全) http://jaq.alibaba.com/gc/appsec/index.htm
Baidu's Mobile Cloud Testing Center http://mtc.baidu.com/
Bangcle hardening test platform http://dev.bangcle.com/apps/index
Another 360 system http://dev.360.cn/html/vulscan/scanning.html
STS security testing service http://sts.aliyun.com/index.html
爱内测 http://www.ineice.com/
APP Security Cloud, by 通付盾 http://www.appfortify.cn/
墨贝科技 (Mobei Security) http://www.mobeisecurity.com/
360 mobile app scanner http://scan.shouji.360.cn/index.jsp
娜迦 (Nagain) test platform http://www.nagain.com/appscan/
This hands-on comparison of online scanners is meant to help developers assess the problems in their own Android apps more quickly. As a novice app tester, what I hope to give everyone is a way to make their own apps more secure; of course, security should be considered from the moment development is being planned, for example whether to use third-party packages at all, which keeps the app's security more under your control.
keen team https://github.com/flankerhqd/JAADAS
Other
[1] soot dexpler