A basic self-audit for Android applications

These days we are fighting, with no mercy, disinformation, privacy abuse and, more generally, the measures adopted by various governments that use the covid19 pandemic to spread tracking and surveillance of citizens.
Alongside that, we also try to provide fast, quick fixes for government applications that allow access to, or tampering with, sensitive information without any link to the requesting person.

This is a call to all the security researchers around the world to join this fight, which I’m proud to be part of thanks to the invite of fs0c131y.

Mainly, the targets these days are split into two different branches.

  1. People abusing covid19 to spread malware.
    The idea is to create a subset of yara rules to scan the market in order to identify potentially dangerous applications.
    Follow this topic on the tweet thread started by fs0c131y.
  2. Applications pushed by governments.
    For obvious reasons we assume that these applications are not shipped with malware, but they could instead be full of privacy abuse and terrible code, which could lead to easy and colorful ways to access other people’s information.

In this blog post, with my call to action, I’m mainly focusing on point 2, and the reason is pretty simple.
We are already able to instrument, analyze and debug any application that does not require a personal tax id associated with the country; however, this requirement is preventing me (us) from performing any kind of audit on applications that are distributed outside our country.

You can find an updated list of applications available for each country in this github repository.

Perform your audits

To do so, I started this morning to revive an old project that I open sourced 2 years ago.
This project uses frida (and optionally gplaycli to download and install the app) to set up a subset of hooks on sensitive system APIs, and outputs a json report with the following information:

  • Application details (developer contact, signatures, versions, activities, services, receivers, permissions used and play store information)
  • Access to bluetooth.getAddress
  • Access to LocationManager
  • Access to NetworkManager to retrieve macAddress and ip
  • Access to Debugger information
  • Access to TelephonyManager to retrieve SIM card information, phone number, country and more
  • Access to Google fused location service
  • Dispatched broadcast, intent and external services/activities communication
  • Query to content resolvers
  • Ciphers
  • Network requests (including SSL, with no need to unpin)
  • File open and access
  • Parsed host
  • more…

The report also includes a backtrace, to allow security researchers to go further in the analysis.
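To make the shape of such a tracer concrete, here is an added example (not the project’s own tracer.py) of the two halves involved: a small frida agent in JavaScript that hooks two privacy-sensitive Android APIs and ships an event with a Java backtrace to the host, and the Python host side that collects those events into a json report. All names here (AGENT_SOURCE, new_report, on_message, render, trace, demo) are assumptions made for this example, and the package name and messages used in demo() are constructed.

```python
"""Minimal frida-based tracer: hooks two privacy-sensitive Android APIs and
builds a JSON report with a backtrace per event.  Added example, not the
project's own tracer.py; every name below is an assumption."""
import json
import sys

# Frida agent (JavaScript) injected into the target app.  Each hook forwards an
# event to the host with send(); the backtrace comes from a fresh Java Exception.
AGENT_SOURCE = r"""
Java.perform(function () {
    var Log = Java.use('android.util.Log');
    var Exception = Java.use('java.lang.Exception');

    function backtrace() {
        // Drop the first line, which is just "java.lang.Exception"
        return Log.getStackTraceString(Exception.$new()).split('\n').slice(1, 16);
    }

    function report(category, api, args) {
        send({category: category, api: api, args: args, backtrace: backtrace()});
    }

    var Tm = Java.use('android.telephony.TelephonyManager');
    Tm.getLine1Number.overload().implementation = function () {
        report('telephony', 'TelephonyManager.getLine1Number', []);
        return this.getLine1Number();
    };

    var Lm = Java.use('android.location.LocationManager');
    Lm.getLastKnownLocation.overload('java.lang.String').implementation = function (provider) {
        report('location', 'LocationManager.getLastKnownLocation', [provider]);
        return this.getLastKnownLocation(provider);
    };
});
"""


def new_report(package):
    """Empty report skeleton for one audited package."""
    return {"package": package, "events": [], "summary": {}, "errors": []}


def on_message(report, message, data=None):
    """Frida on_message callback.  Messages look like
    {'type': 'send', 'payload': {...}} or {'type': 'error', 'description': ...}."""
    if message.get("type") != "send":
        report["errors"].append(message.get("description", json.dumps(message)))
        return
    event = message["payload"]
    report["events"].append(event)
    category = event.get("category", "unknown")
    report["summary"][category] = report["summary"].get(category, 0) + 1


def render(report):
    """Serialise the report as indented JSON."""
    return json.dumps(report, indent=2, sort_keys=True)


def trace(package):
    """Spawn the target on the USB device, inject the agent and collect events
    until Enter is pressed.  Needs the `frida` Python package and a rooted
    device running frida-server."""
    import frida  # imported here so the report code above works offline
    report = new_report(package)
    device = frida.get_usb_device()
    pid = device.spawn([package])
    session = device.attach(pid)
    script = session.create_script(AGENT_SOURCE)
    script.on("message", lambda msg, data: on_message(report, msg, data))
    script.load()
    device.resume(pid)
    sys.stdin.readline()  # trace until Enter is pressed
    session.detach()
    return report


def demo():
    """Offline run over constructed messages (no device needed)."""
    report = new_report("com.example.target")  # constructed package name
    on_message(report, {"type": "send", "payload": {
        "category": "location", "api": "LocationManager.getLastKnownLocation",
        "args": ["gps"],
        "backtrace": ["at com.example.target.MainActivity.onCreate(MainActivity.java:42)"]}})
    on_message(report, {"type": "error", "description": "Error: hook failed"})
    return report


if __name__ == "__main__":
    # With a package name: trace on the device; without: run the offline demo.
    print(render(trace(sys.argv[1]) if len(sys.argv) > 1 else demo()))
```

The agent returns the real value after reporting, so the app keeps working while being observed; the `error` branch in on_message keeps hook-installation failures (for example a class that is absent on the device’s Android version) in the report rather than silently losing them.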

The project is available here and a sample of generated report is available here.

To run this project you will need a rooted android device with the most recent frida server running.
Once the env is ready, what you want to run is simply:

python3 tracer.py -p com.target.package

If you want to use the google play api shipped with the framework to download and install the apk and collect additional information, add the -pd flag:

python3 tracer.py -p com.target.package -pd

I’m available through Twitter to provide additional information about the setup of the environment.

Obviously, this is the highest level of abstraction I’m able to reach. More accurate and customized tests should be performed on each application, but I’m sure this could already highlight many terrible things, also because these applications are built with the urgency to be spread as soon as possible.

I would also love to see some reports from all around the world, and hints to improve the subset of tracing functions, so feel free to ping me anytime on Twitter.
