Hello all, and welcome to this new video of Android Security and Exploitation, by PentesterAcademy. So, in this video, we are going to have a look at a framework called Androguard, which is one of the really handy frameworks for analyzing applications. So, it's a reverse engineering and malware analysis framework, which is also completely open-source. So, if you're planning to go into scripting of malware analysis, or even just Android application security analysis, by writing automated scripts, this is something which you'll be really interested in. So, the framework is completely open-source and located at github.com/androguard/androguard. It's really easy to start out with. I'll just give you a sample. Androguard comes with a bunch of different other tools, such as Androlyze, which is for analyzing an application; Androsim, for analyzing the similarity between two different Android applications, which is kind of useful in malware analysis. Then you have Andromercury, which is related to the drozer framework, which was earlier known as Mercury. Androsign, Androdump, Androdiff and a lot many others. So, we'll start off with Androlyze, which is part of the Androguard framework, and we will start off with it. So, this entire framework is written in iPython, and that is also one of the reasons which... it's really easy to use in all the scripting that you do. Right.
So, once you have launched Androguard, or, in fact, Androlyze, we'll go ahead and identify all the activities, permissions, and services. So, we don't have to decompile the application and go through the entire AndroidManifest.xml in order to identify all this. So, once we load up Androlyze, we can simply do a myapp, or any variable name, and load the APK with it. So, let's go here and do it. So, let's do myapp = APK('/home/adi/Downloads/training/vulnapps/catch.apk'). You have myapp over here, right? And that's basically a really good starting point. And now, if you simply do myapp, then dot, and just hit Tab, it will show you a bunch of options which you can play around with. You can get different files, you can get all the activities, you can get the dex, package name, and so on. So, let's start off with getting the activities: get_activities. So, it's as simple as this. It will show you a list of all the activities. Similarly, for services, get_services, and in this case it just has three services. Let's try it out with content providers. Providers. And these are the two different content providers of the Catch application. You can also get the permissions for the application, model permissions as user. Let's have a look at the permissions as well: myapp.get_permissions. These are all the permissions that the application is using. Right.
You can also do myapp.get_details of all the permissions. So, it will show you a detail of all the permissions. So, for example, the permission INTERNET is one of the permissions that comes in the dangerous category, and the description is "full internet access," and it simply allows an application to create network sockets. And so on, and so forth. So, this is how you can use Androguard, and what you can do is, you can just write a Python script and play around with the application, basically extracting the application in full, finding a bunch of different vulnerabilities. I really recommend you to do that, and maybe post it on GitHub and share it with the security, or the PentesterAcademy, community, so that others can also learn from your experiences. Right. And, taken care of all the activities. So, this is permissions, and also the providers. So, the android_manifest_xml gives you the manifest in the XML format. Then you have the details_permissions, which we just did. Then you can get the list of all the files as well. So if you're, maybe, analyzing a malware, you might be interested in what all files this particular application has. So, if you do get_files, it'll give you a list of all the files inside the application, without you even having to unzip it. Right. So, the other things that you can do are get the package name, and check whether it's a valid apk or not.
One of the other things you can do is, you can retrieve all the classes from the application. Right. So, you just do a d, or any other variable, and give it a dvm.DalvikVMFormat, and simply use the myapp, which was the name of the variable which we used earlier, and get_dex. From there, you can basically get all the classes. So, let's try it out. So, you can simply do d = dvm.DalvikVMFormat(myapp.get_dex()). I have d with me. And now I can simply do for class in d.get_classes(), and print out all the class names: print class.get_name(). I hope it works. Invalid syntax, which is kind of interesting. So, for class in d.get_classes(), so I missed something over here. Let's try it again. Classes. Print class.get_name(). Let's see where we went wrong. for class in d.get_classes(): print class.get_name(). This should be working. Print class.get_name(). Invalid syntax. Let's try it: for t in d.get_classes(): print t.get_name(). Right. So, class was already a part of it, so that's why it didn't work. This is how you get a list of all the different classes in the particular application, which is really, really useful. So you can see that there's a ClearNotes class, there's a MediaMover class, and so on. Basically, you can also go ahead and write a script to get all the methods. This is something which I recommend you to do, and also post it on GitHub and share it with the community.
So, that's all for this video. I would really recommend you to play around with Androguard a lot, and experiment with all the different tools that are a part of the Androguard framework. Thanks for watching this video, and if you have any feedback or queries, feel free to reach out to me at adi@attify.com, and you can also tweet to me @adi1391. Thank you.
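The DalvikVMFormat / get_classes() / get_name() walk shown in the video reads each class descriptor out of the dex file's class_defs, type_ids and string_ids tables. As an added example, not code from the video or from Androguard, here is a stdlib-only Python parser that does that same lookup after verifying the dex Adler-32 checksum, together with a builder for a constructed minimal classes.dex to run it against (the com/example package and the ClearNotes / MediaMover descriptors are assumed sample values).

```python
import struct
import zlib
def _uleb128(buf, off):
    # Decode one unsigned LEB128 value; return (value, offset after it).
    value, shift = 0, 0
    while buf[off] & 0x80:
        value |= (buf[off] & 0x7F) << shift
        off, shift = off + 1, shift + 7
    return value | (buf[off] << shift), off + 1

def dex_class_names(dex):
    # Same walk as Androguard's get_classes()/get_name(): class_def -> type_id -> string_data.
    if dex[:4] != b"dex\n":
        raise ValueError("not a dex file")
    if struct.unpack_from("<I", dex, 8)[0] != zlib.adler32(dex[12:]):
        raise ValueError("dex checksum mismatch")  # Adler-32 covers bytes 12..end
    _, str_off, _, type_off = struct.unpack_from("<4I", dex, 0x38)
    n_cls, cls_off = struct.unpack_from("<2I", dex, 0x60)
    names = []
    for i in range(n_cls):
        class_idx = struct.unpack_from("<I", dex, cls_off + 32 * i)[0]       # class_def_item
        desc_idx = struct.unpack_from("<I", dex, type_off + 4 * class_idx)[0]  # type_id_item
        data_off = struct.unpack_from("<I", dex, str_off + 4 * desc_idx)[0]   # string_id_item
        _utf16_len, start = _uleb128(dex, data_off)
        names.append(dex[start:dex.index(b"\x00", start)].decode())  # MUTF-8; ASCII here
    return names

def build_sample_dex(descriptors):
    # Constructed input: minimal dex with only string_ids/type_ids/class_defs; short ASCII descriptors.
    n = len(descriptors)
    str_off, type_off = 0x70, 0x70 + 4 * n
    cls_off, data_off = type_off + 4 * n, type_off + 36 * n
    data, str_ids = bytearray(), []
    for d in descriptors:
        str_ids.append(struct.pack("<I", data_off + len(data)))
        data += bytes([len(d)]) + d.encode() + b"\x00"  # uleb128 utf16_size, MUTF-8, NUL
    type_ids = [struct.pack("<I", i) for i in range(n)]  # type i -> string i
    class_defs = [struct.pack("<8I", i, 1, 0xFFFFFFFF, 0, 0, 0, 0, 0) for i in range(n)]
    body = b"".join(str_ids + type_ids + class_defs) + bytes(data)
    hdr = bytearray(0x70)
    hdr[:8] = b"dex\n035\x00"
    struct.pack_into("<II", hdr, 0x20, 0x70 + len(body), 0x70)  # file_size, header_size
    struct.pack_into("<I", hdr, 0x28, 0x12345678)  # endian_tag
    struct.pack_into("<4I", hdr, 0x38, n, str_off, n, type_off)
    struct.pack_into("<2I", hdr, 0x60, n, cls_off)
    struct.pack_into("<2I", hdr, 0x68, len(data), data_off)
    dex = bytes(hdr) + body
    return dex[:8] + struct.pack("<I", zlib.adler32(dex[12:])) + dex[12:]

SAMPLE_DEX = build_sample_dex(["Lcom/example/ClearNotes;", "Lcom/example/MediaMover;"])  # assumed names
```

Against a real APK, feed it the bytes of classes.dex pulled from the zip; the checksum check is what catches a truncated or tampered dex before any offset is trusted.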