APK静态分析-JAADAS工具

1. 简介

1.1官方介绍

       JAADAS can also combines multidex into one and analysis them altogether. Most of JAADAS's detection capabilities can be defined in groovy config file and text file (soot's source and sink file).
  JAADAS是KEEN团队的Flanker在GIT上开源的一个Android静态检查工具，基于SOOF开发，可以检查Android应用类漏洞。

下载地址：GitHub - flankerhqd/JAADAS: Joint Advanced Defect assEsment for android applications

1.2 案例

CVE-2015-3854 in AOSP: http://seclists.org/fulldisclosure/2016/May/71

2 安装

2.1 环境要求

JDK >= 1.8 (must)
Scala >=2.11 Tested

Android SDK已经安装，并且platforms下有对应的API。

3 执行

3.1 快速执行

官方已提供了编译好的release 版本，是个jar包，可以下载直接使用。

下载地址：https://github.com/flankerhqd/JAADAS/releases/download/release0.1/jaadas-0.1.zip

下载后加压，路径如下：

3.2 命令

3.2.1 FullAnalysis

FullAnalysis unleash the full power of JAADAS and Soot, including inter-procedure whole-application analysis and inter-procedure dataflow analysis. But it may also consume much time and may not finish on machines with small memory (<16GB). Default is full-mode.
完整的FUZZ扫描，但是要求最小内存是16G

3.2.2 FastAnalysis

FastAnalysis usually finishes in less than 1 minute and is intended for large-scale batch analysis. Inter-procedure analysis is disabled to achieve maxmium flexibility. In normal situations this mode is enough for common audit.

–fastanalysis enables fastanalysis and disables fullanalysis.

Command line for analysis:

java -jar jade-0.1.jar vulnanalysis -f 1.apk -p /xxx/android-sdks/platforms/ -c /xxx/JAADAS/jade/config/ --fastanalysis

Notice
Soot requires the specific version of platform.jar to be presented, for example, if your analysis target has targetSDK=22, then Soot will look for platforms/android-22/android.jar, otherwise will raise error. If you don’t have the specific jar, actually you can just make a symbolic at that position pointing what you already have, say, android-16.jar to make Soot happy. It won’t affect analysis result precision.

3.2.3 ## -f option

-f option
-f option specifies the APK to be analyzed.

3.2.4 ## -c option

-c option
-c option must be provided as the directory for config files, including taint rules, source and sink, vulnerable API description and so on. If you do not understand the config files content, do not modify them, leave them as it is.

3.2.5 ## -p option

-p option
-p option specifies the android platform directory, which usually just points to ${ANDROID_SDK}/platforms/.

3.2.6 扫描过程及结果分析

我们针对我们自己的产品的一个APK做安全分析，执行的命令和过程如下：

生成的文件在 D:\jaadas-0.1\output 这个目录下：

内容如下：

结论分析：
存在1个安全问题，描述为：io.dcloud.PandoraEntry FragmentInjection exist! (before API 17)，5分，等级3。

3.3 异常处理

执行过程中，有时候需要配置

To avoid OOM, add -Xmx option to commandline, e.g. java -jar -Xmx8192m jade-0.1.jar

4. 漏洞类型

4.1 注入类漏洞

FragmentInjection exist

4.2 Backup漏洞

application doesn’t disable backup

4.3 Crash类漏洞

cast crash exception

4.4 Webview类漏洞

Check webview save password disabled or not

4.5 解压缩漏洞

Scan for ZipEntry vulnerable to unzip directory traversal vulnerability

4.6 中间人攻击

SSL setHostnameVerifier
X509TrustManager empty impl, lead to SSL vulnerability
implements custom verifier that always return true