Introspy-Android - Tool For Blackbox Android App Analysis

Introspy-Android - Tool For Blackbox Android App Analysis

Introspy-Android is a Blackbox tool designed to help penetration testers understand what an application does at runtime and to assist in the identification of potential security issues.

The tool comprises two separate components: a GUI interface to configure hooks, filters and options and a Cydia Substrate extension containing the core of the tool functionalities, including hooks and analysis of potential issues.

It can be installed on a rooted device and dynamically configured to hook security-sensitive Android APIs at run-time. The tool records all the relevant API calls made by an application, including function calls, arguments, and return values. It then performs tests for security issues in real time and persists the results in a database and in the Android logging system.

The Introspy analyzer can then be used to analyze a database generated by the tracer, and generate HTML reports containing the list of logged function calls as well as a list of potential vulnerabilities affecting the application.

Once installed, the tool will store in an SQLite database (and in the system logs) calls made by Android applications to security-sensitive APIs as well as potential issues.

An example of data dumped in logcat:

Introspy-Android Data Dump

Example of an HTML report (leveraging the Analyzer):

Introspy-Android HTML Report

The GUI lets the user choose which Android App should be monitored and which APIs to monitor. The "NO DB" option disables logging into a database (which makes the apps faster) and the "STACK TRACE" option will save and log a minimal call stack for the selected filters.

Introspy-Android Config Screenshot


1. Ensure that Cydia Substrate has been deployed on your test device. The installer requires a rooted device and can be found on the Google Play store

2. Download the pre-compiled APKs (download links are at the end of this article).

3. Install Introspy-Android Core.apk on a device where Cydia Substrate is installed with:
adb install Introspy-Android Core.apk

4. Install Introspy-Android Config.apk:
adb install Introspy-Android Config.apk

The Instrospy-Android Config application displays apps the Core application will hook and the various filters and options applied to them. This application needs root access (you can use superSU to give temporary root access to the application). The changes are dynamic and you do not need to restart the applications for them to be effective.
  • Once configured with the Config application, logs are dumped in the system logs and in a database in the directory of the application hooked (in databases/introspy.db).
  • To generate an HTML report using the generated database, you can use the Introspy-Analyzer.
It should be noted that the Core application can work on a device running Android 2.3 and above whereas the Config application can only run on Android 3.0 due to the use of specific APIs. In order to test applications on older SDKs without the GUI by only using the Core application, you can simply create a file named "introspy.config" containing filters you want to hook in the directory of the applications you want to test. 

adb shell su -c echo "GENERAL CRYPTO, KEY, HASH, FS, IPC, PREF, URI, WEBVIEW" > /data/

How to uninstall Instrospy-Android:
adb uninstall com.introspy.core
adb uninstall com.introspy.config

Relevant data including potential issues related to the APIs hooked is dumped in a database and in the system logs. You can do the following commands to display them:

Display the complete logs:
adb logcat -s "Introspy"

Display potential issues:
adb logcat -s "Introspy:W"

What is being analyzed/logged?

General Crypto:
  • Log encrypted/decrypted data before/after calls and the algo used (Note: "readable data is displayed if at least 75% of characters are readable, unreadable characters are stored as ".". If data is not readable, it is stored as base 64)
  • Spot static IVs and broken algorithms
  • Spot weak RNG

  • Log data that is being hashed and the resulting hash
  • Display algo used and warns if weak (MD5)

  • Log any keys used to encrypt
  • Log PBKDF key creation (key, passcode, iterations)
  • Log passcode used with a keystore

  • Log only some file system accesses as they are very noisy
  • Spot read/write on SD card and the creation of file (or set property) as world readable/writable

  • Log IPC creations with details
  • Log some Intent sent with details (and extra)
  • Programmatic permissions and creation

  • Log read/write of preferences with its data, the type and the default value (value set if nothing is returned)
  • Dump all preferences when getAll is called, this is done only once to avoid noise
  • Log world read/writeable prefs
  • Warn for access to preferences that don't exist (could be a hidden preference to enable logs for instance)

  • Warn if SSL is used but any hostname is validated for a valid cert
  • Warn if the app validates any cert (self-signed etc.)
  • Log if cert pinning is potentially implemented
  • Log if SSL not used

  • Log when JS, plugins or FS access are enabled for a webview
  • Warn/log when a JS interface is used (JS bridge)

  • Log data passed to execSQL, update*, insert*, replace

No comments

Powered by Blogger.