Hack Tools

truegaze v0.1.5 releases: Static analysis tool for Android/iOS apps focusing on security issues

truegaze

A static analysis tool for Android and iOS applications focusing on security issues outside the source code such as resource strings, third-party libraries, and configuration files.

Structure

The application is command line and will consist of several modules that check for various vulnerabilities. Each module does its own scanning, and all results get printed to the command line.

Changelog v0.1.5

  • Fixed issue with IPA file detection (#3)
  • Fixed packaging problem

Install

pip install truegaze

Use


To scan an application:

truegaze scan test.apk

truegaze scan test.ipa

Sample output

Listing modules:

[pastacode lang=”markup” message=”” highlight=”” provider=”manual”]

[email protected]:~/$ truegaze list
Total active plugins: 1
+----------------+------------------------------------------+---------+------+
|      Name      |               Description                | Android | iOS  |
+----------------+------------------------------------------+---------+------+
| AdobeMobileSdk | Detection of incorrect SSL configuration |  True   | True |
|                |         in the Adobe Mobile SDK          |         |      |
+----------------+------------------------------------------+---------+------+

[/pastacode]

 

 

Scanning an application:

[pastacode lang=”markup” message=”” highlight=”” provider=”manual”]

[email protected]:~/$ truegaze scan ~/test.ipa
Identified as an iOS application via a manifest located at: Payload/IPAPatch-DummyApp.app/Info.plist
Scanning using the "AdobeMobileSdk" plugin
-- Found 1 configuration file(s)
-- Scanning "Payload/IPAPatch-DummyApp.app/Base.lproj/ADBMobileConfig.json'
---- FOUND: The ["analytics"]["ssl"] setting is missing or false - SSL is not being used
---- FOUND: The ["remotes"]["analytics.poi"] URL doesn't use SSL: http://assets.example.com/c234243g4g4rg.json
---- FOUND: The ["remotes"]["messages"] URL doesn't use SSL: http://assets.example.com/b34343443egerg.json
---- FOUND: A "templateurl" in ["messages"]["payload"] doesn't use SSL: http://my.server.com/?user={user.name}&zip={user.zip}&c16={%sdkver%}&c27=cln,{a.PrevSessionLength}
---- FOUND: A "templateurl" in ["messages"]["payload"] doesn't use SSL: http://my.43434server.com/?user={user.name}&zip={user.zip}&c16={%sdkver%}&c27=cln,{a.PrevSessionLength}
Done!

[/pastacode]

 

 

Copyright (C) 2019 nightwatchcyber

Source: https://github.com/nightwatchcybersecurity/



The post truegaze v0.1.5 releases: Static analysis tool for Android/iOS apps focusing on security issues appeared first on Penetration Testing.

Comments
To Top