This is a shell script to perform static analysis on mobile applications. Currently it only works for android apk files. What makes this tool different from all the other tools that do this? My goal with this project is to actually exploit things. Often you find static analysis tools point to things and say VULNERABLE! and the user is left to figure out why. Or worst its a false positive.
This tool has two options currently:
- -v verbose = Show me why you think its broken (useful for fixing and reporting)
- -e exploit = Show me how to exploit this so called broken thing. Or show me how to manually check if it is indeed broken. I try provide actual commands that can be cut and pasted into the terminal verbatim to demonstrate risk.
apkinfo # sudo apt-get install apkinfo
d2j-dex2jar # sudo apt-get install openjdk-7-jre
apktool # https://ibotpeaches.github.io/Apktool/install/
./mavs.sh
╓
╕ ╒╣╕ ╣╣╣─ ╦╣╣
╓ ║╬ ╣╣╣ ╒ ╣╣╣─ ╒╣╣╩╙╣╬║╣
╣╕ ╣╣ ╫╣ ╫╣ ╡ ╔ ╣╣╣ ╦╣╩ ║╣╬
╣╣╣ ║╣╣╬ ╔╣╩ ╫╣╖ ╞╬ ╣╣ ╣╣╣ ╣╣╬ ╞╩
╒╣╣╩╣╣╖ ╔╣╬╣╣╕ ╔╣╣╗╗╦╦╣╣╦╦╣╣ ╣╣╣ ╣╣╣ ╙╣╣╣╦╗╖
╔╣╣╜ ╝╣╣╣╜ ╙╣╣═╩╜║╣╣╜ ╫╣╖ ╣╣╣ ╒╣╣╣ ╠╜╝╣╣╣╣╗╖
╓╣╣╩ ╚╣╣ ╦╣╬ ╚╣╗ ╣╣╬╓╣╣╬ ╓╦╣╣╣╩ ╙╙╝╣╣╣╗╖
╒╣╣╬╗╗╗ ╚╣╣╖ ╙╣╣╗ ╙╣╣╣╣╩ ╓╣╣╩╙ ║╣ ╙╣╣╣╖
╓╣╣╝╜╙╙╙╙ ╚╣╣╖╦ ╙╝╣╗╖ ╫╣╣╬ ├╣╣╖ ╬ ╓╓╗╣╣╣╩
║╣╣╣╣╣╣╣╣╣╖ ╓╣╣╣ ╣╬ ╙╙╝╣╣╣╣╣╣╣╣╣╣╣╣╣╣╣╝╝╜╙╙
└╙╙╨╝╝╝╝╝╝╝╝╝╨╜╜╙╙╙ ╣
Mobile Application Vulnerability Scanner | @sho_luv
Usage: mavs.sh [OPTIONS]
Required:
-f <apk> Andorid APK file to decompile and run static analysis
Options:
-v Verbose, show affected files
-e Show how to exploit finding
-h Show this help
- Insufficient Certificate Validation -- partial check
- Application Logging
- Backups Allowed
- Debugging Enabled
- Snapshot Allowed
- Cleartext Allowed
- Debugging Enabled
- Hard codded *.pem files
- App built with flutter
- Provides examples on how to check app, device storage issues