ASAP

This WhiteHat School(WHS) Project is an open-source, analysis tool to support for App Vulnerability Manual Analysis Hackers and App Developers.

The ASAP tool basically provides possible locations for vulnerabilities in code obtained using the jadx decompiler.

ASAP only supports static analysis.

---

Scope of Vulnerabilities in ASAP:

• SQL_Injection

  Detects query statements, detects the uri address of Content Provider with exported = true, and returns it to the result value

• WebView

  Detect if you use an external intent as an activity target with [exported="true"] exported from androidmanifest.xml and load the intent with loadURL => webview vulnerability detection Check presence of function that allows file access with javascripted function in same activity => xss vulnerability detection

• DeepLink

  Print [scheme://host/path] from Androidmanifest.xml, detection of parameters through getQueryParameter function in smali code, adjustable host/path through addURI function, url matching scheme through 'Uri; ->parse, JavascriptInterface Detection of JavascriptInterface Available in WebView via JavascriptInterface Annotation, addJavascriptInterface Detection =>Redirect Vulnerability

• HardCoded

  API Key or Credentials inside the apk

• Permission

  Extract Permission from Android Manifest in xml Code

• Insecure_DataStorage (Crypto)

  Extract encryption logic within Shared Preference

• Insecure_Logging (LogE)

  Log detection that outputs sensitive information in Java code

---

ASAP Tool Guide

1. Getting Started

git clone https://github.com/WHS-ASAP/ASAP.git
cd ASAP
pip install -r requirements.txt

---

2. Add ASAP/src/tools/jadx/lib/jadx-dev-all.jar

Download the jadx-dev-all.jar file from here: https://drive.google.com/file/d/1u2BQv8YsoNmeNCLvpt2V9HRhnzU-51Q8/view?usp=sharing

---

3. If you want to set target applications, go to ASAP/src/docs/target.txt and write app package name

Go to ASAP/src/docs

---

4. If you want to test some HackerOne applications, just run apk_Downloader.py without target.txt

---

5. Go to ASAP/src, run apk_Downloader.py

---

6. If you can find ASAP/src/apk_dir, run ASAP.py

First, run ApkProcessor.py -> you can find ASAP/src/java_src and ASAP/src/smali_src

Then, run Ananyzer.py

---

7. Go to ASAP/src/ASAP_Web, run app.py

---

Check execution with video

ASAP_Guide.mp4

References

(OWASP Mobile Top10)

(BWASP)

(Webview Hijacking)

Contributor version 1.0

• PM: Yeeun Lee (@Yenniiii)

  Develop WebView module

• Jeongahn Jang (@jeongahn)

  Full-Stack(develop web), Development Manager(contribute all of modules)

• Seoah Myeoung (@SeoA0703)

  Develop Permission, Log module

• Woohyun Son (@emerards)

  Develop SQL_Injection

• Yebean Kim (@kimyebean)

  Develop Crypto module

• Yunseong Lee (@hansowon)

  Develop DeepLink module

• Yuwon Seol (@AR3CIA)

  Develop HardCoded module

---

Contributor version 2.0

• PM : Jeongahn Jang (@jeongahn)

  Develop SQL_Injection, Log module

• Yeeun Lee (@Yenniiii)

  Develop WebView, DeepLink module

• Seoah Myeoung (@SeoA0703)

  Develop Permission module

• Yuwon Seol (@AR3CIA)

  Develop HardCoded module

---

• Mentor: Joowon Kim (@arrester)
• PL: Seonggwang Park (@n0paew)

---

Acknowledgement

This work was supported by Korea Information Technology Research Institute (KITRI) 2nd WhiteHat School (WHS) Program.

[Project Name: APP in Security (ASAP) Project]