MARA is a Mobile Application Reverse engineering and Analysis Framework. It is a tool that puts together commonly used mobile application reverse engineering and analysis tools, to assist in testing mobile applications against the OWASP mobile security threats. Its objective is to make this task easier and friendlier to mobile application developers and security professionals.
How it all started
For the past few months I had been digging into the Android operating system to understand its inner workings and how its different elements are pieced together. I decided to start off by trying to understand how applications are developed.
The first step was to understand the components of an Android application, then later how the operating system executes it, what data is stored, where it's stored and who had access to it.
It soon became quite frustrating to have to run various tools to get different output. For example, running dex to jar to convert the Android application (apk) into a jar file, or converting the apk into smali bytecode using baksmali. This process was not only inconvenient and slow, but I could only reverse engineer and study one app at a time. At this point in time my good friend Chrispus was also facing the same challenges in reverse engineering Android apps.
After a bit of googling I came across MobSF. It's an awesome tool that performs both static and dynamic analysis of both Android and iOS applications. After downloading the tool from GitHub and poking around in it, I found the strings it was using to perform the static analysis, and that was when we had the light bulb moment.
We figured, why don’t we use the same strings to perform the static analysis but dump the identified matches to a text file for review? First things first was to ask Ajin, the creator of MobSF, for permission to use the detection strings, to which he obliged. What crossed our minds next was the OWASP Mobile Top 10: which checks are supposed to be performed on a mobile application in accordance with the OWASP mobile security threats? Then we came across the mobile app checklist on the OWASP website for both static and dynamic analysis.
After a few months of bash scripting, the simple reverse engineering script morphed into the MARA framework: a tool that decompiles Android applications, Java classes, dex files and class files into Java class files, then proceeds to statically analyze them. We included androbugs to scan for potential vulnerabilities in the apk, alongside a number of other tools. There is also an integrated SSL scanner for scanning domains extracted from the resulting source code. This was nothing more than a script to make our work easier, faster and more efficient.
APK Reverse Engineering
- Disassembling Dalvik bytecode to smali bytecode via baksmali and apktool
- Disassembling Dalvik bytecode to Java bytecode via enjarify
- Decompiling APK to Java source code via jadx
- APK deobfuscation via apk-deguard.com
- Parsing smali files for analysis via smalisca
- Dump apk assets, libraries and resources
- Extracting certificate data via openssl
- Extract strings and app permissions via aapt
- Identify methods and classes via ClassyShark
- Scan for apk vulnerabilities via androbugs
- Analyze apk for potential malicious behaviour via androwarn
- Identify compilers, packers and obfuscators via APKiD
- Extract execution paths, IP addresses, URL, URI, emails via regex
APK Manifest Analysis
- Extract Intents
- Extract exported activities
- Extract receivers
- Extract exported receivers
- Extract Services
- Extract exported services
- Check if apk is debuggable
- Check if apk allows backups
- Check if apk allows sending of secret codes
- Check if apk can receive binary SMS
- Domain SSL scan via pyssltest and testssl
- Website fingerprinting via whatweb
- Source code static analysis based on the OWASP Mobile Top 10 and the OWASP Mobile Apps Checklist
- MARA is capable of performing either single or mass analysis of apk, dex or jar files.
For more information please follow the LINK
A set of multiple test tools will be necessary for a more thorough and comprehensive testing process. I have given an overview of the MARA Framework setup process and how it can expedite your Android app reverse engineering and static analysis process.
BriskInfosec has extensive experience in mobile app penetration testing to identify potential vulnerabilities and ensure coding practices in Android applications.