Truegaze - Static Analysis Tool For Android/iOS Apps Focusing On Security Issues Outside The Source Code
A static analysis tool for Android and iOS applications focusing on security issues outside the source code, such as resource strings, 3rd party libraries and configuration files.
Requirements
Python 3 is required and you can find all required modules in the requirements.txt file. Only tested on Python 3.7 but should work on other 3.x releases. No plans for 2.x support at this time.
Installation
You can install this via PIP as follows:
pip install truegaze
truegaze
To download and run manually, do the following:
git clone https://github.com/nightwatchcybersecurity/truegaze.git
cd truegaze
pip install -r requirements.txt
python -m truegaze.cli
How to use
To list modules:
truegaze list
To scan an application:
truegaze scan test.apk
truegaze scan test.ipa
Sample output
Listing modules:
user@localhost: /$ truegaze list
Total active plugins: 1
+----------------+------------------------------------------+---------+------+
| Name           | Description                              | Android | iOS  |
+----------------+------------------------------------------+---------+------+
| AdobeMobileSdk | Detection of incorrect SSL configuration | True    | True |
|                | in the Adobe Mobile SDK                  |         |      |
+----------------+------------------------------------------+---------+------+
Scanning an application:
user@localhost: /$ truegaze scan /test.ipa
Identified as an iOS application via a manifest located at: Payload/IPAPatch-DummyApp.app/Info.plist
Scanning using the "AdobeMobileSdk" plugin
-- Found 1 configuration file(s)
-- Scanning "Payload/IPAPatch-DummyApp.app/Base.lproj/ADBMobileConfig.json'
---- FOUND: The ["analytics"]["ssl"] setting is missing or false - SSL is not being used
---- FOUND: The ["remotes"]["analytics.poi"] URL doesn't use SSL: http://assets.example.com/c234243g4g4rg.json
---- FOUND: The ["remotes"]["messages"] URL doesn't use SSL: http://assets.example.com/b34343443egerg.json
---- FOUND: A "templateurl" in ["messages"]["payload"] doesn't use SSL: http://my.server.com/?user={user.name}&zip={user.zip}&c16={%sdkver%}&c27=cln,{a.PrevSessionLength}
---- FOUND: A "templateurl" in ["messages"]["payload"] doesn't use SSL: http://my.43434server.com/?user={user.name}&zip={user.zip}&c16={%sdkver%}&c27=cln,{a.PrevSessionLength}
Done!
Display installed version:
user@localhost: /$ truegaze version
Current version: v0.2
Structure
The application is command line based and will consist of several modules that check for various vulnerabilities. Each module does its own scanning, and all results get printed to the command line.
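The sample output above shows the kind of checks the AdobeMobileSdk module performs on an ADBMobileConfig.json file: the analytics SSL flag, the remote endpoint URLs and the in-app message template URLs. The following is an added example of such a configuration checker, written for this page and not Truegaze's own module code. It assumes the JSON layout implied by the sample output (an "analytics" object with an "ssl" flag, a "remotes" map of URLs and a "messages" array whose entries carry a "payload" with a "templateurl"); the sample configuration embedded in it is constructed.

```python
"""Added example (not Truegaze's own code): a simplified checker for the
cleartext-transport findings reported in the sample output above.

Assumed ADBMobileConfig.json layout (inferred from the sample output):
  {"analytics": {"ssl": bool},
   "remotes": {"<name>": "<url>", ...},
   "messages": [{"payload": {"templateurl": "<url>"}}, ...]}
"""
import json
from urllib.parse import urlsplit

# Constructed sample configuration mirroring the keys named in the sample output.
SAMPLE_CONFIG = json.dumps({
    "analytics": {"ssl": False},
    "remotes": {
        "analytics.poi": "http://assets.example.com/poi.json",
        "messages": "https://assets.example.com/messages.json",
    },
    "messages": [
        {"payload": {"templateurl": "http://my.server.com/?user={user.name}"}},
        {"payload": {"templateurl": "https://my.server.com/?user={user.name}"}},
        {"payload": {}},
    ],
})


def uses_ssl(url):
    """True only when the URL scheme is https (case-insensitive)."""
    return urlsplit(url).scheme.lower() == "https"


def check_adobe_config(text):
    """Return a list of finding strings for the contents of one config file."""
    findings = []
    try:
        config = json.loads(text)
    except ValueError as exc:
        return ["Unable to parse config as JSON: %s" % exc]
    if not isinstance(config, dict):
        return ["Config root is not a JSON object"]

    # 1. ["analytics"]["ssl"] must be present and exactly true.
    analytics = config.get("analytics")
    if not isinstance(analytics, dict) or analytics.get("ssl") is not True:
        findings.append('The ["analytics"]["ssl"] setting is missing or false '
                        '- SSL is not being used')

    # 2. Every remote endpoint URL must use https.
    remotes = config.get("remotes")
    if isinstance(remotes, dict):
        for name, url in remotes.items():
            if isinstance(url, str) and not uses_ssl(url):
                findings.append('The ["remotes"]["%s"] URL does not use SSL: %s'
                                % (name, url))

    # 3. Every in-app message template URL must use https.
    messages = config.get("messages")
    if isinstance(messages, list):
        for message in messages:
            payload = message.get("payload") if isinstance(message, dict) else None
            url = payload.get("templateurl") if isinstance(payload, dict) else None
            if isinstance(url, str) and not uses_ssl(url):
                findings.append('A "templateurl" in ["messages"]["payload"] '
                                'does not use SSL: %s' % url)
    return findings


if __name__ == "__main__":
    # Runs against the constructed sample; reports three findings.
    for finding in check_adobe_config(SAMPLE_CONFIG):
        print("---- FOUND: " + finding)
```

The checker deliberately treats a missing or malformed setting the same as an insecure one, since an SDK that falls back to a default of plain HTTP is what the finding is meant to catch; a module in the real tool would open each configuration file found in the extracted archive and feed its contents to a function like this.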
Reporting bugs and feature requests
Please use the GitHub issue tracker to report issues or suggest features: https://github.com/nightwatchcybersecurity/truegaze
You can also send email to research /at/ nightwatchcybersecurity [dot] com
Wishlist
- More unit test coverage for code that interacts with Click
- Ability to extract additional files from online sources
- Ability to check if a particular vulnerability is exploitable
- Ability to produce JSON or XML output that can feed into other tools
- More modules!
About the name
"True Gaze" or "Истинное Зрение" is a magical spell that reveals the invisible (from the book "Last Watch" by Sergei Lukyanenko)