A instrument to automate the recon course of on an APK file.
Slicer accepts a path to an extracted APK file after which returns all of the actions, receivers, and providers that are exported and have null permissions and may be externally provoked.
Be aware: The APK needs to be extracted through jadx or apktool.
Why?
I began bug bounty like 3 weeks in the past(in June 2020) and I’ve been making an attempt my greatest on android apps. However I seen one factor that in all of the apps there have been sure issues which I’ve to do earlier than diving in deep. So I simply thought it could be good to automate that course of with a easy instrument.
Why not drozer?
Properly, drozer is a distinct beast. Although it does finds out all of the accessible elements however I used to be bored with operating these instructions repeatedly.
Why not automate utilizing drozer?
I truly wrote a bash script for operating sure drozer instructions so I will not must run them manually however there was nonetheless some boring stuff that needed to be executed. Like Checking the strings.xml for numerous API keys, testing if firebase DB was publically accessible or if these google API keys have setup any cap or something on their utilization and lot of different stuff.
Why not search all of the information?
I feel {that a} instrument like grep or ripgrep could be a lot quicker to go looking via all of the information. So if there’s something particular that you simply need to search it could be higher to make use of these instruments. However if you happen to assume that there’s something which must be checked in all of the android information then be happy to open a problem.
-
Examine if the APK has set the
android:allowbackuptotrue -
Examine if the APK has set the
android:debuggabletotrue. -
Return all of the actions, providers and broadcast receivers that are exported and have null permission set. That is selected the idea of two issues:
android:exporte=trueis current in any of the part and haven’t any permission set.- If exported is just not point out then slicer verify if any
Intent-filtersare outlined for that part, if sure that signifies that part is exported by default(That is the rule given in android documentation.)
-
Examine the Firebase URL of the APK by testing it for
.jsontrick.- If the firebase URL is
myapp.firebaseio.comthen it would verify ifhttps://myapp.firebaseio.com/.jsonreturns one thing or offers permission denied. - If this factor is open then that may be reported as excessive severity.
- If the firebase URL is
-
Examine if the google API keys are publically accessible or not.
- This may be reported on some bounty applications however have a low severity.
- However more often than not reporting this type of factor will convey out the ache of
Duplicate. - Additionally generally the corporate can simply shut it as
not relevantand can declare that the KEY has autilization cap– r/suspiciouslyspecific
-
Return different API keys which can be current in
strings.xmland inAndroidManifest.xml -
Checklist all of the file names current in
/res/uncookedandres/xmllisting. -
Extracts all of the URLs and paths.
- These can be utilized with instrument like dirsearch or ffuf.
git clone https://github.com/mzfr/slicer
cd slicer- Now you’ll be able to run it:
python3 slicer.py -h
It is quite simple to make use of. Following choices can be found:
Extract info from Manifest and strings of an APKUtilization:
slicer [OPTION] [Extracted APK directory]
Choices:
-d, --dir path to jadx output listing
-o, --output Title of the output file(not applied)
I’ve not applied the output flag but as a result of I feel if you happen to can redirect slicer output to a yaml file it would a correct format.
- Extract info from the APK and show it on the display screen.
python3 slicer.py -d path/to/extact/apk -c config.jsonThe extractor module used to extract URLs and paths is taken from apkurlgrep by @ndelphit
All of the options applied on this are issues that I’ve realized in previous few weeks, so if you happen to assume that there are numerous different issues which must be checked in an APK then please open a problem for that function and I would be completely happy to implement that 🙂
If you would like you should buy me some espresso:
