Project author: SUPERAndroidAnalyzer

Project description:
Secure, Unified, Powerful and Extensible Rust Android Analyzer
Primary language: Rust
Project URL: git://github.com/SUPERAndroidAnalyzer/super.git
Created: 2016-05-12T16:25:49Z
Project community: https://github.com/SUPERAndroidAnalyzer/super

License: GNU General Public License v3.0



SUPER Android Analyzer


Secure, Unified, Powerful and Extensible Rust Android Analyzer

SUPER is a command-line application for Windows, MacOS X and Linux that analyzes .apk files in
search of vulnerabilities. It does this by unpacking the APK, decompiling its code and applying a
series of rules to the result to detect those vulnerabilities.

But why create a new analyzer? Aren't MobSF, Qark, Androbugs and the like enough? We think they are
not. All of them share two main issues we wanted to fix: they are written in Java or Python, and they
are not easily extensible. They are not designed for businesses working directly in Android
analysis, and they don't put that kind of functionality first.

Our approach addresses those issues in two ways. First, we chose Rust as our programming language.
The language, developed openly by the Mozilla Foundation, gives us solid libraries for regular
expressions, file handling and so on, and, most importantly, it lets us build secure software that
does not depend on a JVM or a JIT compiler. In safe Rust, memory errors such as stack overflows and
segmentation faults are ruled out by the compiler, which matters for a security-focused
application. Rust also gives us enough performance to run analyses efficiently, so they can be
automated at high volume. This comes from Rust's zero-cost abstractions, which give an efficiency
comparable only to C/C++.

Second, we decided to make the software fully extensible: all rules are centralized in a
rules.json file, so each company or tester can write its own rules to check for whatever it needs.
The software is also modular, so new functionality can be added easily. Finally, a templating
system for the results reports lets users customize the report.

SUPER also provides code review tools directly in the HTML report, so anyone can search through the
decompiled code with syntax highlighting for a more thorough vulnerability analysis.

Installation

We have released binaries on the download page for Windows (8.1+), Linux and MacOS X. Only 64-bit
packages are available for now. If you need to use SUPER on a 32-bit system, you will have to
compile SUPER from source; for that, install Rust with rustup.rs.

Note: It requires Java 1.7+ to run.

Usage

SUPER is very easy to use. Download the desired .apk into the downloads folder (create that folder
if necessary) and pass its name as an argument when running the program. After the run, a detailed
report is written to the results folder under that application's name. The following usage options
are available:

  USAGE:
      super [FLAGS] [OPTIONS] <package>

  FLAGS:
          --bench       Show benchmarks for the analysis
          --force       If you'd like to force the auditor to do everything from the beginning
      -h, --help        Prints help information
          --html        Generates the results in HTML format
          --json        Generates the results in JSON format
          --open        Open the report in a browser once it is complete
      -q, --quiet       If you'd like a zen auditor that won't output anything in stdout
      -a, --test-all    Test all .apk files in the downloads directory
      -V, --version     Prints version information
      -v, --verbose     If you'd like the auditor to talk more than necessary

  OPTIONS:
          --dex2jar <dex2jar>                   Where to store the jar files
          --dist <dist>                         Folder where distribution files will be extracted
          --downloads <downloads>               Folder where the downloads are stored
          --jd-cmd <jd-cmd>                     Path to the jd-cmd file
          --min-criticality <min_criticality>   Set a minimum criticality to analyze (Critical, High, Medium, Low)
          --results <results>                   Folder where to store the results
          --rules <rules>                       Path to a JSON rules file
          --template <template>                 Path to a results template file
      -t, --threads <threads>                   Number of threads to use, by default it will use one thread per logical CPU core

  ARGS:
      <package>    The package string of the application to test

Contributing

Everybody is welcome to contribute to SUPER. Please read the SUPER Contribution Guidelines for
instructions on how to proceed.

Development documentation

License

This program is free software: you can redistribute it and/or modify it under the terms of the GNU
General Public License as published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.