Dynamic android vulnerability scanner using OpenNebula and Android-x86 emulators.

Version: 0.01

Vulnerabilities analyzed dynamically are:

• JAVASCRIPT_INTERFACE
• PHONEGAP_JS_INJECTION
• PHONEGAP_CVE_3500_URL
• SSL_CUSTOM_TRUSTMANAGER
• SSL_CUSTOM_HOSTNAMEVERIFIER
• SSL_ALLOWALL_HOSTNAMEVERIFIER
• SSL_INSECURE_SOCKET_FACTORY
• SSL_WEBVIEW_ERROR
• WEBVIEW_FILE_SCHEME

Also it checks for new vulnerabilities that might be found while searching for others:

• ZIP_PATH_TRAVERSAL
• INSECURE_TRANSMISSION
• INSECURE_STORAGE

VMManager is in charge of searching new vulnerabilities to be analyzed in Marvin's Django database.

VMClients receive the app and type of vulnerability to analyze and emulator to use from VMManager. It uses ADB to connect to the emulator and start the analysis. It also configures the emulator to act as its gateway to intercept HTTP/HTTPS requests.

VMClients uses a custom fuzzer MarvinToqueton developed for interacting with the application to try triggering the vulnerabilities.

The emulators are running Android 4.3 x86 because of Cydia Substrate support. The project is using Android-x86 images.

There are 3 types of emulator:

• Emulators with no SSL verification
• Emulators with normal SSL verification (They are used to check if an application does proper SSL verification)
• Emulators running ICS 4.0 (Used for exploiting Javascript Interface vulnerability)

VMManager configurations are in settings.py:

NET_ID = 1 #ID used for OpenNebula virtual network
#credentials for RPC
ONE_IP = "http://IP:2633/RPC2"
ONE_CREDS = "" #OpenNebula xml RPC credentials
ELASTIC_SEARCH_SERVER = "ELASTIC_SEARCH_IP_ADDRESS"
DOWNLOAD_APK_SITE = "http://FRONTEND_IP_ADDRESS/frontpage/"
ANDROID_VM_POOL = {"NONSSL":{"NON_SSL_EMULATOR_IP"},"SSL":{"EMULATOR_IP"},"JAVASCRIPTINTERFACE":{"ICS_EMULATOR_IP"}}

IMPORTANT: Under the django_support directory, also configure the settings.py file with the corresponding SECRET_KEY, database password and BungieSearch URL from Marvin-frontend configuration.

VMClient configurations are also in the settings.py file:

VM_MANAGER_IP = 'VMMANAGER_IP_ADDRESS:8082'
REPORTER_IP = 'localhost:8081'
DEBUG_MODE = False

#Some fuzzer configurations that can be modified in Marvin-toqueton project.

Start the server with:

	python VMManager.py

And VMClients with:

	./client.sh

Marvin dynamic analyzer obtains the next app to analyze from the pool of unverified vulnerabilities on Marvin's database. If you want to run an analysis on a single app you can change the variable DEBUG_MODE to True in settings.py of the client. Then you can run an analysis with:

	python VMClient.py [VULNERABILITY_ID] [PACKAGE-NAME/FILE-NAME] '''{"emulator":"EMULATOR_IP_ADDRESS","count":0}'''

In the case of PHONEGAP_CVE_3500_URL, you must also include the parameter "activity" with a reference to the initial application activity. If you only want to run checks against vulnerabilities not found statically such as ZIP path traversal, insecure storage and insecure transmission use "dummy" as the vulnerability ID.

IMPORTANT: The filename of the APK must be the same as the package name.

VMManager and VMClient can use any Linux virtual machine hosted in OpenNebula. Authors used ttylinux - kvm from OpenNebula Marketstore as template.

Run to install dependencies:

	pip install bungiesearch

	sudo apt-get install python-mysqldb

	apt-get install default-jre

	apt-get install python-django

Run to install dependencies:

	apt-get install mitmproxy

Download from the Android-x86 site the ISO for 4.3 or 4.0 release. Install it in a disk with your favorite virtualization tool. Authors used VirtualBox.

Convert the installed image to KVM qemu's format in order to support OpenNebula's snapshot feature. You can use the following command:

	qemu-img convert -O qcow2 original-image image-converted.qcow

Upload the image to OpenNebula and create a new template for the emulator.

Example of template:

	CONTEXT=[NETWORK="YES",SSH_PUBLIC_KEY="$USER[SSH_PUBLIC_KEY]"]

	CPU="2"

	DISK=[DRIVER="qcow2",IMAGE="Image Name",IMAGE_UNAME="Your user"]

	GRAPHICS=[LISTEN="0.0.0.0",TYPE="VNC"]

	HYPERVISOR="kvm"

	MEMORY="512"

	NIC=[MODEL="pcnet",NETWORK="Your Virtual Network Name",NETWORK_UNAME="Your user"]

	SUNSTONE_CAPACITY_SELECT="YES"

	SUNSTONE_NETWORK_SELECT="YES"

IMPORTANT: Set QCOW2 as the image mapping driver for snapshot support.

IMPORTANT: When creating a ICS Android device, set the network interface driver to pcnet.

Create a VM using the previous template and boot the device.

IMPORTANT: Start the kernel in debug mode the first time and edit the file /mnt/grub/menu.lst. Add "quiet nomodeset vga=788" before the option video=-16 to kernel arguments.

So far there is no contextualization support for Android VMs running in OpenNebula so the network interfaces have to be configured manually. First to run commands as root run in Terminal application the following commands:

	adb root

	adb kill-server

	adb start-server

	adb shell

The following commands should work to set the network if run using the Terminal application as root.

	ifconfig eth0 [IP] netmask [NETMASK]

	busybox route add default gw [GATEWAY] dev eth0

Once the network configuration is set,exit the Terminal in root mode and use adb to allow remote debugging with:

	adb tcpip 5556

Manually configure:

• Disable all sound in emulator (Settings->Sound)
• Unverify appplications with Settings->Security->Uncheck Verify Apps

Then run android_setup_client.sh in a host with the following parameters:

	emulator_setup.sh {SSL/NOSSL} {EMULATOR-IP} {GATEWAY-IP-FOR-EMULATOR}

Choose {SSL/NOSSL} to emulator deploy type 1 or 2.

This script:

• Roots the emulator
• Adds network static configuration
• Installs SuperUser and CydiaSubstrate, links Substrate and allows it to run as root.
• If it's NOSSL type, install Android-SSL-TrustKiller to skip SSL verification
• Install the Marvin-toqueton fuzzer.
• Disables lockscreen and suspension

Lastly, create a snapshot of the VM running with any name you refer.

• Deployed Marvin-frontend
• Python 2.7.x (DO NOT USE Python 3.X)

• Joaquín Rinaudo (@xeroxnir)
• Juan Heguiabehere (@jheguia)

• Send an email to stic at fundacionsadosky.org.ar