Skip to main content

Static analysis tool for Android/iOS apps focusing on security issues outside the source code.

Project description

truegaze

Build Status codecov GitHub

A static analysis tool for Android and iOS applications focusing on security issues outside the source code such as resource strings, third party libraries and configuration files.

Requirements

Python 3 is required and you can find all required modules in the requirements.txt file. Only tested on Python 3.7 but should work on other 3.x releases. No plans to 2.x support at this time.

Installation

You can install this via PIP as follows:

pip install truegaze
truegaze

To download and run manually, do the following:

git clone https://github.com/nightwatchcybersecurity/truegaze.git
cd truegaze
pip -r requirements.txt
python -m truegaze.cli

How to use

To list modules:

truegaze list

To scan an application:

truegaze scan test.apk
truegaze scan test.ipa

To view the installed version:

truegaze version

Sample output

Listing modules:

user@localhost:~/$ truegaze list
Total active plugins: 1
+----------------+------------------------------------------+---------+------+
|      Name      |               Description                | Android | iOS  |
+----------------+------------------------------------------+---------+------+
| AdobeMobileSdk | Detection of incorrect SSL configuration |  True   | True |
|                |         in the Adobe Mobile SDK          |         |      |
+----------------+------------------------------------------+---------+------+

Scanning an application:

user@localhost:~/$ truegaze scan ~/test.ipa
Identified as an iOS application via a manifest located at: Payload/IPAPatch-DummyApp.app/Info.plist
Scanning using the "AdobeMobileSdk" plugin
-- Found 1 configuration file(s)
-- Scanning "Payload/IPAPatch-DummyApp.app/Base.lproj/ADBMobileConfig.json'
---- FOUND: The ["analytics"]["ssl"] setting is missing or false - SSL is not being used
---- FOUND: The ["remotes"]["analytics.poi"] URL doesn't use SSL: http://assets.example.com/c234243g4g4rg.json
---- FOUND: The ["remotes"]["messages"] URL doesn't use SSL: http://assets.example.com/b34343443egerg.json
---- FOUND: A "templateurl" in ["messages"]["payload"] doesn't use SSL: http://my.server.com/?user={user.name}&zip={user.zip}&c16={%sdkver%}&c27=cln,{a.PrevSessionLength}
---- FOUND: A "templateurl" in ["messages"]["payload"] doesn't use SSL: http://my.43434server.com/?user={user.name}&zip={user.zip}&c16={%sdkver%}&c27=cln,{a.PrevSessionLength}
Done!

Display installed version:

user@localhost:~/$ truegaze version
Current version: v0.2

Structure

The application is command line and will consist of several modules that check for various vulnerabilities. Each module does its own scanning, and all results get printed to command line.

Reporting bugs and feature requests

Please use the GitHub issue tracker to report issues or suggest features: https://github.com/nightwatchcybersecurity/truegaze

You can also send emai to research /at/ nightwatchcybersecurity [dot] com

Wishlist

  • More unit test coverage for code that interacts with Click
  • Ability to extract additional files from online source
  • Ability to check if a particular vulnerability is exploitable
  • Ability to produce JSON or XML output that can feed into other tools
  • More modules!

About the name

"True Gaze" or "Истинное Зрение" is a magical spell that reveals the invisible (from the book "Last Watch" by Sergei Lukyanenko)

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

truegaze-0.1.1.tar.gz (7.7 kB view details)

Uploaded Source

Built Distribution

truegaze-0.1.1-py3-none-any.whl (14.3 kB view details)

Uploaded Python 3

File details

Details for the file truegaze-0.1.1.tar.gz.

File metadata

  • Download URL: truegaze-0.1.1.tar.gz
  • Upload date:
  • Size: 7.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/1.13.0 pkginfo/1.5.0.1 requests/2.22.0 setuptools/40.8.0 requests-toolbelt/0.9.1 tqdm/4.32.2 CPython/3.7.3

File hashes

Hashes for truegaze-0.1.1.tar.gz
Algorithm Hash digest
SHA256 d092b3e116d5adf6442644b74f1a921481cce48f7be98529c1dbee9cda6355e7
MD5 66ea38567e28f08ff577e79ad2a4fab0
BLAKE2b-256 34aa27d5821d1946b48ba13d6cb59da06ea610c90bb621aeccf59210625e2a9d

See more details on using hashes here.

File details

Details for the file truegaze-0.1.1-py3-none-any.whl.

File metadata

  • Download URL: truegaze-0.1.1-py3-none-any.whl
  • Upload date:
  • Size: 14.3 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/1.13.0 pkginfo/1.5.0.1 requests/2.22.0 setuptools/40.8.0 requests-toolbelt/0.9.1 tqdm/4.32.2 CPython/3.7.3

File hashes

Hashes for truegaze-0.1.1-py3-none-any.whl
Algorithm Hash digest
SHA256 cab193c896b918f505c8d453dd562e4785fe09c046e9a8857e28ab3412984883
MD5 d046d4a9175c72801852c9ff8148c584
BLAKE2b-256 c01bf29c7f91cfd5a5c057e0bd24b9920f3e886bef88750de773563414d43d7a

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page