Trueseeing is a non-decompiling Android application vulnerability scanner.
trueseeing is a fast, accurate and resilient vulnerability scanner for Android apps. It operates on Android Package (APK) files and outputs a comprehensive report in HTML, JSON or a CI-friendly format. It doesn't matter whether the APK is obfuscated or not.
Capability
Currently trueseeing can detect the following classes of vulnerabilities:
- Improper Platform Usage (M1)
  - Debuggable
  - Inadvertent publishing of Activities, Services, ContentProviders, BroadcastReceivers
- Insecure Data (M2)
  - Backupable (i.e. susceptible to the backup attack)
  - Insecure file permissions
  - Logging
- Insecure Communications (M3)
  - Lack of pinning (i.e. susceptible to the TLS interception attack)
  - Use of cleartext HTTP
  - Tamperable WebViews
- Insufficient Cryptography (M5)
  - Hardcoded passphrases/secret keys
  - Vernam ciphers with static keys
  - Use of the ECB mode
- Client Code Quality Issues (M7)
  - Reflectable WebViews (i.e. an XSS in such a view can be escalated to remote code execution via JS reflection)
  - Usage of an insecure policy on mixed content
- Code Tampering (M8)
  - Hardcoded certificates
- Reverse Engineering (M9)
  - Lack of obfuscation
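As an added illustration of the manifest-level checks behind the M1, M2 and M3 items above (example code, not trueseeing's own implementation), the script below flags a debuggable application, a backupable application, cleartext traffic and unprotected exported components. It assumes a decoded, text-form AndroidManifest.xml as input, whereas trueseeing itself works directly on the APK; the sample manifest is constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENTS = ("activity", "service", "receiver", "provider")

def attr(el, name):
    """Read an android:-namespaced attribute (None if absent)."""
    return el.get("{%s}%s" % (ANDROID_NS, name))

def check_manifest(xml_text):
    """Return a list of (check_id, detail) findings for a decoded manifest."""
    findings = []
    app = ET.fromstring(xml_text).find("application")
    if app is None:
        return findings
    if attr(app, "debuggable") == "true":
        findings.append(("M1-debuggable", 'android:debuggable="true"'))
    # allowBackup defaults to true, so only an explicit "false" is safe
    if attr(app, "allowBackup") != "false":
        findings.append(("M2-backupable", 'android:allowBackup not set to "false"'))
    if attr(app, "usesCleartextTraffic") == "true":
        findings.append(("M3-cleartext", 'android:usesCleartextTraffic="true"'))
    for comp in app:
        if comp.tag not in COMPONENTS:
            continue
        exported = attr(comp, "exported")
        # Implicitly exported: has an intent-filter but no explicit android:exported
        implicit = exported is None and comp.find("intent-filter") is not None
        if (exported == "true" or implicit) and attr(comp, "permission") is None:
            findings.append(("M1-exported", "%s %s" % (comp.tag, attr(comp, "name"))))
    return findings

# Constructed sample manifest (hypothetical app, not taken from a real package)
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <application android:debuggable="true" android:usesCleartextTraffic="true">
    <activity android:name=".DebugActivity" android:exported="true"/>
    <service android:name=".SyncService">
      <intent-filter><action android:name="com.example.SYNC"/></intent-filter>
    </service>
    <receiver android:name=".BootReceiver" android:exported="false"/>
    <provider android:name=".DataProvider" android:exported="true"
              android:permission="com.example.READ_DATA"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for check, detail in check_manifest(SAMPLE_MANIFEST):
        print(check, detail)
```

The provider is exported but guarded by a permission, so it is not reported; the service is reported because an intent-filter without an explicit android:exported makes it implicitly exported.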
Installation
$ pip3 install trueseeing
$ trueseeing --bootstrap
Usage
The following command line is sufficient to scan an APK (target.apk); the findings are listed on stderr:
$ trueseeing /path/to/target.apk
To generate a report in HTML format:
$ trueseeing -o report.html /path/to/target.apk
$ trueseeing --format=html -o report.html /path/to/target.apk
To generate a report in JSON format:
$ trueseeing --format=json -o report.json /path/to/target.apk
To have the report written to stdout, specify '-' as the filename:
$ trueseeing -o - /path/to/target.apk > report.html
$ trueseeing --format=html -o - /path/to/target.apk > report.html
$ trueseeing --format=json -o - /path/to/target.apk > report.json
To automatically fix some (not all) of the problems it catches:
$ trueseeing --patch-all /path/to/target.apk
Hashes for trueseeing-2.1.6-py3-none-any.whl
Algorithm | Hash digest
---|---
SHA256 | 2fc2c3433ee87adbd1f1cc81c9debe1ee1189e30b75c7223ed41b2916beea0de
MD5 | be79434412579f955382621eb7ce666f
BLAKE2b-256 | 50a0081afb841e25cfa5fa38b4511d3e254cd0c451c1900bcb21ab05025690c2