Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/bytedance/appshark

Appshark is a static taint analysis platform to scan vulnerabilities in an Android app.
https://github.com/bytedance/appshark

android compliance static-analysis vulnerability

Last synced: about 1 month ago
JSON representation

Appshark is a static taint analysis platform to scan vulnerabilities in an Android app.

Lists

README

        

## Document Index
- [1.overview](doc/zh/overview.md)
- [2.startup](doc/zh/startup.md)
- [3.how to write rules](doc/zh/how_to_write_rules.md)
- [4.how to find compliance problems use appshark](doc/zh/how_to_find_compliance_problem_use_appshark.md)
- [5.a path traversal game](doc/zh/path_traversal_game.md)
- [6.argument](doc/zh/argument.md)
- [7.engine config](doc/zh/EngineConfig.md)
- [8.result](doc/zh/result.md)
- [9.faq](doc/zh/faq.md)

# AppShark

Appshark is a static taint analysis platform to scan vulnerabilities in an Android app.

## Prerequisites

Appshark requires a specific version of JDK
-- [JDK 11](https://www.oracle.com/java/technologies/javase/jdk11-archive-downloads.html). After testing, it does not
work on other LTS versions, JDK 8 and JDK 16, due to the dependency compatibility issue.

## Building/Compiling AppShark

We assume that you are working in the root directory of the project repo. You can build the whole project with
the [gradle](https://gradle.org/) tool.

```shell
$ ./gradlew build -x test
```

After executing the above command, you will see an artifact file `AppShark-0.1.2-all.jar` in the directory `build/libs`.

## Running AppShark

Like the previous step, we assume that you are still in the root folder of the project. You can run the tool with

```shell
$ java -jar build/libs/AppShark-0.1.2-all.jar config/config.json5
```

The `config.json5` has the following configuration contents.

```JSON
{
"apkPath": "/Users/apks/app1.apk"
}
```

Each JSON has these basic field.

- apkPath: the path of the apk file to analyze
- out: the path of the output directory
- rules: specifies the rules, split by `,`. Default is all *.json files in the $rulePath directory
- rulePath: specifies the rule's parent directory, default is ./config/rules
- maxPointerAnalyzeTime: the timeout duration in seconds set for the analysis started from an entry point
- debugRule: specify the rule name that enables logging for debugging

For more config field, please visit `net.bytedance.security.app.ArgumentConfig`

If you provide a configuration JSON file which sets the output path as `out` in the project root directory, you will
find the result file `out/results.json` after running the analysis.

## Interpreting the Results

Below is an example of the `results.json`.

```JSON
{
"AppInfo": {
"AppName": "test",
"PackageName": "net.bytedance.security.app",
"min_sdk": 17,
"target_sdk": 28,
"versionCode": 1000,
"versionName": "1.0.0"
},
"SecurityInfo": {
"FileRisk": {
"unZipSlip": {
"category": "FileRisk",
"detail": "",
"model": "2",
"name": "unZipSlip",
"possibility": "4",
"vulners": [
{
"details": {
"position": "",
"Sink": "->$r31",
"entryMethod": "",
"Source": "->$r3",
"url": "/Volumes/dev/zijie/appshark-opensource/out/vuln/1-unZipSlip.html",
"target": [
"->$r3",
"pf{obj{:35=>java.lang.StringBuilder}(unknown)->@data}",
"->$r11",
"->$r31"
]
},
"hash": "ec57a2a3190677ffe78a0c8aaf58ba5aee4d2247",
"possibility": "4"
},
{
"details": {
"position": "",
"Sink": "->$r34",
"entryMethod": "",
"Source": "->$r3",
"url": "/Volumes/dev/zijie/appshark-opensource/out/vuln/2-unZipSlip.html",
"target": [
"->$r3",
"pf{obj{:33=>java.lang.StringBuilder}(unknown)->@data}",
"->$r14",
"->$r34"
]
},
"hash": "26c6d6ee704c59949cfef78350a1d9aef04c29ad",
"possibility": "4"
}
],
"wiki": "",
"deobfApk": "/Volumes/dev/zijie/appshark-opensource/app.apk"
}
}
},
"DeepLinkInfo": {
},
"HTTP_API": [
],
"JsBridgeInfo": [
],
"BasicInfo": {
"ComponentsInfo": {
},
"JSNativeInterface": [
]
},
"UsePermissions": [
],
"DefinePermissions": {
},
"Profile": "/Volumes/dev/zijie/appshark-opensource/out/vuln/3-profiler.json"
}

```

# License

AppShark is licensed under the [APACHE LICENSE, VERSION 2.0](http://www.apache.org/licenses/LICENSE-2.0)

# Contact Us

Lark ![](appshark-lark.png)