Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/devkekops/checkkarlmarx

Careful tool for security checking release apk/ipa files
https://github.com/devkekops/checkkarlmarx

Last synced: 3 months ago
JSON representation

Careful tool for security checking release apk/ipa files

Host: GitHub
URL: https://github.com/devkekops/checkkarlmarx
Owner: devkekops
Created: 2021-04-22T00:07:25.000Z (over 3 years ago)
Default Branch: main
Last Pushed: 2021-12-16T13:23:33.000Z (almost 3 years ago)
Last Synced: 2024-04-30T13:35:06.279Z (7 months ago)
Language: Python
Homepage: https://hub.docker.com/r/devkekops/checkkarlmarx
Size: 46.9 KB
Stars: 34
Watchers: 1
Forks: 4
Open Issues: 1
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

README

        CheckKarlMarx

=========================================



Automated tool for security checking mobile app release binaries (apk, ipa). 

CheckKarlMarx good at finding several things:

* network misconfigurations

* insecure, test and basic auth URLs

* various keys, tokens, credentials

* exported components (android)

* insecure webview settings (android)

Usage

-------------

Pull from docker hub and run:

```sh

$ docker pull devkekops/checkkarlmarx

$ docker run -v :/mount devkekops/checkkarlmarx /mount

```

It will generate ```report.html``` in `````` folder.

Run with options:

```sh

usage: checkkarlmarx.py [-h] [--html | --sarif] [--file | --stdout] [-o [OUTPUT]] [-d [DOMAINS [DOMAINS ...]]] [-q [QATAGS [QATAGS ...]]] [-p [PACKAGES [PACKAGES ...]]] path

positional arguments:

  path                  path to apk/ipa

optional arguments:

  -h, --help            show this help message and exit

  --html                set report format as html

  --sarif               set report format as sarif

  --file                print report to file

  --stdout              print report to stdout

  -o [OUTPUT], --output [OUTPUT]

                        report filename

  -d [DOMAINS [DOMAINS ...]], --domains [DOMAINS [DOMAINS ...]]

                        domain list (e.g. example.com)

  -q [QATAGS [QATAGS ...]], --qatags [QATAGS [QATAGS ...]]

                        test domain tags list

  -p [PACKAGES [PACKAGES ...]], --packages [PACKAGES [PACKAGES ...]]

                        package names (android only, e.g. com.example)

```

* report format html or sarif (html by default): --html or --sarif

* print report to file or stdout (file by default): --file or --stdout

* report filename (report.html or report.sarif by default): -o --output

* filter found URLs by domain list: -d --domains

* filter test domain URLs by tag list: -q --qatags

* filter found webview settings by package list (android only): -p --packages

Example:

```sh

$ docker run -v $(pwd):/mount devkekops/checkkarlmarx /mount --sarif --stdout -d mycompany.com -q qa test dev stage -p com.mycompany com.example

```

Exit codes:

* 0 - binary have no vulnerabilities

* 1 - binary have some vulnerabilities

* 2 - something went wrong

For build from sources:

```sh

$ docker build -t my_app .

```