https://github.com/sho-luv/mavs

Mobile Application Vulnerability Scanner
https://github.com/sho-luv/mavs

Last synced: about 1 month ago
JSON representation

Mobile Application Vulnerability Scanner

• Host: GitHub
• URL: https://github.com/sho-luv/mavs
• Owner: sho-luv
• Created: 2020-05-28T01:38:59.000Z (over 4 years ago)
• Default Branch: master
• Last Pushed: 2023-03-31T21:34:19.000Z (over 1 year ago)
• Last Synced: 2024-08-02T01:17:41.162Z (4 months ago)
• Language: Shell
• Size: 53.7 KB
• Stars: 20
• Watchers: 4
• Forks: 7
• Open Issues: 0
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

• awesome-rainmana - sho-luv/mavs - Mobile Application Vulnerability Scanner (Shell)

README

        




Mobile Application Vulnerability Scanner



  

  

  



# mavs.sh

This is a shell script to perform static analysis on mobile applications. Currently it only works for android apk files.

What makes this tool different from all the other tools that do this? My goal with this project is to actually exploit things.

Often you find static analysis tools point to things and say **VULNERABLE!** and the user is left to figure out why. Or worst its a 

false positive. 

This tool has two options currently:

  - -v verbose = Show me why you think its broken (useful for fixing and reporting)

  - -e exploit = Show me how to exploit this so called broken thing. Or show me how to manually check if it is indeed broken. I try

  provide actual commands that can be cut and pasted into the terminal verbatim to demonstrate risk.

## Required Dependencies

```

apkinfo       # sudo apt-get install apkinfo

d2j-dex2jar   # sudo apt-get install openjdk-7-jre

apktool       # https://ibotpeaches.github.io/Apktool/install/

```

## Usage mavs.sh

```

./mavs.sh 

                                   ╓

                        ╕         ╒╣╕                     ╣╣╣─    ╦╣╣

                ╓      ║╬         ╣╣╣      ╒             ╣╣╣─  ╒╣╣╩╙╣╬║╣

                ╣╕     ╣╣        ╫╣ ╫╣     ╡  ╔         ╣╣╣   ╦╣╩   ║╣╬

               ╣╣╣    ║╣╣╬      ╔╣╩  ╫╣╖  ╞╬  ╣╣       ╣╣╣   ╣╣╬    ╞╩

             ╒╣╣╩╣╣╖ ╔╣╬╣╣╕    ╔╣╣╗╗╦╦╣╣╦╦╣╣  ╣╣╣     ╣╣╣     ╙╣╣╣╦╗╖

            ╔╣╣╜  ╝╣╣╣╜ ╙╣╣═╩╜║╣╣╜     ╫╣╖     ╣╣╣  ╒╣╣╣          ╠╜╝╣╣╣╣╗╖

          ╓╣╣╩           ╚╣╣ ╦╣╬        ╚╣╗     ╣╣╬╓╣╣╬      ╓╦╣╣╣╩      ╙╙╝╣╣╣╗╖

        ╒╣╣╬╗╗╗           ╚╣╣╖           ╙╣╣╗   ╙╣╣╣╣╩    ╓╣╣╩╙ ║╣             ╙╣╣╣╖

      ╓╣╣╝╜╙╙╙╙            ╚╣╣╖╦           ╙╝╣╗╖ ╫╣╣╬    ├╣╣╖    ╬           ╓╓╗╣╣╣╩

                       ║╣╣╣╣╣╣╣╣╣╖           ╓╣╣╣ ╣╬      ╙╙╝╣╣╣╣╣╣╣╣╣╣╣╣╣╣╣╝╝╜╙╙

                             └╙╙╨╝╝╝╝╝╝╝╝╝╨╜╜╙╙╙   ╣

		            Mobile Application Vulnerability Scanner | @sho_luv

 

Usage: mavs.sh [OPTIONS]

 Required:

  -f 	Andorid APK file to decompile and run static analysis

 

 Options:

  -v 		Verbose, show affected files

  -e 		Show how to exploit finding

  -h 		Show this help

```

## Example Output



## Current Security Checks

1. Insufficient Certificate Validation -- partial check

2. Application Logging

3. Backups Allowed

4. Debugging Enabled

5. Snapshot Allowed

6. Cleartext Allowed

7. Debugging Enabled

8. Hard codded *.pem files

9. App built with flutter

10. Provides examples on how to check app, device storage issues