MobileAudit - SAST and Malware Analysis for Android Mobile APKs
Django Web application for performing Static Analysis and detecting malware in Android APKs
In each of the scans, it would have the following information:
For easy access there is a sidebar on the left page of the scan:
Image is based on python buster. Link to Docker Hub image
The application has an engine with different rules and patterns that are used though the findings scanning phase to detect vulnerabilities and/or malicious code into the apk.
These can be activated and deactivated in
Note: some of the hardcoded patterns are from apkleaks
The application has an created models for each of the entities of the scans' information to be able to create relations an abtain the best conclusions for each of the apks.
To see the whole model schema, go to models
It checks if there has been an scan of the APK and extract all its information. Also, there is the possibility of uploading the APK is selected a property in the environment (Disabled by default).
It is possible to upload the findings to the defect manager.
It checks in the database if there are URLs in the APK that are related with Malware.
docker-compose.yml file allows you to run the app locally in development.
To build the local image and if there are changes to the local Application Dockerfile, you can build the image with:
Then, to start the container, run:
Optional: run in detached mode (not see the logs)
docker-compose up -d
Once the application has launched, you can test the application by navigating to: http://localhost:8888/ to access the dashboard.
Also, there is a TLS version using
docker-compose.prod.yaml running in port 443
To use it, execute
docker-compose -f docker-compose.prod.yaml up
Then, you can test the application by navigating to: https://localhost/ to access the dashboard.
For more information, see TLS
To stop and remove the containers, run
REST API integration with Swagger and ReDoc.
Authorization: Token <ApiKey>
openssl req -x509 -nodes -days 1 -newkey rsa:4096 -subj "/C=ES/ST=Madrid/L=Madrid/O=Example/OU=IT/CN=localhost" -keyout nginx/ssl/nginx.key -out nginx/ssl/nginx.crt
By default, there is a volume in
docker-compose.yml with the configuration with 8888 available
** In production environment** use
docker-compose.prod.yaml with port 443
All the environment variables are in a
.env file, there is an
.env.example with all the variables needed. Also there are collected in
CWE_URL = env('CWE_URL', 'https://cwe.mitre.org/data/definitions/') MALWARE_ENABLED = env('MALWARE_ENABLED', True) MALWAREDB_URL = env('MALWAREDB_URL', 'https://www.malwaredomainlist.com/mdlcsv.php') MALTRAILDB_URL = env('MALTRAILDB_URL', 'https://raw.githubusercontent.com/stamparm/aux/master/maltrail-malware-domains.txt') VIRUSTOTAL_ENABLED = env('VIRUSTOTAL_ENABLED', False) VIRUSTOTAL_URL = env('VIRUSTOTAL_URL', 'https://www.virustotal.com/') VIRUSTOTAL_FILE_URL = env('VIRUSTOTAL_FILE_URL', 'https://www.virustotal.com/gui/file/') VIRUSTOTAL_API_URL_V3 = env('VIRUSTOTAL_API_URL_V3', 'https://www.virustotal.com/api/v3/') VIRUSTOTAL_URL_V2 = env('VIRUSTOTAL_API_URL_V2', 'https://www.virustotal.com/vtapi/v2/file/') VIRUSTOTAL_API_KEY = env('VIRUSTOTAL_API_KEY', '') VIRUSTOTAL_UPLOAD = env('VIRUSTOTAL_UPLOAD', False) DEFECTDOJO_ENABLED = env('DEFECTDOJO_ENABLED', False) DEFECTDOJO_URL = env('DEFECTDOJO_URL', 'http://defectdojo:8080/finding/') DEFECTDOJO_API_URL = env('DEFECTDOJO_API_URL', 'http://defectdojo:8080/api/v2/') DEFECTDOJO_API_KEY = env('DEFECTDOJO_API_KEY', '')
If you like to contribute, see Contributing