Project is hosted on github: https://github.com/wuntee/androidAuditTools
When taking the SANS reverse engineering malware class, the two analysis techniques taught are dynamic and static. These concepts/techniques are directly applicable to any sort of reverse engineering. When I am assessing, or pen-testing an application I usually separate my thought process into one of those two buckets. During dynamic analysis of a mobile device it becomes very difficult to understand whats going on in the operating system due to the lack of automated tools; there are no tools that can easily hook into the kernel processes that tell you key information like network connections, file writes, etc. I also typically don’t enjoy doing work on a physical device – I prefer doing as much analysis on my computer as possible.
One function I find very beneficial in dynamic malware analysis, but is lacking from anything I have seen in the mobile space, is a tool that has the ability to automate and visualize filesystem differences when performing actions like installing or running applications.
This set of points led me to writing a toolset for the Android platform. First, I wrote a tool that recursively lists the directories in an Android filesystem via adb and has the ability to show the differences between two points in time. It can automatically install APK, and pause for you to run them, interact, and then re-scan. A simple example would be to run google maps, do a search, and close the application.
As you can see, there are many files added ([+]), deleted ([-]) and modified ([c]); that would be almost impossible to determine that from any command line interactions. In fact, I am surprised as to how many files are actually mucked with.
This tool will easily help detect two of the OWASP Top 10 Mobile Security Risks; specifically:
- 1. Insecure or unnecessary client-side data storage
- 5. Failure to implement least privilege authorization policy
This tool can also be helpful during mobile malware analysis. For example, when malware starts targeting specific applications (like the Skype issue presented in a previous post), or malware attempts to root a device through an exploit, it will be easy to see if an application creates or modifies files it shouldn’t.
There are two other tools in the androidTools project:
- findfileswithperms.rb – Find files given a regular expression of the permissions string (ex: find directories – ruby findfileswithperms.rb –perm ‘^d.*’)
- listallfiles.rb – Lists all files on the device given a base directory
Note1: The fsdiff.rb is best used with an emulator because the emulator will automatically drop to a root shell. A (non-rooted) physical devices drops to a a user shell, and does not have access to the entire filesystem; in turn, many changes may be lost.
Note2: This was written in a few hours, there is a lot of functionality that can be added, minimal comments, and potentially many bugs. Please use the github repo for any problems/requests/etc.
Note3: You must run the applications from the bin directory, as it includes the lib directory relative to bin.
Published date:  18 May 2011
Written by:  wuntee