Analyzing AndroidManifest.xml File with Yara and Python

August 2, 2017


Important note: Before you try this tutorial, please make sure that Python version 3 and the Yara library are installed on your operating system.

Yara is a multi-platform tool used for pattern matching in malware analysis to identify and classify malware samples. With Yara you write descriptions and rules that are then applied to the data you want to scan. From this point of view, Yara can be used not just for malware analysis but also for vulnerability analysis of a mobile Android application (APK file). In this post, I’m going to focus on finding vulnerabilities inside one of the components declared in the AndroidManifest.xml file.

What is AndroidManifest.xml:

According to developer.android.com, “Every application must have an AndroidManifest.xml file (with precisely that name) in its root directory. The manifest file provides essential information about your app to the Android system, which the system must have before it can run any of the app’s code.” From this explanation we can see that this XML file contains information that is vital for running the APK, and because it declares that essential information, an attacker can abuse over-permissive settings in the XML file to reach sensitive information inside the application.

Standard security in AndroidManifest.xml:

Here is the list of components and security guidelines for an Android manifest file (source: https://pentestlab.blog/category/mobile-pentesting/page/6/):

  • Debug Mode
  • Backup Flag
  • External Storage
  • Permissions
  • Application Components
  • Intents
  • Summary

Depending on the functionality an application can launch a service, perform an activity, receive content from another source or receive intents by phone or by other applications. There are four application components:

  • Activities
  • Services
  • Content Providers
  • Broadcast Receivers

Activities, Services, Content Providers and Broadcast Receivers can all be exported. Therefore all of them should be reviewed to confirm that they don’t perform any sensitive action and that they are protected by appropriate permissions, as otherwise information could be exposed to malicious third parties. So our objective now is to find the components that could be exported.

Example:

    <receiver
        android:exported="true"
        android:name="string"
        android:permission="string">
    </receiver>

Let’s try to find such application components using Yara and Python:

How to write a rule in Yara:

First, we need to create a rule in Yara so that the Python program can analyze the XML file with a predefined rule:

    rule [name of the rule]
    {
        meta:            [the meta description of the rule; I like to use this so it will not get confused with other rules]
            description = "[fill in the description]"
        strings:         [the strings that will be checked]
            $variable = "[fill in the string that you want to match]"
        condition:       [the condition that has to be fulfilled so the rule produces a true or false value]
            $variable    [you can add boolean operators to be more specific]
    }

Example (note that the inner double quotes must be escaped with a backslash, otherwise Yara will fail to compile the rule):

    rule android_export
    {
        meta:
            description = "android activity can be exported by other applications"
        strings:
            $check = "android:exported=\"true\""
        condition:
            $check
    }

With that we can move on to creating our Python code. Here I paste the code that I wrote for analyzing the AndroidManifest.xml file:

    import yara

    rules = yara.compile(filepath="manifest_rule.yara")  # the yara file that holds the rule(s)

    with open("sieve/AndroidManifest.xml") as file:
        matches = rules.match(data=file.read())  # this line must be indented under the with block

    for match in matches:
        print(match.rule, match.strings)  # rule name and the matched strings with their offsets

Note: the value assigned to matches is not a plain string but a structured result: a list with one match object per rule that fired, each carrying the rule name and the matched strings.

That’s pretty easy. What I just showed is only a simple implementation of using Yara from Python; you can develop it further and add more rules to the Yara file.
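As an added example that is not part of the original post, here is the same review done with Python’s own XML parser instead of an exact string match: it lists every component reachable by other apps (exported="true", or an intent-filter with no explicit android:exported, which older target SDKs treat as exported) and separates out those with no android:permission guard. The manifest is constructed for the demo and its package and class names are placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest; names are placeholders, not from any real app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.demo.permission.SYNC"/>
    <receiver android:name=".CommandReceiver" android:exported='true'/>
    <provider android:name=".DataProvider"
              android:authorities="com.example.demo.data" android:exported="false"/>
    <receiver android:name=".LegacyReceiver">
      <intent-filter><action android:name="com.example.demo.PING"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

def attr(elem, name):
    """Read a namespaced android:* attribute from a manifest element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def find_exported_components(manifest_xml):
    """Return (tag, name, how_exported, permission) for each reachable component."""
    root = ET.fromstring(manifest_xml)
    results = []
    for tag in COMPONENT_TAGS:
        for comp in root.iter(tag):
            exported = attr(comp, "exported")
            has_filter = comp.find("intent-filter") is not None
            if exported == "true":
                how = "explicit"
            elif exported is None and has_filter:
                how = "implicit"  # default for intent-filter components before Android 12
            else:
                continue
            results.append((tag, attr(comp, "name"), how, attr(comp, "permission")))
    return results

def unprotected(manifest_xml):
    """Exported components with no android:permission guard: the ones to review first."""
    return [r for r in find_exported_components(manifest_xml) if r[3] is None]

if __name__ == "__main__":
    for tag, name, how, perm in find_exported_components(SAMPLE_MANIFEST):
        print(f"{tag:<9} {name:<18} exported={how:<8} permission={perm}")
```

The single-quoted android:exported='true' on CommandReceiver is picked up here but would be missed by the exact-string Yara rule above, which is worth remembering when choosing the matching approach.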

Thank you.

1 Comment
  1. its can be support any bank program
