{"id":424,"date":"2018-12-12T01:46:05","date_gmt":"2018-12-12T01:46:05","guid":{"rendered":"http:\/\/blog.um-palembang.ac.id\/sayfudin\/?p=424"},"modified":"2018-12-12T01:46:06","modified_gmt":"2018-12-12T01:46:06","slug":"mobile-application-testing-toolkit","status":"publish","type":"post","link":"http:\/\/blog.um-palembang.ac.id\/sayfudin\/mobile-application-testing-toolkit\/","title":{"rendered":"Mobile Application Testing Toolkit"},"content":{"rendered":"\n<figure class=\"wp-block-image\"><a href=\"https:\/\/asciinema.org\/a\/hC7sfGHVc5x7CWa57IXcGb3Um\" target=\"_blank\" rel=\"noreferrer noopener\"><img decoding=\"async\" src=\"https:\/\/1.bp.blogspot.com\/-xNyuaOMLPao\/W5H2ChguZ_I\/AAAAAAAAMZ0\/Rt6GQxQ79iYAkXybzDGuy5tXZpPMu8RaQCLcBGAs\/s640\/scrounger.png\" alt=\"\" \/><\/a><\/figure>\n\n\n\n<p><strong>Scrounger<\/strong> &#8211; a person who borrows from or lives off others.\n\nThere is no better description for this tool, for two main reasons: first, it takes inspiration from many other tools that have already been published; second, it lives off mobile applications&#8217; vulnerabilities.\n\n<\/p>\n\n\n\n<p><strong>Why<\/strong>\n\nEven though several other mobile application analysis tools have been developed, there is no single tool that can be used for both Android and iOS and can be called a &#8220;standard&#8221; must-use on every mobile application assessment.\n\nThe idea behind <strong>Scrounger<\/strong> is to make a Metasploit-like tool that will not do a <a href=\"https:\/\/www.kitploit.com\/search\/label\/Pentesters\">pentester&#8217;s<\/a> work but will help the pentester with the assessment by executing the mundane tasks that need to be performed on all assessments.\n\n<br><strong>The Difference<\/strong>\n\nThe main features <strong>Scrounger<\/strong> offers that others don&#8217;t:\n<\/p>\n\n\n\n<ul><li>Works with Android and iOS<\/li><li>Metasploit-like console and modules<\/li><li>Offers a variety of modules 
that can be run to give the pentester a starting point<\/li><li>Easily extendable<\/li><\/ul>\n\n\n\n<p><strong>Inspiration \/ Thanks<\/strong><br><strong>Scrounger<\/strong> was inspired by other tools. A huge thanks to the developers of:\n<\/p>\n\n\n\n<ul><li>Drozer (<a href=\"https:\/\/github.com\/mwrlabs\/drozer\" rel=\"noreferrer noopener\" target=\"_blank\">https:\/\/github.com\/mwrlabs\/drozer<\/a>);<\/li><li>Needle (<a href=\"https:\/\/github.com\/mwrlabs\/needle\" rel=\"noreferrer noopener\" target=\"_blank\">https:\/\/github.com\/mwrlabs\/needle<\/a>); and<\/li><li>iOS Application Analysis (<a href=\"https:\/\/github.com\/timb-machine\/ios-application-analyser\" rel=\"noreferrer noopener\" target=\"_blank\">https:\/\/github.com\/timb-machine\/ios-application-analyser<\/a>).<\/li><\/ul>\n\n\n\n<p><strong>Technical<\/strong>\n\nAs a disclaimer, all findings identified by <strong>Scrounger<\/strong> should always be double-checked manually.\n\n<strong>When using modules that need an Android or iOS device, Scrounger needs a rooted or jailbroken device, respectively.<\/strong><br><br><strong>Install<\/strong><br><\/p>\n\n\n\n<pre class=\"wp-block-syntaxhighlighter-code brush: plain; notranslate\"># clone the repository (git pull only works inside an existing checkout)\ngit clone https:\/\/github.com\/nettitude\/scrounger.git\ncd scrounger\nbash setup.sh\npip install -r requirements.txt\npython setup.py install<\/pre>\n\n\n\n<p><strong>Development<\/strong><br><\/p>\n\n\n\n<pre class=\"wp-block-syntaxhighlighter-code brush: plain; notranslate\">git clone https:\/\/github.com\/nettitude\/scrounger.git\ncd scrounger\nbash setup.sh\npip install -r requirements.txt\npython setup.py develop<\/pre>\n\n\n\n<p><strong>Update<\/strong><br><\/p>\n\n\n\n<pre class=\"wp-block-syntaxhighlighter-code brush: plain; notranslate\">cd scrounger\ngit pull\npython setup.py install --upgrade<\/pre>\n\n\n\n<p><strong>Required Binaries<\/strong><br><br><strong>For Android Modules<\/strong><br><\/p>\n\n\n\n<ul><li>java (<a 
href=\"http:\/\/www.oracle.com\/technetwork\/java\/javase\/downloads\/index.html\" rel=\"noreferrer noopener\" target=\"_blank\">http:\/\/www.oracle.com\/technetwork\/java\/javase\/downloads\/index.html<\/a>)<\/li><li>jd-cli (<a href=\"https:\/\/github.com\/kwart\/jd-cmd\" rel=\"noreferrer noopener\" target=\"_blank\">https:\/\/github.com\/kwart\/jd-cmd<\/a>)<\/li><li>apktool (<a href=\"https:\/\/ibotpeaches.github.io\/Apktool\/\" rel=\"noreferrer noopener\" target=\"_blank\">https:\/\/ibotpeaches.github.io\/Apktool\/<\/a>)<\/li><li>d2j-dex2jar (<a href=\"https:\/\/github.com\/pxb1988\/dex2jar\" rel=\"noreferrer noopener\" target=\"_blank\">https:\/\/github.com\/pxb1988\/dex2jar<\/a>)<\/li><li>adb (<a href=\"https:\/\/developer.android.com\/studio\/releases\/platform-tools\" rel=\"noreferrer noopener\" target=\"_blank\">https:\/\/developer.android.com\/studio\/releases\/platform-tools<\/a>)<\/li><li>Other (Optional):<ul><li>avdmanager (<a href=\"https:\/\/developer.android.com\/studio\/#downloads\" rel=\"noreferrer noopener\" target=\"_blank\">https:\/\/developer.android.com\/studio\/#downloads<\/a>)<\/li><\/ul>\n<\/li><\/ul>\n\n\n\n<p><strong>For iOS Modules<\/strong><br><\/p>\n\n\n\n<ul><li>jtool (Linux) (<a href=\"http:\/\/www.newosxbook.com\/tools\/jtool.html\" rel=\"noreferrer noopener\" target=\"_blank\">http:\/\/www.newosxbook.com\/tools\/jtool.html<\/a>)<\/li><li>otool (MacOS) (<a href=\"https:\/\/developer.apple.com\/xcode\/\" rel=\"noreferrer noopener\" target=\"_blank\">https:\/\/developer.apple.com\/xcode\/<\/a>)<\/li><li>ldid (<a href=\"https:\/\/github.com\/daeken\/ldid.git\" rel=\"noreferrer noopener\" target=\"_blank\">https:\/\/github.com\/daeken\/ldid.git<\/a>)<\/li><li>iproxy (Package: libimobiledevice)<\/li><li>lsusb (Package: usbutils)<\/li><li>unzip<\/li><\/ul>\n\n\n\n<p><strong>iOS Binaries<\/strong><br><\/p>\n\n\n\n<ul><li>Bundled 
Binaries:<ul><li>clutch<\/li><li>dump_backup_flag<\/li><li>dump_file_protection<\/li><li>dump_keychain<\/li><li>dump_log<\/li><li>listapps<\/li><\/ul>\n<\/li><li>Cydia Karen&#8217;s Repository (<a href=\"https:\/\/cydia.angelxwind.net\/\" rel=\"noreferrer noopener\" target=\"_blank\">https:\/\/cydia.angelxwind.net<\/a>) (Optional):<ul><li>AppSync Unified (Package: net.angelxwind.appsyncunified)<\/li><li>appinst (Package: com.linusyang.appinst)<\/li><\/ul>\n<\/li><li>Other (Optional):<ul><li>ldid<\/li><li>otool<\/li><\/ul>\n<\/li><\/ul>\n\n\n\n<p><strong>Install Scripts<\/strong><br><br><strong>Linux<\/strong><br><\/p>\n\n\n\n<pre class=\"wp-block-syntaxhighlighter-code brush: plain; notranslate\"># install iproxy lsusb\nsudo apt-get install libimobiledevice usbutils\n\n# install jd-cli\nif [ ! -x \"$(which jd-cli)\" ]; then\n    curl -L -o \/tmp\/jdcli.zip https:\/\/github.com\/kwart\/jd-cmd\/releases\/download\/jd-cmd-0.9.2.Final\/jd-cli-0.9.2-dist.zip\n    # -d sets the extraction directory\n    unzip \/tmp\/jdcli.zip -d \/usr\/local\/share\/jd-cli\n    ln -s \/usr\/local\/share\/jd-cli\/jd-cli \/usr\/local\/bin\/jd-cli\n    ln -s \/usr\/local\/share\/jd-cli\/jd-cli.jar \/usr\/local\/bin\/jd-cli.jar\n    rm -rf \/tmp\/jdcli.zip\nfi\n\n# install apktool\nif [ ! -x \"$(which apktool)\" ]; then\n    mkdir -p \/usr\/local\/share\/apktool\n    curl -L -o \/usr\/local\/share\/apktool\/apktool https:\/\/raw.githubusercontent.com\/iBotPeaches\/Apktool\/master\/scripts\/osx\/apktool\n    curl -L -o \/usr\/local\/share\/apktool\/apktool.jar https:\/\/bitbucket.org\/iBotPeaches\/apktool\/downloads\/apktool_2.3.3.jar\n    # make the wrapper script and jar executable, then link both files (not the directory) into the PATH\n    chmod +x \/usr\/local\/share\/apktool\/apktool \/usr\/local\/share\/apktool\/apktool.jar\n    ln -s \/usr\/local\/share\/apktool\/apktool \/usr\/local\/bin\/apktool\n    ln -s \/usr\/local\/share\/apktool\/apktool.jar \/usr\/local\/bin\/apktool.jar\nfi\n\n# install dex2jar\nif [ ! 
-x \"$(which d2j-dex2jar)\" ]; then\n    curl -L -o \/tmp\/d2j.zip https:\/\/github.com\/pxb1988\/dex2jar\/files\/1867564\/dex-tools-2.1-SNAPSHOT.zip\n    unzip \/tmp\/d2j.zip -d \/tmp\/d2j\n    dirname=$(ls --color=none \/tmp\/d2j)\n    mv \/tmp\/d2j\/$dirname \/usr\/local\/share\/d2j-dex2jar\n    ln -s \/usr\/local\/share\/d2j-dex2jar\/d2j-dex2jar.sh \/usr\/local\/bin\/d2j-dex2jar.sh\n    ln -s \/usr\/local\/share\/d2j-dex2jar\/d2j-apk-sign.sh \/usr\/local\/bin\/d2j-apk-sign.sh\n    rm -rf \/tmp\/d2j.zip\nfi\n\nif [ ! -x \"$(which d2j-dex2jar)\" ]; then\n    ln -s \/usr\/local\/bin\/d2j-dex2jar.sh \/usr\/local\/bin\/d2j-dex2jar\nfi\n\n# install adb\nif [ ! -x \"$(which adb)\" ]; then\n    curl -L -o \/tmp\/platform-tools.zip https:\/\/dl.google.com\/android\/repository\/platform-tools-latest-linux.zip\n    unzip \/tmp\/platform-tools.zip -d \/tmp\/pt\n    mv \/tmp\/pt\/platform-tools \/usr\/local\/share\/\n    ln -s \/usr\/local\/share\/platform-tools\/adb \/usr\/local\/bin\/adb\n    ln -s \/usr\/local\/share\/platform-tools\/fastboot \/usr\/local\/bin\/fastboot\nfi\n\n# install ldid\nif [ ! -x \"$(which ldid)\" ]; then\n    git clone https:\/\/github.com\/daeken\/ldid.git \/tmp\/ldid\n    cd \/tmp\/ldid\n    .\/make.sh\n    mv ldid \/usr\/local\/bin\/\n    cd \/tmp\n    rm -rf \/tmp\/ldid\nfi\n\n# install jtool\nif [ ! 
-x \"$(which jtool)\" ]; then\n    # note: this archive is fetched over plain HTTP with no integrity check; verify it before installing\n    curl -L -o \/tmp\/jtool.tar http:\/\/www.newosxbook.com\/tools\/jtool.tar\n    mkdir \/tmp\/jtool\n    tar xvf \/tmp\/jtool.tar -C \/tmp\/jtool\n    mv \/tmp\/jtool\/jtool.ELF64 \/usr\/local\/bin\/jtool\n    rm -rf \/tmp\/jtool.tar \/tmp\/jtool\nfi\n\n# install scrounger\ngit clone git@github.com:nettitude\/scrounger.git\ncd scrounger\npip install -r requirements.txt\npython setup.py install<\/pre>\n\n\n\n<p><strong>MacOS<\/strong><br><\/p>\n\n\n\n<pre class=\"wp-block-syntaxhighlighter-code brush: plain; notranslate\"># install iproxy ldid lsusb\nbrew tap jlhonora\/lsusb &amp;&amp; brew install lsusb libimobiledevice ldid\n\n# install jd-cli\nif [ ! -x \"$(which jd-cli)\" ]; then\n    curl -L -o \/tmp\/jdcli.zip https:\/\/github.com\/kwart\/jd-cmd\/releases\/download\/jd-cmd-0.9.2.Final\/jd-cli-0.9.2-dist.zip\n    # -d sets the extraction directory\n    unzip \/tmp\/jdcli.zip -d \/usr\/local\/share\/jd-cli\n    ln -s \/usr\/local\/share\/jd-cli\/jd-cli \/usr\/local\/bin\/jd-cli\n    ln -s \/usr\/local\/share\/jd-cli\/jd-cli.jar \/usr\/local\/bin\/jd-cli.jar\n    rm -rf \/tmp\/jdcli.zip\nfi\n\n# install apktool\nif [ ! -x \"$(which apktool)\" ]; then\n    mkdir -p \/usr\/local\/share\/apktool\n    curl -L -o \/usr\/local\/share\/apktool\/apktool https:\/\/raw.githubusercontent.com\/iBotPeaches\/Apktool\/master\/scripts\/osx\/apktool\n    curl -L -o \/usr\/local\/share\/apktool\/apktool.jar https:\/\/bitbucket.org\/iBotPeaches\/apktool\/downloads\/apktool_2.3.3.jar\n    # make the wrapper script and jar executable, then link both files (not the directory) into the PATH\n    chmod +x \/usr\/local\/share\/apktool\/apktool \/usr\/local\/share\/apktool\/apktool.jar\n    ln -s \/usr\/local\/share\/apktool\/apktool \/usr\/local\/bin\/apktool\n    ln -s \/usr\/local\/share\/apktool\/apktool.jar \/usr\/local\/bin\/apktool.jar\nfi\n\n# install dex2jar\nif [ ! 
-x \"$(which d2j-dex2jar)\" ]; then\n    curl -L -o \/tmp\/d2j.zip https:\/\/github.com\/pxb1988\/dex2jar\/files\/1867564\/dex-tools-2.1-SNAPSHOT.zip\n    unzip \/tmp\/d2j.zip -d \/tmp\/d2j\n    dirname=$(ls --color=none \/tmp\/d2j)\n    mv \/tmp\/d2j\/$dirname \/usr\/local\/share\/d2j-dex2jar\n    ln -s \/usr\/local\/share\/d2j-dex2jar\/d2j-dex2jar.sh \/usr\/local\/bin\/d2j-dex2jar.sh\n    ln -s \/usr\/local\/share\/d2j-dex2jar\/d2j-apk-sign.sh \/usr\/local\/bin\/d2j-apk-sign.sh\n    rm -rf \/tmp\/d2j.zip\nfi\n\nif [ ! -x \"$(which d2j-dex2jar)\" ]; then\n    ln -s \/usr\/local\/bin\/d2j-dex2jar.sh \/usr\/local\/bin\/d2j-dex2jar\nfi\n\n# install adb\nif [ ! -x \"$(which adb)\" ]; then\n    curl -L -o \/tmp\/platform-tools.zip https:\/\/dl.google.com\/android\/repository\/platform-tools-latest-darwin.zip\n    unzip \/tmp\/platform-tools.zip -d \/tmp\/pt\n    mv \/tmp\/pt\/platform-tools \/usr\/local\/share\/\n    ln -s \/usr\/local\/share\/platform-tools\/adb \/usr\/local\/bin\/adb\n    ln -s \/usr\/local\/share\/platform-tools\/fastboot \/usr\/local\/bin\/fastboot\nfi\n\n# install Xcode \/ command line tools\nxcode-select --install\n\n# install scrounger\ngit clone git@github.com:nettitude\/scrounger.git\ncd scrounger\npip install -r requirements.txt\npython setup.py install<\/pre>\n\n\n\n<p><strong>Adding Custom Modules<\/strong><br>\nWhen installing the application a folder <code>~\/.scrounger<\/code> will be created. 
Inside <code>~\/.scrounger<\/code> will be a folder called <code>modules\/custom<\/code> with the same structure as the default scrounger modules, e.g., <code>analysis\/android\/module_name<\/code>.<br>\nTo create a new custom module just add a new file with the module name \nyou want and it will be included the next time you launch scrounger.<br><br><strong>Example<\/strong><br>\nAdded the following module (<code>~\/.scrounger\/modules\/custom\/misc\/test.py<\/code>):<br><\/p>\n\n\n\n<pre class=\"wp-block-syntaxhighlighter-code brush: plain; notranslate\">from scrounger.core.module import BaseModule\n\nclass Module(BaseModule):\n    meta = {\n        \"author\": \"RDC\",\n        \"description\": \"\"\"Just a Test module\"\"\",\n        \"certainty\": 100\n    }\n\n    options = [\n        {\n            \"name\": \"output\",\n            \"description\": \"local output directory\",\n            \"required\": False,\n            \"default\": None\n        },\n    ]\n\n    def run(self):\n\n        print(\"This is a print from the custom module\")\n\n        return {\n            \"print\": \"This will be print by scrounger's console.\"\n        }<\/pre>\n\n\n\n<p><strong>Execution<\/strong><br><\/p>\n\n\n\n<pre class=\"wp-block-syntaxhighlighter-code brush: plain; notranslate\">$ scrounger-console\nStarting Scrounger console...\n\nscrounger &gt; list custom\/misc\n\nModule            Certainty  Author  Description\n------            ---------  ------  -----------\ncustom\/misc\/test  100%       RDC     Just a Test module\n\nscrounger &gt; use custom\/misc\/test\n\nscrounger custom\/misc\/test &gt; options\n\nGlobal Options:\n\n    Name    Value\n    ----    -----\n    device\n    output  \/tmp\/scrounger-app\n\nModule Options (custom\/misc\/test):\n\n    Name    Required  Description             Current Setting\n    ----    --------  -----------             ---------------\n    output  False     local output directory  \/tmp\/scrounger-app\n\nscrounger 
custom\/misc\/test &gt; run\nThis is a print from the custom module\n[+] This will be print by scrounger's console.\n\nscrounger custom\/misc\/test &gt;<\/pre>\n\n\n\n<p><strong>Examples<\/strong><br><br><strong>Listing \/ Searching modules<\/strong><br><\/p>\n\n\n\n<pre class=\"wp-block-syntaxhighlighter-code brush: plain; notranslate\">$ scrounger-console\nStarting Scrounger console...\n\n&gt; help\n\nDocumented commands (type help &lt;topic&gt;):\n========================================\nadd_device  devices  list     print  results  set   unset\nback        help     options  quit   run      show  use\n\n\n&gt; help list\nLists all available modules\n\n&gt; list ios\n\nModule                                  Certainty Author Description\n------                                  --------- ------ -----------\nanalysis\/ios\/app_transport_security     90%       RDC    Checks if there are any Application Transport Security misconfigurations\nanalysis\/ios\/arc_support                90%       RDC    Checks if a binary was compiled with ARC support\nanalysis\/ios\/backups                    90%       RDC    Checks the application's files have the backup flag on\nanalysis\/ios\/clipboard_access           75%       RDC    Checks if the application disables clipboard access\nanalysis\/ios\/debugger_detection         75%       RDC    Checks if the application detects debuggers\nanalysis\/ios\/excessive_permissions      90%       RDC    Checks if the application uses excessive permissions\nanalysis\/ios\/file_protection            90%       RDC    Checks the application's files specific protection flags\nanalysis\/ios\/full_analysis              100%      RDC    Runs all modules in analysis and writes a report into the output directory\nanalysis\/ios\/insecure_channels          50%       RDC    Checks if the application uses insecure channels\nanalysis\/ios\/insecure_function_calls    75%       RDC    Checks if the application uses insecure function 
calls\nanalysis\/ios\/jailbreak_detection        60%       RDC    Checks if the application implements jailbreak detection\nanalysis\/ios\/logs                       60%       RDC    Checks if the application logs to syslog\nanalysis\/ios\/passcode_detection         60%       RDC    Checks if the application checks for passcode being set\nanalysis\/ios\/pie_support                100%      RDC    Checks if the application was compiled with PIE support\nanalysis\/ios\/prepared_statements        60%       RDC    Checks if the application uses sqlite calls and if so checks if it also uses prepared statements\nanalysis\/ios\/ssl_pinning                60%       RDC    Checks if the application implements SSL pinning\nanalysis\/ios\/stack_smashing             90%       RDC    Checks if a binary was compiled stack smashing protections\nanalysis\/ios\/third_party_keyboard       65%       RDC    Checks if an application checks of third party keyboards\nanalysis\/ios\/unencrypted_communications 80%       RDC    Checks if the application implements communicates over unencrypted channels\nanalysis\/ios\/unencrypted_keychain_data  70%       RDC    Checks if the application saves unencrypted data in the keychain\nanalysis\/ios\/weak_crypto                60%       RDC    Checks if the application uses weak crypto\nanalysis\/ios\/weak_random                50%       RDC    Checks if a binary uses weak random functions\nanalysis\/ios\/weak_ssl_ciphers           50%       RDC    Checks if a binary uses weak SSL ciphers\nmisc\/ios\/app\/archs                      100%      RDC    Gets the application's available architectures\nmisc\/ios\/app\/data                       100%      RDC    Gets the application's data from the remote device\nmisc\/ios\/app\/entitlements               100%      RDC    Gets the application's entitlements\nmisc\/ios\/app\/flags                      100%      RDC    Gets the application's compilation flags\nmisc\/ios\/app\/info                       100%    
  RDC    Pulls the Info.plist info from the device\nmisc\/ios\/app\/start                      100%      RDC    Launches an application on the remote device\nmisc\/ios\/app\/symbols                    100%      RDC    Gets the application's symbols out of an installed application on the device\nmisc\/ios\/class_dump                     100%      RDC    Dumps the classes out of a decrypted binary\nmisc\/ios\/decrypt_bin                    100%      RDC    Decrypts and pulls a binary application\nmisc\/ios\/install_binaries               100%      RDC    Installs iOS binaries required to run some checks\nmisc\/ios\/keychain_dump                  100%      RDC    Dumps contents from the connected device's keychain\nmisc\/ios\/local\/app\/archs                100%      RDC    Gets the application's available architectures\nmisc\/ios\/local\/app\/entitlements         100%      RDC    Gets the application's entitlements from a local binary and saves them to file\nmisc\/ios\/local\/app\/flags                100%      RDC    Gets the application's compilation flags using local tools. 
Will look for otool and jtool in the PATH.\nmisc\/ios\/local\/app\/info                 100%      RDC    Pulls the Info.plist info from the unzipped IPA file and saves an XML file with it's contents to the output folder\nmisc\/ios\/local\/app\/symbols              100%      RDC    Gets the application's symbols out of an installed application on the device\nmisc\/ios\/local\/class_dump               100%      RDC    Dumps the classes out of a decrypted binary\nmisc\/ios\/pull_ipa                       100%      RDC    Pulls the IPA file from a remote device\nmisc\/ios\/unzip_ipa                      100%      RDC    Unzips the IPA file into the output directory<\/pre>\n\n\n\n<p><strong>Using Misc Module<\/strong><br><\/p>\n\n\n\n<pre class=\"wp-block-syntaxhighlighter-code brush: plain; notranslate\">$ scrounger-console\nStarting Scrounger console...\n\n&gt; use misc\/android\/decompile_apk\n\nmisc\/android\/decompile_apk &gt; options\n\nGlobal Options:\n\n    Name   Value\n    ----   -----\n    device\n    output \/tmp\/scrounger-app\n\nModule Options (misc\/android\/decompile_apk):\n\n    Name   Required Description                Current Setting\n    ----   -------- -----------                ---------------\n    output True     local output directory     \/tmp\/scrounger-app\n    apk    True     local path to the APK file\n\nmisc\/android\/decompile_apk &gt; set output scrounger-demo-output\n\nmisc\/android\/decompile_apk &gt; set apk .\/a.apk\n\nmisc\/android\/decompile_apk &gt; options\n\nGlobal Options:\n\n    Name   Value\n    ----   -----\n    device\n    output \/tmp\/scrounger-app\n\nModule Options (misc\/android\/decompile_apk):\n\n    Name   Required Description                Current Setting\n    ----   -------- -----------                ---------------\n    output True     local output directory     scrounger-demo-output\n    apk    True     local path to the APK file .\/a.apk\n\nmisc\/android\/decompile_apk &gt; run\n2018-05-01 10:29:53 -           
       decompile_apk : Creating decompilation directory\n2018-05-01 10:29:53 -                  decompile_apk : Decompiling application\n2018-05-01 10:29:59 -                       manifest : Checking for AndroidManifest.xml file\n2018-05-01 10:29:59 -                       manifest : Creating manifest object\n[+] Application decompiled to scrounger-demo-output\/com.eg.challengeapp.decompiled<\/pre>\n\n\n\n<p><strong>Using results from other modules<\/strong><br><\/p>\n\n\n\n<pre class=\"wp-block-syntaxhighlighter-code brush: plain; notranslate\">misc\/android\/decompile_apk &gt; show results\n\nResults:\n\n    Name                             Value\n    ----                             -----\n    com.eg.challengeapp_decompiled scrounger-demo-output\/com.eg.challengeapp.decompiled\n\nmisc\/android\/decompile_apk &gt; use analysis\/android\/permissions\n\nanalysis\/android\/permissions &gt; options\n\nGlobal Options:\n\n    Name   Value\n    ----   -----\n    device\n    output \/tmp\/scrounger-app\n\nModule Options (analysis\/android\/permissions):\n\n    Name           Required Description                                        Current Setting\n    ----           -------- -----------                                        ---------------\n    decompiled_apk True     local folder containing the decompiled apk file\n    permissions    True     dangerous permissions to check for, seperated by ; android.permission.GET_TASKS;android.permission.BIND_DEVICE_ADMIN;android.permission.USE_CREDENTIALS;com.android.browser.permission.READ_HISTORY_BOOKMARKS;android.permission.PROCESS_OUTGOING_CA\n\nanalysis\/android\/permissions &gt; print option permissions\n\nOption Name: permissions\nValue: 
android.permission.GET_TASKS;android.permission.BIND_DEVICE_ADMIN;android.permission.USE_CREDENTIALS;com.android.browser.permission.READ_HISTORY_BOOKMARKS;android.permission.PROCESS_OUTGOING_CALLS;android.permission.READ_LOGS;android.permission.READ_SMS;android.permission.READ_CALL_LOG;android.permission.RECORD_AUDIO;android.permission.MANAGE_ACCOUNTS;android.permission.RECEIVE_SMS;android.permission.RECEIVE_MMS;android.permission.WRITE_CONTACTS;android.permission.DISABLE_KEYGUARD;android.permission.WRITE_SETTINGS;android.permission.WRITE_SOCIAL_STREAM;android.permission.WAKE_LOCK\n\nanalysis\/android\/permissions &gt; set decompiled_apk result:com.eg.challengeapp_decompiled\n\nanalysis\/android\/permissions &gt; options\n\nGlobal Options:\n\n    Name   Value\n    ----   -----\n    device\n    output \/tmp\/scrounger-app\n\nModule Options (analysis\/android\/permissions):\n\n    Name           Required Description                                        Current Setting\n    ----           -------- -----------                                        ---------------\n    decompiled_apk True     local folder containing the decompiled apk file    result:com.eg.challengeapp_decompiled\n    permissions    True     dangerous permissions to check for, seperated by ; android.permission.GET_TASKS;android.permission.BIND_DEVICE_ADMIN;android.permission.USE_CREDENTIALS;com.android.browser.permission.READ_HISTORY_BOOKMARKS;android.permission.PROCESS_OUTGOING_CA\n\nanalysis\/android\/permissions &gt; run\n2018-05-01 10:54:58 -                       manifest : Checking for AndroidManifest.xml file\n2018-05-01 10:54:58 -                       manifest : Creating manifest object\n2018-05-01 10:54:58 -                    permissions : Analysing application's manifest permissions\n[+] Analysis result:\nThe Application Has Inadequate Permissions\n    Report: True\n    Details:\n* android.permission.READ_SMS<\/pre>\n\n\n\n<p><strong>Using devices<\/strong><br><\/p>\n\n\n\n<pre 
class=\"wp-block-syntaxhighlighter-code brush: plain; notranslate\">$ scrounger-console\nStarting Scrounger console...\n\n&gt; show devices\n\nAdded Devices:\n\n    Scrounger ID Device OS Identifier\n    ------------ --------- ----------\n\n&gt; add_device\nandroid  ios\n\n&gt; add_device android 00cd7e67ec57c127\n\n&gt; show devices\n\nAdded Devices:\n\n    Scrounger ID Device OS Identifier\n    ------------ --------- ----------\n    1            android   00cd7e67ec57c127\n\n&gt; set global device 1\n\n&gt; options\n\nGlobal Options:\n\n    Name   Value\n    ----   -----\n    device 1\n    output \/tmp\/scrounger-app\n\n&gt; use misc\/list_apps\n\nmisc\/list_apps &gt; options\n\nGlobal Options:\n\n    Name   Value\n    ----   -----\n    device 1\n    output \/tmp\/scrounger-app\n\nModule Options (misc\/list_apps):\n\n    Name   Required Description            Current Setting\n    ----   -------- -----------            ---------------\n    output False    local output directory \/tmp\/scrounger-app\n    device True     the remote device      1\n\nmisc\/list_apps &gt; unset output\n\nmisc\/list_apps &gt; options\n\nGlobal Options:\n\n    Name   Value\n    ----   -----\n    device 1\n    output \/tmp\/scrounger-app\n\nModule Options (misc\/list_apps):\n\n    Name   Required Description            Current Setting\n    ----   -------- -----------            ---------------\n    output False    local output directory\n    device True     the remote device      1\n\nmisc\/list_apps &gt; run\n[+] Applications installed on 00cd7e67ec57c127:\n\ncom.android.sharedstoragebackup\ncom.android.providers.partnerbookmarks\ncom.google.android.apps.maps\ncom.google.android.partnersetup\nde.codenauts.hockeyapp\n...<\/pre>\n\n\n\n<p><strong>Command Line Help<\/strong><br><\/p>\n\n\n\n<pre class=\"wp-block-syntaxhighlighter-code brush: plain; notranslate\">$ scrounger --help\nusage: scrounger [-h] [-m analysis\/ios\/module1;analysis\/ios\/module2]\n                 [-a 
argument1=value1;argument1=value2;]\n                 [-f \/path\/to\/the\/app.[apk|ipa]] [-d device_id] [-l] [-o]\n                 [-p \/path\/to\/full-analysis.json] [-V] [-D]\n\n   _____\n  \/ ____|\n | (___   ___ _ __ ___  _   _ _ __   __ _  ___ _ __\n  \\___ \\ \/ __| '__\/ _ \\| | | | '_ \\ \/ _` |\/ _ \\ '__|\n  ____) | (__| | | (_) | |_| | | | | (_| |  __\/ |\n |_____\/ \\___|_|  \\___\/ \\__,_|_| |_|\\__, |\\___|_|\n                                     __\/ |\n                                    |___\/\n\noptional arguments:\n  -h, --help            show this help message and exit\n  -m analysis\/ios\/module1;analysis\/ios\/module2, --modules analysis\/ios\/module1;analysis\/ios\/module2\n                        modules to be run - seperated by ; - will be run in order\n  -a argument1=value1;argument1=value2;, --arguments argument1=value1;argument1=value2;\n                        arguments for the modules to be run\n  -f \/path\/to\/the\/app.[apk|ipa], --full-analysis \/path\/to\/the\/app.[apk|ipa]\n                        runs a full analysis on the application\n  -d device_id, --device device_id\n                        device to be used by the modules\n  -l, --list            list available devices and modules\n  -o, --options         prints the required options for the selected modules\n  -p \/path\/to\/full-analysis.json, --print-results \/path\/to\/full-analysis.json\n                        prints the results of a full analysis json file\n  -V, --verbose         prints more information when running the modules\n  -D, --debug           prints more information when running scrounger<\/pre>\n\n\n\n<p><strong>Using the command line<\/strong><br><\/p>\n\n\n\n<pre class=\"wp-block-syntaxhighlighter-code brush: plain; notranslate\">\n$ scrounger -o -m \"misc\/android\/decompile_apk\"\n\nModule Options (misc.android.decompile_apk):\n\n    Name   Required Description                Default\n    ----   -------- -----------                -------\n    output 
True     local output directory     None\n    apk    True     local path to the APK file None\n\n$ scrounger -m \"misc\/android\/decompile_apk\" -a \"apk=.\/a.apk;output=.\/cli-demo\"\nExcuting Module 0\n2018-05-01 11:17:42 -                  decompile_apk : Creating decompilation directory\n2018-05-01 11:17:42 -                  decompile_apk : Decompiling application\n2018-05-01 11:17:46 -                       manifest : Checking for AndroidManifest.xml file\n2018-05-01 11:17:46 -                       manifest : Creating manifest object\n[+] Application decompiled to .\/cli-demo\/com.eg.challengeapp.decompiled<\/pre>\n\n\n\n<p><strong><a href=\"https:\/\/github.com\/nettitude\/scrounger\" rel=\"noreferrer noopener\" target=\"_blank\">Download Scrounger<\/a><\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Scrounger &#8211; a person who borrows from or lives off others. There is no better description for this tool for two main reasons, the first is because this tool takes inspiration from many other tools that have already been published, the second reason is because it lives off mobile application&#8217;s vulnerabilities. 
Why Even though several [&hellip;]<\/p>\n","protected":false},"author":8,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":""},"categories":[11],"tags":[41,40,42],"_links":{"self":[{"href":"http:\/\/blog.um-palembang.ac.id\/sayfudin\/wp-json\/wp\/v2\/posts\/424"}],"collection":[{"href":"http:\/\/blog.um-palembang.ac.id\/sayfudin\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/blog.um-palembang.ac.id\/sayfudin\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/blog.um-palembang.ac.id\/sayfudin\/wp-json\/wp\/v2\/users\/8"}],"replies":[{"embeddable":true,"href":"http:\/\/blog.um-palembang.ac.id\/sayfudin\/wp-json\/wp\/v2\/comments?post=424"}],"version-history":[{"count":1,"href":"http:\/\/blog.um-palembang.ac.id\/sayfudin\/wp-json\/wp\/v2\/posts\/424\/revisions"}],"predecessor-version":[{"id":425,"href":"http:\/\/blog.um-palembang.ac.id\/sayfudin\/wp-json\/wp\/v2\/posts\/424\/revisions\/425"}],"wp:attachment":[{"href":"http:\/\/blog.um-palembang.ac.id\/sayfudin\/wp-json\/wp\/v2\/media?parent=424"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/blog.um-palembang.ac.id\/sayfudin\/wp-json\/wp\/v2\/categories?post=424"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/blog.um-palembang.ac.id\/sayfudin\/wp-json\/wp\/v2\/tags?post=424"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}