+ droidstatx is a Python tool that generates an Xmind map with all the information gathered and any evidence of possible vulnerabilities identified via static analysis.
+ The map itself is an Android Application Pentesting Methodology component, which assists Pentesters to cover all important areas during an assessment. This was the main goal driving the tool development.
+ The tool also lets you add custom checks in a simple way, to confirm whether given patterns occur in the Dalvik bytecode instructions.
– pip (apt-get install python-pip)
– Java JRE (Probably already installed but if not, apt-get install default-jre)
As stated above, this was the tool development’s main driving goal. The Xmind map Methodology topic is structured following the OWASP Mobile Top 10 2016 categories.
Each category has topics that you will need to cover, in the format of a checklist, to guarantee and highlight coverage. Each topic has a URL to the respective chapter of the OWASP Mobile Security Testing Guide (MSTG), which explains the vulnerability and how to confirm its existence. I collaborated a little bit on the OWASP MSTG project and have to give a big shout out to Bernhard and Sven for creating the project and bringing a lot of people together to develop it.
The tool will automatically fill some of the topics with evidence based on the analysis, to help confirm whether a finding is a true or a false positive.
Each time the tool runs against a package, if the Xmind map already exists, a new tab is created in the workbook. This way it’s possible to keep a history file of every new version tested and compare it against previous runs.
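To make the custom-check and evidence-filling ideas concrete, here is an added example (not droidstatx's own code, and not its real check syntax): a minimal check engine that scans smali-style Dalvik instruction listings for defined patterns and groups the hits as evidence under OWASP Mobile Top 10 2016 categories, mirroring the category > topic > evidence layout of the methodology map. The `Check` format, the sample smali listing, the class and method names in it, and the topic titles are all constructed for illustration.

```python
"""Added example: a toy pattern-check engine over smali-style Dalvik instructions.
Not droidstatx's own code or check format; sample input is constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Check:
    name: str       # short identifier for the check
    category: str   # OWASP Mobile Top 10 2016 category the topic sits under
    pattern: str    # regex applied to each instruction line (anchored at line start)
    topic: str      # methodology topic the evidence is attached to (constructed titles)


@dataclass(frozen=True)
class Evidence:
    check: str
    method: str         # smali method the instruction was found in
    instruction: str    # the matching instruction, stripped of indentation


# Constructed checks; the categories are the real OWASP Mobile Top 10 2016 names.
CHECKS = [
    Check("weak-hash-md5", "M5: Insufficient Cryptography",
          r'^\s*const-string\s+v\d+,\s*"MD5"', "Weak hashing algorithm"),
    Check("cleartext-http", "M3: Insecure Communication",
          r'^\s*const-string\s+v\d+,\s*"http://', "Cleartext traffic"),
    Check("android-log", "M2: Insecure Data Storage",
          r'^\s*invoke-static\s+\{[^}]*\},\s*Landroid/util/Log;->[dvi]\(', "Logging"),
]

# Constructed smali listing standing in for apktool output (hypothetical class).
SAMPLE_SMALI = """\
.class public Lcom/example/app/Net;
.method public static hash(Ljava/lang/String;)Ljava/lang/String;
    const-string v0, "MD5"
    invoke-static {v0}, Ljava/security/MessageDigest;->getInstance(Ljava/lang/String;)Ljava/security/MessageDigest;
    move-result-object v0
    return-object v0
.end method
.method public static fetch()V
    const-string v1, "http://api.example.invalid/v1/login"
    const-string v2, "token="
    invoke-static {v2, v1}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I
    return-void
.end method
"""


def run_checks(smali: str, checks: List[Check] = CHECKS) -> Dict[str, List[Evidence]]:
    """Scan a smali listing line by line; return evidence grouped by OWASP category.

    Tracks the enclosing `.method` so each hit records where it was found."""
    compiled = [(c, re.compile(c.pattern)) for c in checks]
    findings: Dict[str, List[Evidence]] = {}
    method = "<class-level>"
    for line in smali.splitlines():
        stripped = line.strip()
        if stripped.startswith(".method "):
            method = stripped.split()[-1]   # last token is name(descriptor)return
            continue
        if stripped == ".end method":
            method = "<class-level>"
            continue
        for check, rx in compiled:
            if rx.match(line):
                findings.setdefault(check.category, []).append(
                    Evidence(check.name, method, stripped))
    return findings


def outline(findings: Dict[str, List[Evidence]], checks: List[Check] = CHECKS) -> List[str]:
    """Render findings as an indented outline: category > topic > evidence."""
    topic_of = {c.name: c.topic for c in checks}
    lines: List[str] = []
    for category in sorted(findings):
        lines.append(category)
        by_topic: Dict[str, List[Evidence]] = {}
        for ev in findings[category]:
            by_topic.setdefault(topic_of[ev.check], []).append(ev)
        for topic, evs in by_topic.items():
            lines.append(f"  {topic}")
            for ev in evs:
                lines.append(f"    {ev.method}: {ev.instruction}")
    return lines


if __name__ == "__main__":
    print("\n".join(outline(run_checks(SAMPLE_SMALI))))
```

Each `Check` is just a category, a topic and a regex, so adding a new pattern is a one-line change; the recorded method name is what lets a pentester jump straight to the right place when deciding whether a hit is a true or false positive.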
Use and Download:
git clone https://github.com/integrity-sa/droidstatx && cd droidstatx
* The setup will download the latest apktool jar and pip-install androguard and xmind-sdk-python.
python droidstatx.py --apk [your_apk]
Best run on Kali Linux 2017, Ubuntu 16.04 and Debian 9.0