Lawnchair launcher apk analysis using MobSF

Over the preceding decade, mobile technology has become more widespread in all aspects of society. Cell phones and tablets are commonly used to access the internet, run apps, get email, post to social media, and conduct financial and banking transactions, among various other things. The use of mobile devices for both personal and professional uses has skyrocketed. The emergence of mobile devices and the proliferation of mobile applications have tremendously aided mobility and flexibility. As a result, there have been concerns raised about maintaining security while gliding through the digital world.

Growth

On our planet alone, there are approximately 6.5 to 7 billion or more mobile phone users, which equates to 95 percent of the global population. The security of mobile devices is becoming an ever more relevant concern for users’ privacy. Although mobile device manufacturers care about user security and data privacy, internet-based applications create substantial hurdles when it comes to resolving threats and vulnerabilities while safeguarding a user’s data. The vast majority of software applications are created to do a certain activity and are tailored for a specific set of devices, such as smartphones and tablets. Protecting data on mobile devices is a high-risk activity because of the numerous hazards and flaws involved.

Privacy and Security Concerns with Mobile Device

As wireless technology progresses and mobile device usage grows, the mobile market continues to expand. Individuals, society, and organizations have had significant difficulty creating and maintaining secure identities for mobile devices, especially for mobile value-added services such as mobile banking, mobile ticketing, and a variety of other services.

Understanding the depth of mobile security.

Mobile Security

It’s difficult to be secure these days, and our heavy reliance on mobile technology makes it even more difficult. Our cellphones carry personal social media profiles, emails, important texts, and even bank account information. We continue to keep these data on file despite the fact that they are frequently very sensitive and may contain useful information. Furthermore, the majority of business-to-business transactions are conducted via smartphones. Cellphones are also where most people use social media. As a result, a company that does not have mobile or smartphone applications is ineffective. It’s no secret that mobile technology is advancing at a breakneck pace. On the internet, there are literally millions and billions of people, many of whom rely heavily on their smartphones.

What is MobSF?

MobSF (Mobile Security Framework) is an automated, all-in-one security assessment framework. It can automatically analyze Android, iOS, and Windows binaries and source code, although only Java and Objective-C source code is supported at the moment. MobSF can also be used to capture an application’s web traffic, which can then be sent to fuzzing tools such as Burp Suite and OWASP ZAP for analysis.

MobSF is a fully open-source security program that is absolutely free. The project began in December 2014, and developers from a number of locations now collaborate on it. MobSF is a great tool for developers because it allows them to find security flaws in their apps while they’re still being developed. It also helps security engineers perform mobile app security audits by letting them analyze both the final production-ready binaries and the source code. MobSF also has a REST API that DevSecOps engineers (or anyone else) can use to integrate it directly into their CI/CD pipelines, and malware researchers can use it to quickly detect malicious activity and malware signatures in applications. With MobSF it is also possible to perform sandboxed dynamic runtime analysis and evaluate malware activity in real time. MobSF is self-hosted and runs as a web application; it is also cross-platform, running on Linux, Mac OS X, and Windows. The static analysis component of MobSF can be run in a virtual machine or in a Docker container, but to perform dynamic analysis MobSF must be installed on the host operating system: if it is installed in a dockerized or virtualized environment, it won’t be able to perform dynamic analysis.

Installing MobSF.

MobSF is an actively maintained open-source project having a lot of potential. So, the documentation may change over time. Hence, always utilize the most up-to-date documentation available from MobSF’s official documentation page.

However, before we begin using MobSF, let us first install it on our PC. There are numerous ways to install and use MobSF:

First Method of installing MobSF:

The first way to install MobSF is to manually install all of the prerequisites and then run the setup script required for your Host Operating System.

Prerequisites

For Mac users

  • Install Git
  • Install Python 3.8-3.9
  • After installing Python 3.8+, go to /Applications/Python 3.8/ and run Update Shell Profile.command first and then Install Certificates.command
  • Install JDK 8+
  • Install command line tools xcode-select --install
  • Download & Install wkhtmltopdf
  • Windows App Static analysis requires a Windows host or a Windows VM for Mac and Linux.

For Ubuntu/Debian based Linux users:

  • Install Git: sudo apt-get install git
  • Install Python 3.8-3.9: sudo apt-get install python3.8
  • Install JDK 8+: sudo apt-get install openjdk-8-jdk
  • Install the following dependencies:
    sudo apt install python3-dev python3-venv python3-pip build-essential libffi-dev libssl-dev libxml2-dev libxslt1-dev libjpeg8-dev zlib1g-dev wkhtmltopdf
  • Windows App Static analysis requires a Windows host or a Windows VM for Mac and Linux.

For Windows users

NOTE: Set JAVA_HOME environment variable. iOS IPA Analysis works only on Mac, Linux and Docker containers.

So, once all of the prerequisites have been installed, you can proceed to the installation stage.

Second method of installing MobSF:

If you only need to do static analysis and don’t want to perform dynamic analysis, you may always utilize prebuilt MobSF docker images. To pull and deploy prebuilt MobSF docker images, copy and paste the following commands into the command line:

Note: Ensure that Docker is running on your computer.

docker pull opensecurity/mobile-security-framework-mobsf

docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest

Third method of running MobSF:

You can use the cloud version of MobSF instead of installing it on your computer if you don’t want to install MobSF on your PC. To do so, go to Mobsf.live.

Static Analysis using MobSF

What is static analysis?

Static analysis, often known as static code analysis, is the process of examining a computer program without running it to find flaws. Static analysis is most typically performed on a program’s source code using tools that convert the code to an abstract syntax tree (AST) in order to completely evaluate the code’s structure and, as a result, find flaws in it. An Abstract Syntax Tree (AST) is a tree representation of the source code of a computer program that shows the structure of the source code.

Let’s get started and run MobSF static analysis.

  • To begin, ensure that your host PC has all of the required software installed.
  • Second, clone the MobSF repository.

Note: We’ll be using Windows as the host operating system and the FreeOTP Android apk binary for static/dynamic analysis in this tutorial.

  • Install all the required dependencies.

For Linux / mac:

./setup.sh

For Windows:

./setup.bat

  • Now, execute the Run command.

For Linux & mac:

./run.sh

For Windows:

./run.bat

MobSF is now accessible directly from the browser itself.

Dashboard

<img src="https://user-images.githubusercontent.com/37651620/156296221-f558cedf-6c89-4dbf-be11-b50704176a90.png" height="auto" width="200px">

Features of MobSF static analysis

Information Section:

The app’s various scores, such as the average CVSS, security score, and number of recognized trackers, are displayed in this section at the top, and the file’s name, size, and basic hashes are displayed in the File information section, which is located next to the App score. Finally, the App Information section, which is located next to the File Information section, provides numerous characteristics about the app, such as the package name, main activity, and current version of the application.

App scores

This section displays the app’s various scores, such as the average CVSS, security score, and number of trackers recognized.

MobSF scorecard

This section shows a visual representation of the scores for the various findings in great detail.

The security score is derived from the severity of the findings, while the average CVSS score is simply the mean of the CVSS scores of the individual findings.

Each app starts with a perfect score of 100. MobSF then deducts 15 points for each finding with high severity, subtracts 10 points for each finding with severity warning, and adds 5 points for each finding with severity good. If the calculated score is more than 100, the app security score is capped at 100; if it is less than 0, the app security score is set to 10.
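As an added example (not code from the article or from the MobSF project), the scoring rule above in Python, extended into the kind of CI gate that the REST API integration mentioned earlier could feed; the findings, rule names and thresholds are constructed assumptions, and severities other than high, warning and good are assumed to leave the score unchanged.

```python
"""Reproduce the app security score rule described above and use it as a CI
gate. Finding records are constructed sample data; MobSF's own report schema
is not assumed here."""
from dataclasses import dataclass
from statistics import mean
from typing import Iterable, Optional, Tuple

# Point adjustments per severity, as stated in the article. Other severities
# (e.g. "info") are assumed to leave the score unchanged.
SEVERITY_POINTS = {"high": -15, "warning": -10, "good": +5}
PERFECT_SCORE = 100
FLOOR_SCORE = 10  # assigned whenever the computed score drops below 0


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str                  # "high", "warning", "good" or "info"
    cvss: Optional[float] = None   # CVSS base score carried by the rule, if any


def security_score(findings: Iterable[Finding]) -> int:
    """Start at 100, apply per-finding adjustments, then clamp as MobSF does."""
    score = PERFECT_SCORE
    for f in findings:
        score += SEVERITY_POINTS.get(f.severity, 0)
    if score > PERFECT_SCORE:
        return PERFECT_SCORE
    if score < 0:
        return FLOOR_SCORE
    return score


def average_cvss(findings: Iterable[Finding]) -> float:
    """Mean of the CVSS scores of findings that carry one (0.0 if none do)."""
    scores = [f.cvss for f in findings if f.cvss is not None]
    return round(mean(scores), 1) if scores else 0.0


def ci_gate(findings, min_score: int = 60, max_avg_cvss: float = 7.0) -> Tuple[bool, str]:
    """Fail the build when the score or the average CVSS crosses a threshold."""
    findings = list(findings)
    score, cvss = security_score(findings), average_cvss(findings)
    problems = []
    if score < min_score:
        problems.append(f"security score {score} < {min_score}")
    if cvss > max_avg_cvss:
        problems.append(f"average CVSS {cvss} > {max_avg_cvss}")
    if problems:
        return False, "FAIL: " + "; ".join(problems)
    return True, f"PASS: security score {score}, average CVSS {cvss}"


# Constructed sample findings (hypothetical, not taken from a real scan).
SAMPLE_FINDINGS = [
    Finding("app_allowbackup", "warning", 5.5),
    Finding("exported_activity_no_permission", "high", 7.4),
    Finding("cleartext_traffic_allowed", "high", 5.9),
    Finding("insecure_random", "warning"),
    Finding("min_sdk_vulnerable", "warning"),
    Finding("ssl_pinning_present", "good"),
    Finding("hardcoded_strings_reviewed", "info"),
]

if __name__ == "__main__":
    print(ci_gate(SAMPLE_FINDINGS)[1])  # 100 - 10 - 15 - 15 - 10 - 10 + 5 = 45
```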

File information

The name, size, and basic hashes of the application are displayed in the File information section, which sits right next to the App score section.

App Information

The App Information section, which appears next to the File Information section, provides details on the app’s package name, main activity, and current version of the application.

Playstore description

The Play Store description section, which appears just below the App scores section, simply lists the description of the app as it appears on the Google Play Store.

Component section

This section lists the basic components used in Android apps: Activities, each of which is simply a single screen of the app with a user-interactive interface; Services, which are parts of the app that run in the background; Receivers, which allow the app to register for system or application events; and Providers, which supply their own interface for working with data.

Scan Option

This section includes options such as Rescan and Dynamic Analysis. It also has a decompiled code section that displays the decompiled Android manifest, Java source code, and Smali source code, and lets you download the entire Java source, the Smali source, and even the APK file itself.

Signer Certificate

Basic information about the code-signing certificate can be found in the Signer Certificate section, which shows the signature version, the hash algorithms used, the fingerprints, and the issuer identity. If anything favourable or unfavourable is identified, it is noted in the certificate status box along with a brief summary.

Application permission

All of the permissions used by the application (Lawnchair Launcher apk) are listed in the Permissions section, along with their status, information, and descriptions.

Android API

This section simply lists all of the Android APIs used inside this particular application.

Browsable activities

This section simply lists all of the browsable activities, that is, the activities that can be opened through a specific URI scheme.

Security Analysis:

The security analysis section includes manifest, code, binary, NIAP, and file analysis.

Network Security

This section will simply display all network-related and configuration issues found in the examined application, along with their brief status and descriptions.

Manifest Analysis

MobSF runs a static analysis on the Android Manifest file to find vulnerabilities; it then lists all of the related issues, together with their severity and a full description, in this section.
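As an added example (not the article’s or MobSF’s own code) of what the manifest analysis and the Browsable activities sections above derive from the manifest, the following Python flags exported components that are not guarded by a permission and maps each BROWSABLE activity to the URI schemes it accepts; the manifest is a constructed sample, not the real Lawnchair manifest.

```python
"""Flag exported components and list browsable activities from an Android
manifest, mirroring the checks MobSF's manifest analysis performs. The
manifest below is a constructed sample, not the real Lawnchair manifest."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS   # ElementTree prefix for android:* attributes

SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.launcher">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <data android:scheme="launcher" android:host="settings"/>
      </intent-filter>
    </activity>
    <receiver android:name=".BootReceiver" android:exported="true"
              android:permission="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <service android:name=".SyncService" android:exported="false"/>
  </application>
</manifest>
"""

COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def is_exported(comp: ET.Element) -> bool:
    """Android's rule: an explicit android:exported wins; otherwise a component
    that declares an intent-filter is exported by default (pre-Android 12)."""
    flag = comp.get(A + "exported")
    if flag is not None:
        return flag.lower() == "true"
    return comp.find("intent-filter") is not None


def exported_components(manifest_xml: str) -> List[Dict[str, Optional[str]]]:
    """List every exported component with its guarding permission (None means
    any app on the device can reach it, which is what the analysis flags)."""
    root = ET.fromstring(manifest_xml)
    return [
        {"type": c.tag, "name": c.get(A + "name"), "permission": c.get(A + "permission")}
        for c in root.iter()
        if c.tag in COMPONENT_TAGS and is_exported(c)
    ]


def browsable_activities(manifest_xml: str) -> Dict[str, List[str]]:
    """Map each BROWSABLE activity to the scheme://host URIs it accepts."""
    root = ET.fromstring(manifest_xml)
    result: Dict[str, List[str]] = {}
    for act in root.iter("activity"):
        for filt in act.findall("intent-filter"):
            cats = {c.get(A + "name") for c in filt.findall("category")}
            if "android.intent.category.BROWSABLE" not in cats:
                continue
            uris = [f"{d.get(A + 'scheme') or '*'}://{d.get(A + 'host') or ''}"
                    for d in filt.findall("data")]
            result.setdefault(act.get(A + "name"), []).extend(uris)
    return result
```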

Code analysis

MobSF performs static analysis on all of the decompiled Java source code and then provides a report listing every issue encountered, together with its severity, the relevant standard, and the file location; this report is displayed in this section.

Binary Analysis

MobSF lists all of the issues detected in the shared objects (native libraries) and displays them in this section.

NIAP Analysis

The Department of Defense and other federal agencies must guarantee that their mobile apps meet the security criteria of the National Information Assurance Partnership (NIAP), which certifies the security of commercial hardware and software used in national security systems. MobSF can run a NIAP analysis, and this section shows all of the NIAP results together with their identifier, requirement, characteristics, and a brief description.

File analysis

This section is currently empty for this app; MobSF uses it to list sensitive files, such as certificates, that are hard-coded within the application.

Malware analysis

APKiD analysis

This section gives a solid picture of the application’s behavior from a code perspective.

Server location

This is MobSF’s greatest feature because it includes a lovely world map UI that shows the locations of the assessed app’s servers in pin-point detail.

Quark analysis

Domain malware check

MobSF extracts domains from the binaries and compares them against the domains recorded in its malware database; on that basis it reports whether each domain is good or malicious.

Reconnaissance

URLs

MobSF lists all of the URLs found in the various source files of this application in this section.

Firebase DB

MobSF can extract all of the Firebase database URLs from the app and perform a secondary check to see whether the database is exposed to the public.

Emails

MobSF is able to extract all of the emails contained in the source code and present them in this section.

Trackers

MobSF extracts all of the trackers currently used inside the application and displays them in this section.

Trackers are simply development toolkits or add-ons that collect data and information on the application’s behalf.

Strings

MobSF lists all of the hard-coded strings present in the binary, especially those from the strings resource.

Possible hardcoded secrets

Components

Components refer to the different sections of the application. This section includes a list of all the activities, services, receivers, providers, and libraries that this application employs. It also contains all files found in the application’s binaries.

Activities

Activities are simply a single screen in your app with an interface that the user can interact with.

Services

Services are parts of the application that run in the background.

Receivers

Receivers allow the app to register for system events or any kind of application event.

Providers

Providers supply their own interface for working with data.

PDF report

The PDF report section allows you to create a professional-looking PDF report with high-level information about the different findings of this particular analyzed application. If you want to keep records of your security analysis, it’s quite handy.

Visit this link to see the full report on this LawnchairLauncher v2 application.

What is dynamic analysis?

Dynamic analysis is the process of testing and analyzing a program while it is running. Also known as dynamic code scanning, it aids in detecting and correcting errors, memory issues, memory leaks, and several other problems with program execution.

Note: It is necessary to undertake static analysis before going on to dynamic analysis.

Dynamic analysis mechanism

MobSF first installs the apk on the Genymotion VM and then instruments it. Xposed and Frida are used for instrumentation: Frida for Android 5.0 and up, and Xposed for Android 5.0 and below. The Genymotion VM also hosts several agents. Once the app has been instrumented, the agents begin capturing and gathering data about it. When the report is finished, the collected data is forwarded to MobSF, and the app’s full data is dumped from the device for further investigation.

Always make sure you’ve configured the dynamic analyzer for MobSF before starting the analysis. You must start a genymotion VM before launching MobSF to perform android dynamic analysis flawlessly.

This error will be thrown if MobSF fails to detect the virtual machine.

Starting Dynamic analysis

Open scan options and click on Start Dynamic Analysis.

If everything went well, you should be able to see the dashboard.

MobSF Dynamic analysis features and functionality:

Show/Stop Screen:

This functionality lets you view the screen of the emulated device through the web interface. Some basic functions, such as touches and clicks, are available directly through the web interface.

Remove Root Certificate (CA):

This feature is responsible for intercepting the traffic of the device.

TLS/SSL test:

TLS/SSL Security test allows you to assess the network security of your application. These tests are only applicable to applications that connect to the internet using the HTTP protocol.

Exported Activity Tester:

This test lets you dynamically test the exported activities, which is useful for building dynamic proofs of concept (POCs) and for verifying the static analysis results.

Activity Tester:

You can use this test to forcefully test all non-exported activities.

Get Dependencies:

This feature aids in the collection of all data related to the application’s ‘runtime’ dependencies.

Take Screenshots:

This feature allows you to take a screenshot of a device that is currently running in a virtual machine.

Logcat Stream:

The Logcat stream shows all of the device’s logs in real time.

All of the real-time logs will be displayed in a new window that will get launched separately.

At the moment, MobSF cannot perform fully autonomous dynamic analysis, because it has no understanding of your app’s business logic, how to fill in the login and password fields, or what data it should supply. To get the most out of MobSF dynamic analysis, you must manually walk through the application’s business logic and its various screens, while MobSF performs its security analysis in the background.

Initializing the Dynamic Analysis Process:

The initial stage in the dynamic analysis process is to select start instrumentation, which will load the application and enable MobSF to instrument it.

Instrumentation with Frida

Use the console to see the output created by these Frida scripts, or look in the Frida live logs folder. Whether you’re running a custom Frida script or writing one, Frida live logs will show you all of the output from the various Frida scripts.

Once the instrumentation process is complete, the Live API monitor button will be enabled. The live API monitor simply logs all API calls that occur during the course of the application.

Frida Code editor

MobSF dynamic analyzer also provides access to the Frida code editor where custom or pre-built Frida scripts can be loaded.

Generate Report:

When the Generate Report option is selected, MobSF stops all analysis and generates a report. After the dynamic analysis, the final report should resemble the following.

Click here to view the full dynamic analysis report of the Lawnchair Launcher v2 apk application.

Closing

MobSF is a very useful tool for developers because it helps them find security flaws in apps while they’re still being developed, and it can run static analysis directly on the source code of those apps. It also aids security engineers in performing mobile app security audits by letting them analyze both the final production-ready binaries and the source code. MobSF also offers a REST API that DevSecOps professionals can use to integrate it directly into CI/CD pipelines, and that malware researchers can use to quickly and effectively discover harmful behavior and malware signatures in applications. This article may have been entertaining as well as instructive in terms of how to install MobSF and use it from the ground up on a variety of platforms. Join Aviyel’s community to learn more about the open source project, get tips on how to contribute, and join active dev groups.

Call-to-Action

Aviyel is a collaborative platform that assists open source project communities in monetizing and long-term sustainability. To know more visit Aviyel.com and find great blogs and events, just like this one! Sign up now for early access, and don’t forget to follow us on our socials!