SecDroid is a comprehensive static analysis tool for assessing the security of Android APKs. Built around the OWASP Mobile Application Security Verification Standard (MASVS), SecDroid automatically decompiles and inspects Android applications to detect vulnerabilities and insecure configurations that could lead to data leakage or unauthorized access.
Features:
- OWASP MASVS-Based Analysis: Performs security checks based on the OWASP MASVS criteria (the v1.x control groups) across multiple areas:
  - V1: Architecture, Design and Threat Modeling
  - V2: Data Storage and Privacy
  - V3: Cryptography
  - V4: Authentication and Session Management
  - V5: Network Communication
  - V6: Platform Interaction
  - V7: Code Quality and Build Settings
  - V8: Reverse Engineering Resilience
- APK Decompilation: Uses d2j-dex2jar and jadx to convert APKs into Java source code and resources for in-depth analysis.
- Static Code Inspection: Scans the decompiled source files and resource files for common security issues such as:
  - Hardcoded sensitive data (keys, passwords, tokens)
  - Insecure data storage practices (unencrypted databases, exposed shared preferences)
  - Inadequate network security (weak TLS, missing or improper certificate pinning)
  - Misconfigured permissions and IPC vulnerabilities
- Detailed Reporting: Prints colour-coded findings to the console and, when logging is enabled, writes a text log file and an HTML report with full details of the findings.
- Batch Scanning: Scans either a single APK file or an entire directory of APKs.
- Linux-Optimized: Designed to run on Linux (Kali Linux recommended) for best performance and compatibility; the tool verifies at startup that it is running on Linux.
Before running SecDroid, ensure that your Linux system has the following utilities installed:
- grep: text pattern searching, used by the static checks
- jadx: Android decompiler
- d2j-dex2jar: converts DEX files to JAR format (the dex2jar distribution ships it as d2j-dex2jar.sh)
- Python 3.x: the tool is written in Python
For example, on Debian/Ubuntu you can install grep and Python with:
sudo apt update && sudo apt install grep python3 -y
jadx and dex2jar must be installed separately (see Installation).
Installation:
- Clone the repository:
git clone https://github.com/Optimized-Brain/SecDroid.git
cd SecDroid
- Install jadx:
wget https://github.com/skylot/jadx/releases/latest/download/jadx.zip
unzip jadx.zip -d jadx
sudo mv jadx /opt/
(jadx release archives are versioned, in the form jadx-<version>.zip; if the download fails, take the exact file name from the releases page.)
- Install d2j-dex2jar:
wget https://github.com/pxb1988/dex2jar/releases/latest/download/dex-tools.zip
unzip dex-tools.zip -d dex-tools
sudo mv dex-tools /opt/
(The dex2jar archive may unpack into a versioned subdirectory, and the launcher script is named d2j-dex2jar.sh; make the scripts executable with chmod +x, and because SecDroid's environment check looks for a command named d2j-dex2jar, provide a symlink or wrapper with that name on your PATH.)
- Update your PATH (if needed): add the following line to your ~/.bashrc or ~/.profile:
export PATH=$PATH:/opt/jadx/bin:/opt/dex-tools
Then reload your profile:
source ~/.bashrc
SecDroid is executed from the command line. The general syntax is:
python3 SecDroid.py [options] <APK_FILE_OR_DIRECTORY>
Options:
- -h: Display help and usage instructions.
- -p: Analyze a single APK file.
- -m: Analyze multiple APK files located in a directory.
- -l: Enable logging (creates both a .txt log file and an HTML report).
Examples:
- Single APK analysis:
python3 SecDroid.py -p /path/to/android_app.apk
- Single APK analysis with logging:
python3 SecDroid.py -p /path/to/android_app.apk -l
- Batch analysis of a directory:
python3 SecDroid.py -m /path/to/apk_directory/
- Batch analysis with logging:
python3 SecDroid.py -m /path/to/apk_directory/ -l
How It Works:
- Introduction & Environment Checks: SecDroid displays an introductory banner and verifies that it is running on a Linux system. It also checks that the required utilities (grep, jadx, d2j-dex2jar) are present.
- APK Validation & Metadata Extraction: The tool confirms that the provided file exists and is an APK, records its size, and computes MD5 and SHA256 hashes so that the analyzed file can be identified and its integrity verified later.
- Decompilation: Using d2j-dex2jar and jadx, SecDroid decompiles the APK and writes the recovered Java source code and resources to a designated directory.
- Manifest Analysis: It parses AndroidManifest.xml to extract the package name, version, SDK levels, and security-related configuration flags.
- Static Code Analysis: SecDroid recursively scans the decompiled sources and resource files for potential vulnerabilities based on OWASP MASVS criteria, including insecure data storage, weak cryptography, improper logging, and more.
- Reporting: Findings are printed to the console with colour-coded messages for quick identification. When the logging option is enabled, a detailed report is also saved as a text log file and an HTML report.
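The validation, hashing and manifest-analysis steps of the pipeline above, written out as an added Python example. This is not SecDroid's own code: the function names (validate_apk, apk_hashes, analyse_manifest) are illustrative, the manifest and the minimal APK are constructed inline so the example runs offline, and the exported-component check assumes the pre-API-31 default (a component that declares an intent filter is exported unless android:exported="false" is set). The launcher activity is therefore reported as exported without a permission, which is expected for a launcher; a real triage would whitelist it.

```python
# Added example (not SecDroid's own code): APK validation, hashing and
# manifest analysis as described in the pipeline above. Names are illustrative.
import hashlib
import io
import xml.etree.ElementTree as ET
import zipfile

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(elem, name, default=None):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name), default)


def validate_apk(data: bytes) -> bool:
    """An APK is a ZIP archive; require the manifest and at least one
    classes*.dex so junk files are rejected before decompilation starts."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    has_dex = any(n.startswith("classes") and n.endswith(".dex") for n in names)
    return "AndroidManifest.xml" in names and has_dex


def apk_hashes(data: bytes) -> dict:
    """Size plus MD5 and SHA-256 of the raw file bytes, hashed in 1 MiB chunks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    view = memoryview(data)
    for i in range(0, len(view), 1 << 20):
        chunk = view[i:i + (1 << 20)]
        md5.update(chunk)
        sha.update(chunk)
    return {"size": len(data), "md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def analyse_manifest(xml_text: str) -> dict:
    """Extract package metadata and security-relevant flags from a decompiled
    (plain-text) AndroidManifest.xml, and list components reachable by other
    apps without any permission guarding them."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    sdk = root.find("uses-sdk")
    info = {
        "package": root.get("package"),
        "version_code": android_attr(root, "versionCode"),
        "version_name": android_attr(root, "versionName"),
        "min_sdk": None if sdk is None else android_attr(sdk, "minSdkVersion"),
        "target_sdk": None if sdk is None else android_attr(sdk, "targetSdkVersion"),
        "debuggable": android_attr(app, "debuggable", "false") == "true",
        "allow_backup": android_attr(app, "allowBackup", "true") == "true",  # Android default is true
        "cleartext_traffic": android_attr(app, "usesCleartextTraffic"),
        "exported_unprotected": [],
    }
    for comp in app:
        if comp.tag not in ("activity", "service", "receiver", "provider"):
            continue
        exported = android_attr(comp, "exported")
        if exported is None:
            # Assumed pre-API-31 default: a component with an <intent-filter>
            # is exported unless android:exported="false" is set explicitly.
            exported = "true" if comp.find("intent-filter") is not None else "false"
        if exported == "true" and android_attr(comp, "permission") is None:
            info["exported_unprotected"].append((comp.tag, android_attr(comp, "name")))
    return info


# Constructed sample manifest in the plain-text form a decompiler writes out; not from a real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo" android:versionCode="7" android:versionName="1.2">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="30"/>
  <application android:debuggable="true" android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.demo.SYNC"/>
    <receiver android:name=".DebugReceiver" android:exported="true"/>
  </application>
</manifest>"""


def build_sample_apk() -> bytes:
    """Constructed minimal APK (a zip with a manifest and a dex placeholder),
    used only to exercise validate_apk and apk_hashes offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", SAMPLE_MANIFEST)
        zf.writestr("classes.dex", b"dex\n035\x00placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    apk = build_sample_apk()
    print("valid APK:", validate_apk(apk))
    print(apk_hashes(apk))
    print(analyse_manifest(SAMPLE_MANIFEST))
```

On a real decompiled tree the manifest would be read from the jadx output directory (jadx writes it under resources/) rather than from the string above; the checks themselves are unchanged.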
Custom Rule Engine:
SecDroid also includes a Custom Rule Engine that scans files against security rules defined in a JSON file. The engine matches patterns in source code and configuration files, so that checks specific to your application or organisation can be added without modifying the tool.
Features:
1. Load custom rules from a JSON file.
2. Scan individual files or entire directories recursively.
3. Detect matches using regular expressions, each classified with a severity.
4. Restrict a rule to specific file types.
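A minimal engine of the kind described above, as an added Python example that is not SecDroid's own rule engine. The page does not specify the JSON schema, so the one used here (id, description, pattern, severity, file_types) is an assumption for illustration. The sample rules double as a sketch of the Static Code Inspection checks listed earlier (hardcoded secrets, world-readable storage, cleartext traffic, weak hashing, plain http:// URLs), and the "decompiled" files they run over are constructed inline so the example runs offline.

```python
# Added example (not SecDroid's own engine): a minimal JSON-driven rule scanner of
# the kind described above. The rule schema below is assumed for illustration.
import json
import os
import re
import tempfile
from collections import namedtuple

SEVERITIES = ("LOW", "MEDIUM", "HIGH", "CRITICAL")
Rule = namedtuple("Rule", "id description regex severity file_types")
Finding = namedtuple("Finding", "rule_id severity path line_no line")

# Constructed rule file. An empty "file_types" list means the rule applies to every file.
SAMPLE_RULES_JSON = json.dumps([
    {"id": "SD-HARDCODED-KEY", "description": "Hardcoded API key, secret or password",
     "pattern": r"(?i)(api[_-]?key|secret|password)\s*=\s*\"[^\"]{8,}\"",
     "severity": "HIGH", "file_types": [".java", ".kt", ".xml"]},
    {"id": "SD-WORLD-READABLE", "description": "World-readable/writable private storage",
     "pattern": r"MODE_WORLD_(READABLE|WRITEABLE)", "severity": "HIGH",
     "file_types": [".java", ".kt"]},
    {"id": "SD-CLEARTEXT", "description": "Cleartext traffic permitted in the manifest",
     "pattern": r"usesCleartextTraffic\s*=\s*\"true\"", "severity": "MEDIUM",
     "file_types": [".xml"]},
    {"id": "SD-WEAK-HASH", "description": "Weak hash algorithm",
     "pattern": r"MessageDigest\.getInstance\(\s*\"(MD5|SHA-?1)\"", "severity": "MEDIUM",
     "file_types": [".java", ".kt"]},
    {"id": "SD-HTTP-URL", "description": "Plain http:// URL literal",
     "pattern": r"\"http://[^\"]+\"", "severity": "LOW", "file_types": []},
])


def load_rules(json_text: str) -> list:
    """Parse the JSON rule list, compiling each regex and validating the severity."""
    rules = []
    for raw in json.loads(json_text):
        sev = str(raw.get("severity", "MEDIUM")).upper()
        if sev not in SEVERITIES:
            raise ValueError("rule %s: unknown severity %r" % (raw["id"], sev))
        rules.append(Rule(raw["id"], raw.get("description", ""), re.compile(raw["pattern"]),
                          sev, tuple(t.lower() for t in raw.get("file_types", []))))
    return rules


def scan_file(path: str, rules: list) -> list:
    """Apply every rule whose file-type restriction admits this file, line by line."""
    ext = os.path.splitext(path)[1].lower()
    applicable = [r for r in rules if not r.file_types or ext in r.file_types]
    if not applicable:
        return []
    findings = []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for no, line in enumerate(fh, 1):
            for r in applicable:
                if r.regex.search(line):
                    findings.append(Finding(r.id, r.severity, path, no, line.rstrip("\n")))
    return findings


def scan_path(target: str, rules: list) -> list:
    """Scan a single file, or walk a directory tree (e.g. the jadx output) recursively."""
    if os.path.isfile(target):
        return scan_file(target, rules)
    findings = []
    for dirpath, _, files in os.walk(target):
        for name in sorted(files):
            findings.extend(scan_file(os.path.join(dirpath, name), rules))
    return findings


# Constructed stand-in for a decompiled tree; the file contents are invented for the demo.
SAMPLE_FILES = {
    "sources/com/example/Config.java":
        'class Config {\n  static final String API_KEY = "AKIAEXAMPLE12345678";\n'
        '  String url = "http://api.example.invalid/v1";\n}\n',
    "sources/com/example/Store.java":
        'void save(Context c) {\n  c.getSharedPreferences("p", Context.MODE_WORLD_READABLE);\n'
        '  MessageDigest.getInstance("MD5");\n}\n',
    "resources/AndroidManifest.xml": '<application android:usesCleartextTraffic="true"/>\n',
    "resources/res/values/strings.xml": '<string name="app_name">Demo</string>\n',
}


def write_sample_tree(root: str) -> None:
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)


def demo() -> dict:
    """Scan the constructed tree with the constructed rules; returns a summary."""
    rules = load_rules(SAMPLE_RULES_JSON)
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_tree(tmp)
        findings = scan_path(tmp, rules)
        for f in findings:
            print("[%s] %s %s:%d %s" % (f.severity, f.rule_id,
                                        os.path.relpath(f.path, tmp), f.line_no, f.line.strip()))
    return {"rule_ids": sorted(f.rule_id for f in findings),
            "counts": {s: sum(1 for f in findings if f.severity == s) for s in SEVERITIES}}


if __name__ == "__main__":
    demo()
```

Line-by-line matching keeps the engine simple and the report easy to read, but it cannot see a secret split across lines or a key assembled at runtime; those remain the job of the decompiled-code review that the rules only narrow down.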
Contributions are welcome! If you wish to report bugs, suggest enhancements, or submit pull requests, please follow these steps:
- Fork the repository.
- Create a new branch for your feature or bugfix.
- Commit your changes with clear and descriptive commit messages.
- Push your branch and open a pull request.
Please ensure that your contributions follow the coding style and include appropriate documentation and testing.
SecDroid is released under the MIT License. See the LICENSE file for further details.
For questions, suggestions, or feedback, please contact:
- Author: Shoaib Attar
- Email: [email protected]
Feel free to open an issue on GitHub or reach out directly via email.
SecDroid is a project of the CoE CNDS Lab and is developed with the aim of enhancing mobile application security testing and ensuring adherence to industry best practices as defined by OWASP MASVS.