4A is a Interactive Application Security Testing (IAST) for Android. It's based on Objection and Frida.
There are two main types of software security testing:
- Static Application Security Testing (SAST)
- Dynamic Application Security Testing (DAST)
A lot of people believe that no one is the best! so we should merge them to get the best outcome. there are different approaches to merge SAST and DAST. One of these approaches is IAST. Android Application Auto Analysis (4A) is a tool for doing Interactive Application Security Testing. We used the power of Frida for Software Instrumentation and Objection for UI/UX.
You have two options:
-
Use Virtual Android: recommended for more security
-
Use Physical Device: recommended for better performance
I suppose you know how to connect a virtual or physical android to your computer. When connected we run this command:
adb devices
Your android, can be discovered by 4A from now on.
First of all, we need to prepare Frida for android. There are two options:
I describe second option here. thanks to Objection, Frida-Gadget injection is a peace of cake. (more info here)
objection patchapk --source app.apk
app.apk is the app that we want to analyze. after running this command, a new file get generated in the current directory, named app.objection.apk.
now you should install it on your device:
adb install app.objection.apk
Go to objection-plugins/android-sandbox/agent directory.
cd objection-plugins/android-sandbox/agent
Then:
npm i
A file named index.js should be created in android-sandbox directory.
Then, run the app from android and run this command in your computer:
objection explore -P ./objection-plugins
4A is a plugin of Objection. It's easy to use 😎.
There are some config files. Just take a loot at them, too!
This is my bachelor's project! I needed to pass the project course! 😁 the final report (in Persian/Farsi) of the project can be downloaded here.
But why I chose this topic? because I ❤️ it.
There is another reason. 😊 It was so hard for me to analyze android application with current tools. I needed something new. so I built it.
There are a lot of things TODO!
- Make TypeScript code beautiful: It's a lot of code, that can be minimized and structured. there are some repetitive structures like Hook and Switch.
- Make Python code beautiful: It's just one huge python file. we can divide it based on command groups.
- Screen recording feature: Screen record with all events and hooks that is stored on the database. This help the analyzer to playback all the events that 4A has captured.
- Auto Interaction: Make random or intelligence input for application.
- Hook All: One command for all hooks.
- any other idea...