
Support scanning AAR/JAR #360

Open
ajinabraham opened this issue Sep 1, 2023 · 8 comments

Comments

@ajinabraham
Contributor

APKiD currently supports APK and DEX files. Can the support also be extended to AAR/JAR?
I tried converting AAR/JAR to DEX and scanning with APKiD, but the binary features are not being detected.

@strazzere
Member

strazzere commented Sep 1, 2023 via email

@ajinabraham
Contributor Author

ajinabraham commented Sep 1, 2023

Trying to ID AAR/JAR just like we do on DEX or APK. I did the DEX conversion to see if APKiD can work with the converted DEX format.

(venv-py3.10) ➜  testfiles apkid MTestApp-1.0.0-Android-release-r8.apk 
[+] APKiD 2.1.5 :: from RedNaga :: rednaga.io

[*] MTestApp-1.0.0-Android-release-r8.apk!classes.dex
 |-> anti_vm : Build.FINGERPRINT check, Build.HARDWARE check, Build.MANUFACTURER check, Build.MODEL check, Build.PRODUCT check, possible Build.SERIAL check
 |-> compiler : r8
(venv-py3.10) ➜  testfiles apkid MTestApp-1.0.0-Android-release-r8.aar
[+] APKiD 2.1.5 :: from RedNaga :: rednaga.io
(venv-py3.10) ➜  testfiles apkid MTestApp-1.0.0-Android-release-r8.jar 
[+] APKiD 2.1.5 :: from RedNaga :: rednaga.io

All these binaries share pretty much the same code and compiler but are built differently as APK, JAR and AAR.

@strazzere
Member

strazzere commented Sep 1, 2023 via email

@ajinabraham
Contributor Author

If APKiD does the scanning only at the DEX level, it makes sense not to support additional formats out of the box.

However, here is an example of missed detection from a converted DEX using d8.

(venv-py3.10) ➜  ./d8 --release MTestApp-1.0.0-Android-release-r8.jar
(venv-py3.10) ➜   ls classes.dex 
classes.dex
(venv-py3.10) ➜ apkid classes.dex 
[+] APKiD 2.1.5 :: from RedNaga :: rednaga.io
[*] classes.dex
 |-> compiler : unknown (please file detection issue!)
(venv-py3.10) ➜  ./d8 --release MTestApp-1.0.0-Android-release-r8.aar 
(venv-py3.10) ➜  apkid classes.dex                                                         
[+] APKiD 2.1.5 :: from RedNaga :: rednaga.io
[*] classes.dex
 |-> compiler : unknown (please file detection issue!)

@strazzere
Member

strazzere commented Sep 1, 2023 via email

@enovella
Collaborator

enovella commented Sep 4, 2023

Hi @ajinabraham,

It would be great to add this compiler in APKiD. I don't think I will have the time to work on this in the near future, but maybe someone else wants to dig into it. Thanks for opening the ticket!

Best,
Edu

@dustty0
Contributor

dustty0 commented Sep 8, 2023

The R8 (and/or D8, L8) compiler leaves string artifacts inside the DEX.

eg.

~~R8{"backend":"dex","compilation-mode":"release","has-checksums":false,"min-api":24,"pg-map-id":"5820188","r8-mode":"full","version":"8.0.46"}

Such artifacts can be retrieved by using r8's ExtractMarker feature.

Refs:

Matching signatures like ~~R8 can detect newer dex compilers (I think).
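A standalone Python sketch of the marker-string check described above (added example, not APKiD code or its YARA rule): it scans raw DEX bytes for `~~R8{...}`-style markers, parses the JSON fields, and reports "unknown" when none is present. The DEX fragment is constructed, and the assumption that D8 and L8 use the same prefix layout with their own tool name is mine.

```python
import json
import re
from typing import Dict, List

# Marker prefixes the toolchain embeds as a string in the DEX string table.
# The page shows the "~~R8{...}" form; D8/L8 with the same layout is assumed.
MARKER_RE = re.compile(r"~~(R8|D8|L8)(?=\{)")


def find_compiler_markers(data: bytes) -> List[Dict]:
    """Return every parseable R8/D8/L8 marker found in raw DEX bytes.

    Each result carries the tool name plus the JSON fields of the marker.
    A marker whose JSON is truncated or malformed is skipped, not raised.
    """
    text = data.decode("latin-1")  # byte-preserving; marker JSON is ASCII
    decoder = json.JSONDecoder()
    found = []
    for m in MARKER_RE.finditer(text):
        try:
            fields, _ = decoder.raw_decode(text, m.end())  # parse from '{'
        except json.JSONDecodeError:
            continue
        found.append({"tool": m.group(1), **fields})
    return found


def describe_compiler(markers: List[Dict]) -> str:
    """Summarise markers the way a compiler detection line would report them."""
    if not markers:
        return "unknown"
    parts = []
    for mk in markers:
        mode = mk.get("compilation-mode", "?")
        version = mk.get("version", "?")
        r8_mode = mk.get("r8-mode")
        extra = f", {r8_mode} mode" if r8_mode else ""
        parts.append(f"{mk['tool'].lower()} {version} ({mode}{extra})")
    return "; ".join(parts)


# Constructed sample: a DEX magic followed by filler bytes and the marker
# string quoted in the issue, NUL-terminated like a string-table entry.
MARKER = (b'~~R8{"backend":"dex","compilation-mode":"release",'
          b'"has-checksums":false,"min-api":24,"pg-map-id":"5820188",'
          b'"r8-mode":"full","version":"8.0.46"}')
SAMPLE_DEX_FRAGMENT = b"dex\n035\x00" + b"\x00" * 16 + MARKER + b"\x00"

if __name__ == "__main__":
    print(describe_compiler(find_compiler_markers(SAMPLE_DEX_FRAGMENT)))
```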

@CalebFenton
Member

We already do something like this.

https://github.com/rednaga/APKiD/blob/master/apkid/rules/dex/compilers.yara#L178

Anyone want to take a stab at it? I may have time next week.
