Skip to content
This repository has been archived by the owner on Nov 7, 2024. It is now read-only.
/ mallodroid Public archive
forked from sfahl/mallodroid

Find broken SSL certificate validation in Android Apps

License

LGPL-3.0 license
1 star 31 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

stfbk/mallodroid

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

17 Commits
LICENSE
LICENSE
 
 
README.md
README.md
 
 
mallodroid.py
mallodroid.py
 
 

Repository files navigation

MalloDroid

MalloDroid is a small tool built on top of the Androguard reverse engineering framework able to analyze Android apps for broken TLS certificate validation.

This fork is a Python 3 converted and enhanced version of the original MalloDroid combined with the patches provided by @luckenzo.

Installation

In order to use MalloDroid you have to install both Python 3 and Androguard

pip3 install -U androguard

and then clone this git repository by running

git clone https://github.com/stfbk/mallodroid.git

Usage

Once in the right directory, run

./mallodroid.py <parameters>

where

Parameters

  • -h|--help show the help message
  • -f|--file <PATH_TO_APK> analyze the target apk
  • -x|--xml shop XML output
  • -o <PATH_TO_FILE> store the XML output to a file (*New!*)
  • -j|--java show Java code results for non-XML output
  • -d|--dir <DIR> store in DIR decompiled apk's Java code for further analysis

example: ./mallodroid.py -f ExampleApp.apk -x

Internal API (*New!*)

You can now import MalloDroid with import mallodroid and execute it with mallodroid.main(*args).

*args should have:

  • args=['-args','--like','a','bash','call'],

    Demonstrative example:

    mallodroid.main(args=['-f','ExampleApp.apk','-x'])

  • stdout_suppress=False,

    Suppress all output sent to STDOUT. Default to False.

    Demonstrative example:

    mallodroid.main(args=['-f','ExampleApp.apk','-x'],stdout_suppress=True)

  • stderr_suppress=False

    Suppress all output (errors) sent to STDERR. Default to False.

    Demonstrative example:

    mallodroid.main(args=['-f','ExampleApp.apk','-x'],stderr_suppress=True)

Complete example:

import mallodroid

raw_results = mallodroid.main(args=['-f','ExampleApp.apk','-x'],stdout_suppress=False,stderr_suppress=True)

print(raw_results)

License

As mandated by the original script, MalloDroid is free software: you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. You may obtain a copy of the License at

https://www.gnu.org/licenses/lgpl-3.0.html

MalloDroid is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.

About

Find broken SSL certificate validation in Android Apps

Resources

Readme

License

LGPL-3.0 license
Activity
Custom properties

Stars

1 star

Watchers

3 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Python 100.0%