How to Improve Your Android & iOS Static Analysis with Nuclei! | by Just Mobile Security | Medium
TL;DR: In this post we cover how to statically analyze Android and iOS applications with Nuclei: how to obtain and properly decompile them, and how to create Nuclei templates that find common issues such as hardcoded Google API keys in the source code.
https://medium.com/@justmobilesec/how-to-improve-your-android-ios-static-analysis-with-nuclei-d44f3daa9cee
04/07/2024, 16:56
TL;DR 2: For this practical guide we use two applications developed by the Just Mobile Security team, one for iOS and one for Android. We also show how to use the templates that are available out of the box in the Nuclei templates repository.
What is Nuclei?
Nuclei is a fast, template-based vulnerability scanner: each template states exactly what to match, so results are reproducible and false positives are rare rather than impossible. For Android and iOS applications, Nuclei is an easy way to search the unpacked code and resources for known weaknesses using predefined or custom YAML/JSON templates.
Android Prerequisites
Android Device/Emulator with root access.
APKTool
Nuclei
iOS Prerequisites
A jailbroken iOS device (see our post on performing a jailbreak with Palera1n in six steps).
Frida and frida-tools (see our latest post on Frida).
The latest version of iproxy (part of libusbmuxd): it forwards a local TCP port to the device over USB, so you can SSH into the device without Wi-Fi.
Installing Nuclei
Nuclei requires at least Go 1.21 to install successfully, so install Go first and then install the latest Nuclei version with the commands below.
Installing Go
Extract the downloaded archive into /usr/local. Do not untar the archive into an existing /usr/local/go tree: this is known to produce broken Go installations.
Add /usr/local/go/bin to the PATH environment variable. You can do this by adding the following line to your $HOME/.profile or /etc/profile (for a system-wide installation):
$ export PATH=$PATH:/usr/local/go/bin
Note: Changes made to a profile file may not apply until the next time you log into your computer. To apply the changes immediately, run the shell command directly or source the profile file, for example with source $HOME/.profile.
3. Verify that you’ve installed Go by opening a command prompt and typing the
following command:
$ go version
Installing Nuclei
1. Install Nuclei with go install, add the Go binary directory to the PATH and check that the tool runs:
$ go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
$ export PATH=$PATH:/home/{user}/go/bin/
$ nuclei -h
The binary directory is $(go env GOPATH)/bin, so use that path if your GOPATH is not the default.
Linux / MacOS
1. Install the package that provides iproxy (it is part of libusbmuxd): on Linux with your distribution's package manager, on macOS with a package manager such as Homebrew.
2. Inside the frida-ios-dump checkout, install its Python requirements (a virtualenv is preferable to sudo pip):
$ cd frida-ios-dump/
$ sudo pip install -r requirements.txt --upgrade
2. Using ADB, we run the following commands to pull the APK from the device.
Now we have the APK file and we can continue the process to analyze it with Nuclei.
3. On your computer, open a terminal window and run iproxy, forwarding local port 2222 to port 44 on the device (the SSH port used here):
$ iproxy 2222 44
4. If the application was installed from the App Store, open it on the device and then use the following frida command in another terminal to learn the application name.
7. To get additional information (the internal folder structure, name, bundle ID, version, data and binary paths) you can use the following Frida script (check our post on Frida configuration):
Before writing our own, let's dissect a simple file template that looks for hardcoded Google API keys, so the building blocks are clear:
id: google-api-key

info:
  name: Google API key
  author: gaurang
  severity: low
  tags: snippet_vuln

file:
  - extensions:
      - all
    denylist:
      - .smali

    extractors:
      - type: regex
        regex:
          - "AIza[0-9A-Za-z\\-_]{35}"
id: the identifier of the template; we use it later (for example with the -id flag) to select the template when we run Nuclei against the decoded APK.
info: metadata about the template and the issue it finds: the name of the issue, author, severity, tags, etc.
file: the file-protocol block with the technical details. extensions lists which files to scan (all here); denylist excludes extensions (.smali is skipped, so a key embedded as a string constant in the decompiled code is not reported; drop the denylist if you want that coverage); extractors defines how matches are pulled out, here a regex for the AIza... key format. We did this conceptual map to help you understand all the information related to the Nuclei declaration.
So let's create our first Nuclei template. In this case it will look for insecure Network Security Configuration settings in the XML resources of the decoded Android application (the file referenced by android:networkSecurityConfig in the manifest).
extensions:
  - xml
4. Then we set the extractor type and the regexes to find three insecure Network Security Configuration settings:
The first one is an explicit trust anchor on user or system certificates. <certificates src="user"/> lets any CA the user installs intercept the app's TLS traffic; src="system" is the platform default trust store and is only informational on its own.
The second one is cleartextTrafficPermitted="true", whether it is set on the base-config or on a domain-config.
The third one is each domain listed in a domain-config. The regex itself does not know whether the enclosing domain-config permits cleartext (and it misses <domain> elements that omit the includeSubdomains attribute), so each hit must be read together with the element that contains it.
extractors:
  - type: regex
    regex:
      - "<certificates src=\"(user|system)\""
      - "cleartextTrafficPermitted=\"true\""
      - "<domain includeSubdomains=\"(false|true)\">\\s*([^<\\s]+)\\s*</domain>"
id: network-security-config

info:
  name: Insecure Network Security Config
  author: sagu
  severity: medium

file:
  - extensions:
      - xml

    extractors:
      - type: regex
        regex:
          - "<certificates src=\"(user|system)\""
          - "cleartextTrafficPermitted=\"true\""
          - "<domain includeSubdomains=\"(false|true)\">\\s*([^<\\s]+)\\s*</domain>"
Finally, we save the file with the .yaml extension and we are ready to execute it :)
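The three regexes only flag candidates: the <domain> pattern matches every domain in a domain-config whether or not cleartext is enabled there, and a nested domain-config inherits the setting of its parent. The following script, added here as an example and not code from the original post, parses the decoded network security config the way Android does and reports the effective policy: which domains really end up with cleartext permitted and which scopes trust user-installed CAs. The XML is constructed for the example, and the targetSdkVersion (default 28) is an assumption you pass in, since the config file alone does not carry it.

```python
"""Confirm network-security-config hits by evaluating the XML the way Android does.

Added example, not code from the original post. The regex template lists every
<certificates>, cleartextTrafficPermitted="true" and <domain> element it sees; this
script parses res/xml/network_security_config.xml and reports (a) which domains
really end up with cleartext permitted, following the format's inheritance rule
(domain-config -> enclosing domain-config -> base-config -> platform default), and
(b) which scopes trust user-installed CAs. The XML below is constructed for the example.
"""
import xml.etree.ElementTree as ET

# Constructed sample: an insecure domain-config whose nested child inherits cleartext
# (and has no includeSubdomains attribute, so the regex would miss it), a safe domain
# that nevertheless trusts user CAs, and a debug-only user CA trust anchor.
SAMPLE_NSC = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system"/>
        </trust-anchors>
    </base-config>
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">legacy.example.com</domain>
        <domain-config>
            <domain>api.legacy.example.com</domain>
        </domain-config>
    </domain-config>
    <domain-config>
        <domain includeSubdomains="true">secure.example.com</domain>
        <trust-anchors>
            <certificates src="user"/>
        </trust-anchors>
    </domain-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="user"/>
        </trust-anchors>
    </debug-overrides>
</network-security-config>
"""

USER_CA = "trust-anchors/certificates[@src='user']"


def _attr_bool(elem, name):
    """True/False for a boolean attribute, None when absent (meaning: inherit)."""
    value = elem.get(name)
    return None if value is None else value.lower() == "true"


def analyze_nsc(xml_text, target_sdk=28):
    """Return the effective cleartext policy and user-CA trust scopes of a config.

    target_sdk fixes the platform default: cleartext is permitted by default only
    when targetSdkVersion < 28 (Android 9 switched the default to blocked).
    """
    root = ET.fromstring(xml_text)
    base = root.find("base-config")
    base_setting = None if base is None else _attr_bool(base, "cleartextTrafficPermitted")
    effective_base = (target_sdk < 28) if base_setting is None else base_setting

    cleartext_domains = []  # (domain, includeSubdomains)
    user_ca_scopes = []

    def walk(cfg, inherited):
        own = _attr_bool(cfg, "cleartextTrafficPermitted")
        effective = inherited if own is None else own
        domains = [(d.text.strip(), bool(_attr_bool(d, "includeSubdomains")))
                   for d in cfg.findall("domain")]
        if effective:
            cleartext_domains.extend(domains)
        if cfg.find(USER_CA) is not None:
            user_ca_scopes.append("domain-config:" + ",".join(d for d, _ in domains))
        for child in cfg.findall("domain-config"):  # nested configs inherit
            walk(child, effective)

    for cfg in root.findall("domain-config"):
        walk(cfg, effective_base)
    if base is not None and base.find(USER_CA) is not None:
        user_ca_scopes.append("base-config")
    debug = root.find("debug-overrides")
    if debug is not None and debug.find(USER_CA) is not None:
        user_ca_scopes.append("debug-overrides (active only when android:debuggable=true)")

    return {
        "base_cleartext_permitted": effective_base,
        "cleartext_domains": cleartext_domains,
        "user_ca_trust": user_ca_scopes,
    }


if __name__ == "__main__":
    report = analyze_nsc(SAMPLE_NSC)
    print("App-wide cleartext permitted:", report["base_cleartext_permitted"])
    for domain, subdomains in report["cleartext_domains"]:
        print(f"Cleartext allowed for {domain} (includeSubdomains={subdomains})")
    for scope in report["user_ca_trust"]:
        print("User-installed CAs trusted in", scope)
```

Run it against the file apktool produced under res/xml instead of SAMPLE_NSC; a user-CA trust anchor under debug-overrides only matters if the shipped build is debuggable, so the report says so rather than rating it as a finding.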
extensions:
  - xml
4. Then we set the extractor type and the regexes to find four NSAppTransportSecurity keys that can weaken App Transport Security:
NSExceptionAllowsInsecureHTTPLoads: an explicit exception that allows insecure HTTP loads for a domain.
NSAllowsArbitraryLoads: disables ATS for every connection when set to true.
NSIncludesSubdomains: extends a domain exception to all of its subdomains.
NSExceptionDomains: the dictionary that lists each domain with its own (possibly weakened) rules, including any domain with cleartext enabled.
Note: The main difference between the Android and the iOS templates is that in the iOS case the configuration is a multi-line nested XML structure (a <key> followed by its <true/>, <false/> or <dict> value on the following lines), so here we search for the keywords that hint that an insecure setting may have been implemented. A hit is not a confirmed vulnerability (NSAllowsArbitraryLoads may well be set to <false/>); the confirmation must be performed manually or by implementing additional checks in Python or your preferred language.
5. We set up one regex extractor with these four patterns to find the candidate settings within the application files:
extractors:
  - type: regex
    regex:
      - "NSExceptionAllowsInsecureHTTPLoads"
      - "NSAllowsArbitraryLoads"
      - "NSIncludesSubdomains"
      - "NSExceptionDomains"
id: ios-app-transport-security-check

info:
  name: iOS App Transport Security Configuration Check
  author: bananon
  severity: medium
  description: Check Info.plist for insecure NSAppTransportSecurity settings

file:
  - extensions:
      - xml

    extractors:
      - type: regex
        regex:
          - "NSExceptionAllowsInsecureHTTPLoads"
          - "NSAllowsArbitraryLoads"
          - "NSIncludesSubdomains"
          - "NSExceptionDomains"
Finally, we save the file with the .yaml extension and we are ready to execute it :)
1. We need to disassemble the APK file; we do this with APKTool (if it's your first time using apktool, check this publication: Introduction to Smali). Besides the smali code, apktool decodes the binary XML resources, including the network security config under res/xml, which is exactly what our file templates read.
2. Now that we have the folder containing all the files of the application, we can run Nuclei with the template against that folder to find the vulnerability:
1. For the iOS application, rename the IPA (it is a ZIP archive):
$ mv application.ipa application.zip
2. Unzip it:
$ unzip application.zip
3. At this point, the idea is to walk all the folders of the unzipped Payload looking for *.plist files and convert them to .xml files. Release builds normally ship Info.plist as a binary plist, and the template only scans files with the xml extension, so without this step Nuclei finds nothing.
4. Now that we have the folder containing all the files of the application, we can run Nuclei with the template against that folder to find the vulnerability.
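Steps 3 and 4 leave two things to the reader that the keyword template cannot do: converting binary plists to XML, and deciding whether the matched keys are actually set to insecure values (the note on the iOS template asks for that confirmation to be done by hand or by script). The following Python script, added here as an example and not code from the original post, does both: it walks the unzipped tree writing every readable *.plist as a .xml copy next to the original, so the template's extensions: xml picks it up, and then evaluates the parsed NSAppTransportSecurity dictionary. The Info.plist contents and the Payload/Sample.app path are constructed for the example.

```python
"""Convert an unpacked IPA's property lists to XML for Nuclei, then confirm ATS findings.

Added example, not code from the original post. plistlib reads both binary and XML
property lists, so the walk works regardless of which format the app shipped; each
converted copy is written next to the original with a .xml suffix so a template with
"extensions: xml" picks it up. evaluate_ats() then reads the parsed dictionary instead
of grepping keywords, so a key that is present but set to false is not reported.
The Info.plist contents are constructed for this example.
"""
import os
import plistlib
import tempfile
from xml.parsers.expat import ExpatError

# Constructed sample: NSAllowsArbitraryLoads is present but false (no finding),
# WebView content may use cleartext, one domain allows plain HTTP, one lowers TLS.
SAMPLE_INFO_PLIST = {
    "CFBundleIdentifier": "com.example.sample",
    "NSAppTransportSecurity": {
        "NSAllowsArbitraryLoads": False,
        "NSAllowsArbitraryLoadsInWebContent": True,
        "NSExceptionDomains": {
            "legacy.example.com": {
                "NSExceptionAllowsInsecureHTTPLoads": True,
                "NSIncludesSubdomains": True,
            },
            "cdn.example.com": {"NSExceptionMinimumTLSVersion": "TLSv1.0"},
            "secure.example.com": {"NSExceptionRequiresForwardSecrecy": True},
        },
    },
}


def convert_plists_to_xml(root_dir):
    """Walk root_dir; write every readable *.plist as <name>.plist.xml; return new paths."""
    written = []
    for dirpath, _, filenames in os.walk(root_dir):
        for name in filenames:
            if not name.endswith(".plist"):
                continue
            src = os.path.join(dirpath, name)
            try:
                with open(src, "rb") as fh:
                    data = plistlib.load(fh)  # detects binary vs XML by itself
            except (plistlib.InvalidFileException, ValueError, ExpatError):
                continue  # not a property list we can parse; leave it alone
            dst = src + ".xml"
            with open(dst, "wb") as fh:
                plistlib.dump(data, fh, fmt=plistlib.FMT_XML)
            written.append(dst)
    return written


def evaluate_ats(info):
    """Return (severity, message) tuples for weak NSAppTransportSecurity settings."""
    findings = []
    ats = info.get("NSAppTransportSecurity") or {}
    if ats.get("NSAllowsArbitraryLoads") is True:
        findings.append(("high", "NSAllowsArbitraryLoads=true disables ATS app-wide"))
    for key in ("NSAllowsArbitraryLoadsInWebContent", "NSAllowsArbitraryLoadsForMedia",
                "NSAllowsLocalNetworking"):
        if ats.get(key) is True:
            findings.append(("medium", f"{key}=true relaxes ATS for that traffic class"))
    for domain, rules in (ats.get("NSExceptionDomains") or {}).items():
        scope = domain + (" (+subdomains)" if rules.get("NSIncludesSubdomains") else "")
        if rules.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            findings.append(("high", f"cleartext HTTP allowed for {scope}"))
        tls = rules.get("NSExceptionMinimumTLSVersion")
        if tls in ("TLSv1.0", "TLSv1.1"):
            findings.append(("medium", f"minimum TLS lowered to {tls} for {scope}"))
        if rules.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(("low", f"forward secrecy not required for {scope}"))
    return findings


def run_demo():
    """Round trip: binary Info.plist in a Payload/ tree -> XML copy -> ATS evaluation."""
    with tempfile.TemporaryDirectory() as tmp:
        app_dir = os.path.join(tmp, "Payload", "Sample.app")  # standard IPA layout
        os.makedirs(app_dir)
        with open(os.path.join(app_dir, "Info.plist"), "wb") as fh:
            plistlib.dump(SAMPLE_INFO_PLIST, fh, fmt=plistlib.FMT_BINARY)
        xml_paths = convert_plists_to_xml(tmp)
        if len(xml_paths) != 1 or not xml_paths[0].endswith("Info.plist.xml"):
            raise RuntimeError("conversion did not produce the expected Info.plist.xml")
        with open(xml_paths[0], "rb") as fh:
            return evaluate_ats(plistlib.load(fh))


if __name__ == "__main__":
    for severity, message in run_demo():
        print(f"[{severity}] {message}")
```

Point convert_plists_to_xml() at the directory where you unzipped the IPA before running Nuclei; the original binary plists stay in place but are ignored by the template because they lack the xml extension.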
Final Conclusions
Nuclei is a really powerful help in analyzing Android and iOS apps. This guide shows how user-friendly and effective it is at finding vulnerabilities once the application has been unpacked into plain files.
We hope you take this post as a starting point for creating your own templates, whether to keep your applications secure or to automate the analysis of the apps you test!
Stay tuned on Just Mobile Security on Medium and on the Just Mobile Security Blog.
Just Mobile Security: We are a company that focuses on the business of mobile applications, their environment and the information that travels through them.
Jun 8, 2023