How to Improve Your Android & IOS Static Analysis With Nuclei! _ by Just Mobile Security _ Medium

04/07/2024, 16:56 How to Improve Your Android & iOS Static Analysis with Nuclei!
tatic Analysis with Nuclei! | by Just Mobile Security | Medium
How to Improve Your Android & iOS Static

Analysis with Nuclei!
Just Mobile Security · Follow
9 min read · Apr 29, 2024
Listen Share
TL;DR: In this post, we will cover how to statically analyze Android and iOS
applications using Nuclei. We’ll start:
1. Downloading and obtaining the APK/IPA files from the device.
2. How to properly decompile them, and how to create Nuclei templates to find
common vulnerabilities like hardcoded Google API keys within the source code,
etc.
3. Finally, we’ll demonstrate executing these templates to obtain results.
https://medium.com/@justmobilesec/how-to-improve-your-android-ios-static-analysis-with-nuclei-d44f3daa9cee 1/23
04/07/2024, 16:56 How to Improve Your Android & iOS Static Analysis with Nuclei! | by Just Mobile Security | Medium
TL;DR 2: For this practical guide we will use two applications developed by the Just
Mobile Security team, one for iOS and one for Android. Additionally, we will show
how to use additional templates available out of the box with the Nuclei repository.
What is Nuclei?
Nuclei is a vulnerability scanner based on templates that lead to zero false positives
and provide fast scanning. If you want to analyze Android or iOS applications,
Nuclei is a great tool to easily find security vulnerabilities by using predefined or
custom YAML/JSON templates.
These templates can target specific vulnerabilities related to mobile applications,

such as hardcoded sensitive information, misconfigurations, and more. Nuclei has
high-performance scanning capabilities and a library of templates developed and
maintained by its community. Nuclei is the perfect tool for automating security
checks in mobile applications and testing that applications are analyzed to find
common vulnerabilities efficiently.
Android Prerequisites
Android Device/Emulator with root access.
ADB Android Debug Bridge
APKTool
Nuclei
iOS Prerequisites
iOS device with jailbreak (you can check our post performing a Jailbreak with
Palera1n in six steps!)
Frida & Frida-Tools (you can check our latest post talking about Frida)
Download the latest frida-ios-dump
Download the latest version of iProxy: iProxy will allow you to SSH over USB.
IPATool for installing massive apps and Nuclei installed
Installing Nuclei
Nuclei requires at least go1.21 to install successfully. Run the following command to
install the latest version.
Installing GO
1. Remove any previous Go installation by deleting the /usr/local/go folder (if it

exists), then extract the archive you just downloaded into /usr/local, creating a
fresh Go tree in /usr/local/go:
$ rm -rf /usr/local/go && tar -C /usr/local -xzf go1.22.1.linux-amd64.tar.gz
(You may need to run the command as root or through sudo).
Do not untar the archive into an existing /usr/local/go tree. This is known to produce
broken Go installations.
2. Add /usr/local/go/bin to the PATH environment variable.
You can do this by adding the following line to your $HOME/.profile or /etc/profile
(for a system-wide installation):
$ export PATH=$PATH:/usr/local/go/bin
Note: Changes made to a profile file may not apply until the next time you log into
your computer. To apply the changes immediately, just run the shell commands
directly or execute them from the profile using a command such as source
$HOME/.profile.
3. Verify that you’ve installed Go by opening a command prompt and typing the
following command:
$ go version
Confirm that the command prints the installed version of Go.
Installing Nuclei
1. Using Go Install we will install Nuclei
$ go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
2. We add go/bin to the Path.
$ export PATH=$PATH:/home/{user}/go/bin/
3. Let’s check that the Nuclei tool is correctly installed.
$ nuclei -h
Installing iOS Pre-requisites Linux & MacOS

The step number one is different for Linux and MacOS, but steps number two and three are
the same for each platform.
Linux
1. We are going to install the following dependency to get iproxy working
$ sudo apt install libusbmuxd-tools
MacOS
1. We are going to install the following dependency to get iproxy working
$ brew install libimobiledevice
Linux and MacOS same steps

2. We will install Frida (here you can see the post talking about Frida configuration
and installation).
$ pip install frida frida-tools
3. Let’s clone the frida-ios-dump repository and install the requirements
$ git clone https://github.com/AloneMonkey/frida-ios-dump.git
$ cd frida-ios-dump/
$ sudo pip install -r requirements.txt — upgrade
Getting the Applications

This step will be useful if you need to get the application from AppStore or PlayStore
before you start to analyze the applications.
Obtaining the APK from the device (Android)

1. Install the application you want to analyze from the PlayStore.
2. Using ADB we will execute the following commands to obtain the APK
$ adb shell pm list packages | grep <app name>
$ adb shell pm path <package name>
$ adb pull <path>/base.apk
Now we have the APK file and we can continue the process to analyze it with Nuclei.
Obtaining the IPA from the device (iOS)

1. Install the application you want to analyze from the AppStore.
2. Connect your jailbroken device to your computer.
3. On your computer, open a terminal window and run iProxy with the following
parameters:
$ iproxy 2222 44
4. If the application is installed from AppStore, open it and then use the following
frida command in another terminal to know the application name.
$ frida-ps -Uai | grep <app name>
5. Pull a decrypted IPA from a jailbroken device using frida-ios-dump
$ python3 dump.py <app name>
6. Move the decrypted application to your working folder.
7. To get additional information like the internal folder information, Name, Bundle
ID, Version, Data and Binary you can use the following Frida script (check here our
post talking about Frida Configuration)
$ frida -U — codeshare dki/ios-app-info -f <packageName>
General Information from a Nuclei Template

Before we create our first Nuclei template we will first analyze a template that
comes out of the box with the nuclei installation, these templates are developed by
the Nuclei community and are constantly updated.
id: google-api-key
info:
name: Google API key
author: gaurang
severity: low
tags: snippet_vuln
file:
- extensions:
- all
denylist:
- .smali
extractors:
- type: regex
regex:
- "AIza[0-9A-Za-z\\-_]{35}"
Here we can observe multiple information about the template:
id: is the id given to the template which we will use later to call it from Nuclei when
we execute the tool for analyzing the APK
info: is the information about the author of the template and the vulnerability to be
found like name of the vulnerability, author, severity, etc.
file: here is the technical information about the template. We did this conceptual
map to help you understand all the information, related to Nuclei declaration.
Creating a Nuclei Template

Now, we will create a NetworkSecurityConfig template for Android and an
NSAppTransportSecurity template for iOS, because they are similar examples and
easy to understand.
Creating Nuclei Template (Android)
So let’s create our first Nuclei Template, in this case, we will create a template to
look for insecure Network Security Configurations within the Android application’s
code.
1. We will set the template id, in this case, “network-security-config”
2. We will set the general information:
name: Insecure Network Security Config

author: sagu
severity: Medium
3. We will set the files we want to analyze:
extensions:
- xml
4. Then we will set the extractor type and regex to find three different insecure
Network Security Configurations:
The first one is the explicit use of user or system certificates within the
application.
The second one is the explicit use of clear text communications.
The third one is the specification of each domain with clear text enabled.
5. We will set 3 extractors to find these insecure implementations within the

applications code.
extractors:
- type: regex
regex:
- "<certificates src=\"(user|system)\""
- "cleartextTrafficPermitted=\"true\""
- "<domain includeSubdomains=\"(false|true)\">\\s*([^<\\s]+)\\s*</dom
The template should look like this:
id: network-security-config
info:
name: Insecure Network Security Config
author: sagu
severity: Medium
file:
- extensions:
- xml
extractors:
- type: regex
regex:
- "<certificates src=\"(user|system)\""
- "cleartextTrafficPermitted=\"true\""
- "<domain includeSubdomains=\"(false|true)\">\\s*([^<\\s]+)\\s*</dom
Finally, we save the file with the .yaml extension and we are ready to execute it :)
Creating Nuclei Template (iOS)

For the iOS case we will create a template to look for insecure
NSAppTransportSecurity settings within the iOS application’s code, the
NSAppTransportSecurity could be compared with the NetworkSecurityConfig file in
an Android application as we already mentioned.
1. We will set the template id, in this case, “ios-app-transport-security-check”
2. We will set the general information:
name: iOS App Transport Security Configuration Check

author: bananon
severity: Medium
3. We will set the files we want to analyze,
extensions:
- xml
4. Then we will set the extractor type and regex to find four different insecure
NSAppTransportSecurity settings:
1. The first one is the explicit use of insecure HTTP Loads within the application.
2. The second one explicitly allows arbitrary loads.
3. The third one is the specification of each domain that has clear text enabled.
4. The fourth one is the inclusion of the subdomains
Note: The main difference between the Android and the iOS templates is that in the
iOS case, the XML is formatted using multiple-line nested XML format for these
configurations, so in this case we will be searching for the keywords that give us the
hint that a insecure setting could potentially been implemented, later the
confirmation of the vulnerability must be performed manually or implementing
some additional checks using python scripting or your preferred language.
5. We will set up three extractors to find these insecure implementations within the
application code.
extractors:
- type: regex
regex:
- "NSExceptionAllowsInsecureHTTPLoads"
- "NSAllowsArbitraryLoads"
- "NSIncludesSubdomains"
- "NSExceptionDomains"
The template should look like this:
id: ios-app-transport-security-check
info:
name: iOS App Transport Security Configuration Check
author: bananon
severity: Medium
description: Check Info.plist for insecure NSAppTransportSecurity settings
file:
- extensions:
- xml
extractors:
- type: regex
regex:
- "NSExceptionAllowsInsecureHTTPLoads"
- "NSAllowsArbitraryLoads"
- "NSIncludesSubdomains"
- "NSExceptionDomains"
Finally, we save the file with the .yaml extension and we are ready to execute it :)
Finding the Vulnerability with Nuclei (Android)

Now we have everything ready to find vulnerabilities with Nuclei, so let’s start! For
the Android case, we will use the Challenge_3.apk application but if you want to
analyze an application downloaded from the PlayStore you can follow the steps
mentioned in the Obtaining the APK from the device (Android) section.
1. We need to disassemble the APK file, we are going to do this with APKTool (if it’s
your first time using apktool check this publication: Introduction to Smali):
$ apktool d apk_name.apk -o apk_name_dissassambled
2. Now that we have the folder containing all the files of the application we can run
Nuclei to find the vulnerability:
$ echo application | nuclei -t /<path-to-template-folder>
Finding the vulnerability with Nuclei (iOS)

For the iOS case, we will use the Challenge_1_Nuclei.ipa application but if you want
to analyze an application downloaded from the AppStore you can follow the steps
mentioned in the Obtaining the IPA from the device (iOS) section.
1. Convert the .ipa file into .zip file
$ mv application.ipa application.zip
2. Unzip it
$ unzip application.zip
3. Convert all .plist files from “ApplicationName”
$ plutil -convert xml1 Info.plist
At this point, the idea is to walk all the folders looking for *.plist files and convert
them to .xml files.
4. Now that we have the folder containing all the files of the application we can run
Nuclei to find the vulnerability
$ echo Payload | nuclei -t /<path-to-template-folder>
Final Conclusions
The Nuclei tool is really powerful in helping us to analyze Android and iOS apps.
This guide shows just how user-friendly and effective Nuclei is at finding
vulnerabilities.
We hope you see this post as a good practice to start creating your templates to
maintain your applications secure or to make templates for automating the analysis
of your applications!
Stay tuned on Just Mobile Security — Medium and Just Mobile Security — Blog -
If this post was useful for you, share it!

Don’t forget to follow us!
Just Mobile Security | LinkedIn
Juan Urbano Stordeur (@juanurss) / Twitter
This article was written by the Just Mobile Security Team.
Juan Urbano Stordeur Founder & CEO of Just Mobile Security
Juan Martinez Blanco Security Consultant of Just Mobile Security
Follow
Written by Just Mobile Security

237 Followers
We are a company that focuses on the business of mobile applications, their environment and the
information that travels through them.
More from Just Mobile Security
Just Mobile Security
Performing a Jailbreak with Palera1n in six steps!

TLDR: Do you need to make a Jailbreak for newer iOS devices and versions? You are in the right
place! This article will help you to make a…
Jun 8, 2023 62
Deep Links & WebViews Exploitations Part II

TLDR: This post is the second of a two-part series covering Deep Links & WebViews
Exploitations. This article focuses on Deep Links. It…
Feb 22 50 2
Deep Links & WebViews Exploitations Part I

TLDR: This post is the first of a two-part series covering Deep Links & WebViews Exploitations.
This article focuses on WebViews. It…
Jan 18 115
Android Static Analysis Fundamentals: Smali Code Introduction and

Modifications
TL;DR: Discover the power of Smali code, a vital skill for Android app analysis and reverse
engineering apps. Unveil an app’s inner…
Jul 21, 2023 11
See all from Just Mobile Security
Recommended from Medium
Jonathan Mondaut
How ChatGPT Turned Me into a Hacker

Discover how ChatGPT helped me become a hacker, from gathering resources to tackling CTF
challenges, all with the power of AI.
Jun 19 114
n00 🔑
Android Pentesting
Android Penetration Testing is a systematic process used to identify security vulnerabilities in
an Android application. It involves using…
Mar 31 129
Lists
Staff Picks
681 stories · 1109 saves
Stories to Help You Level-Up at Work

Self-Improvement 101
Productivity 101
Alexander Nguyen in Level Up Coding
The resume that got a software engineer a $300,000 job at Google.

1-page. Well-formatted.
Jun 1 10.7K 130
n00 🔑
SSRF:
SSRF- Server Side Request Forgery is a technique used for subverting the application logic
from intended functionality of fetching contents…
Apr 10 1
Deep Links & WebViews Exploitations Part II

TLDR: This post is the second of a two-part series covering Deep Links & WebViews
Exploitations. This article focuses on Deep Links. It…
Feb 22 50 2
Angelo Pio Amirante in InfoSec Write-ups
Android Hacking: Exploiting Broadcast Receiver

Broadcast Receiver
Feb 26 18
See more recommendations

How to Improve Your Android &amp; IOS Static Analysis With Nuclei! _ by Just Mobile Security _ Medium

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

How to Improve Your Android &amp; IOS Static Analysis With Nuclei! _ by Just Mobile Security _ Medium

Uploaded by

Copyright:

Available Formats

04/07/2024, 16:56 How to Improve Your Android & iOS Static Analysis with Nuclei!

tatic Analysis with Nuclei! | by Just Mobile Security | Medium

How to Improve Your Android & iOS Static

1. Downloading and obtaining the APK/IPA files from the device.

3. Finally, we’ll demonstrate executing these templates to obtain results.

These templates can target specific vulnerabilities related to mobile applications,

ADB Android Debug Bridge

Download the latest frida-ios-dump

IPATool for installing massive apps and Nuclei installed

1. Remove any previous Go installation by deleting the /usr/local/go folder (if it

$ rm -rf /usr/local/go && tar -C /usr/local -xzf go1.22.1.linux-amd64.tar.gz

(You may need to run the command as root or through sudo).

2. Add /usr/local/go/bin to the PATH environment variable.

Confirm that the command prints the installed version of Go.

2. We add go/bin to the Path.

3. Let’s check that the Nuclei tool is correctly installed.

Installing iOS Pre-requisites Linux & MacOS

$ sudo apt install libusbmuxd-tools

1. We are going to install the following dependency to get iproxy working

$ brew install libimobiledevice

Linux and MacOS same steps

$ pip install frida frida-tools

3. Let’s clone the frida-ios-dump repository and install the requirements

$ git clone https://github.com/AloneMonkey/frida-ios-dump.git

Getting the Applications

Obtaining the APK from the device (Android)

$ adb shell pm list packages | grep <app name>

$ adb shell pm path <package name>

$ adb pull <path>/base.apk

Obtaining the IPA from the device (iOS)

2. Connect your jailbroken device to your computer.

$ frida-ps -Uai | grep <app name>

5. Pull a decrypted IPA from a jailbroken device using frida-ios-dump

$ python3 dump.py <app name>

6. Move the decrypted application to your working folder.

$ frida -U — codeshare dki/ios-app-info -f <packageName>

General Information from a Nuclei Template

Here we can observe multiple information about the template:

Creating a Nuclei Template

1. We will set the template id, in this case, “network-security-config”

2. We will set the general information:

name: Insecure Network Security Config

3. We will set the files we want to analyze:

The second one is the explicit use of clear text communications.

5. We will set 3 extractors to find these insecure implementations within the

The template should look like this:

Creating Nuclei Template (iOS)

1. We will set the template id, in this case, “ios-app-transport-security-check”

2. We will set the general information:

name: iOS App Transport Security Configuration Check

3. We will set the files we want to analyze,

2. The second one explicitly allows arbitrary loads.

4. The fourth one is the inclusion of the subdomains

The template should look like this:

Finding the Vulnerability with Nuclei (Android)

$ apktool d apk_name.apk -o apk_name_dissassambled

$ echo application | nuclei -t /<path-to-template-folder>

Finding the vulnerability with Nuclei (iOS)

1. Convert the .ipa file into .zip file

3. Convert all .plist files from “ApplicationName”

$ plutil -convert xml1 Info.plist

$ echo Payload | nuclei -t /<path-to-template-folder>

If this post was useful for you, share it!

Juan Urbano Stordeur (@juanurss) / Twitter

How to Improve Your Android & IOS Static Analysis With Nuclei! _ by Just Mobile Security _ Medium

How to Improve Your Android & IOS Static Analysis With Nuclei! _ by Just Mobile Security _ Medium