Vai al contenuto

AndroGuard Cheat Sheet

Panoramica

AndroGuard è uno strumento Python progettato per l'ingegneria inversa e l'analisi di malware di applicazioni Android. Fornisce potenti capacità per analizzare file APK, bytecode DEX e risorse Android.

Installazione

Prerequisiti

```bash

Install Python 3.6+

sudo apt update sudo apt install python3 python3-pip

Install required dependencies

sudo apt install python3-dev libxml2-dev libxslt1-dev zlib1g-dev ```[No content provided]

Installare AndroGuard

```bash

Install from PyPI

pip3 install androguard

Install with optional dependencies

pip3 install androguard[GUI,magic]

Install from source

git clone https://github.com/androguard/androguard.git cd androguard pip3 install -e . ```[No content provided]

Utilizzo Base

Analizzare File APK

```bash

Basic APK analysis

androguard analyze app.apk

Interactive analysis

androguard shell app.apk

Generate analysis report

androguard analyze app.apk --output report.txt ```[No content provided]

Strumenti da Riga di Comando

```bash

APK information

apkinfo app.apk

DEX analysis

dexdump classes.dex

Resource analysis

axml AndroidManifest.xml ```[No content provided]

Utilizzo dell'API Python

Analisi Base

```python from androguard.misc import AnalyzeAPK

Analyze APK

a, d, dx = AnalyzeAPK("app.apk")

Get APK information

print("Package name:", a.get_package()) print("App name:", a.get_app_name()) print("Version:", a.get_androidversion_code()) print("Permissions:", a.get_permissions()) ```[No content provided]

Analisi Avanzata

```python from androguard.core.bytecodes import apk, dvm from androguard.core.analysis import analysis

Load APK

apk_obj = apk.APK("app.apk") dex = dvm.DalvikVMFormat(apk_obj.get_dex()) dx = analysis.Analysis(dex)

Analyze classes and methods

for cls in dx.get_classes(): print(f"Class: \\{cls.name\\}") for method in cls.get_methods(): print(f" Method: \\{method.name\\}") ```[No content provided]

Analisi APK

Informazioni Base

```python

APK metadata

print("Package:", a.get_package()) print("App name:", a.get_app_name()) print("Version code:", a.get_androidversion_code()) print("Version name:", a.get_androidversion_name()) print("Min SDK:", a.get_min_sdk_version()) print("Target SDK:", a.get_target_sdk_version()) ```[No content provided]

Analisi Permessi

```python

Get all permissions

permissions = a.get_permissions() for perm in permissions: print(f"Permission: \\{perm\\}")

Check for dangerous permissions

dangerous_perms = [ "android.permission.READ_SMS", "android.permission.SEND_SMS", "android.permission.ACCESS_FINE_LOCATION", "android.permission.CAMERA" ]

for perm in permissions: if perm in dangerous_perms: print(f"Dangerous permission found: \\{perm\\}") ```[No content provided]

Analisi Certificato

```python

Get certificate information

certificates = a.get_certificates() for cert in certificates: print(f"Certificate: \\{cert\\}") print(f"Subject: \\{cert.subject\\}") print(f"Issuer: \\{cert.issuer\\}") print(f"Serial: \\{cert.serial_number\\}") ```[No content provided]

Analisi Codice

Analisi Metodo

```python

Find specific methods

for cls in dx.get_classes(): for method in cls.get_methods(): if "crypto" in method.name.lower(): print(f"Crypto method: \\{cls.name\\}->\\{method.name\\}") ```[No content provided]

Analisi Stringhe

```python

Extract strings

strings = dx.get_strings() for string in strings: if "http" in string.get_value(): print(f"URL found: \\{string.get_value()\\}") ```[No content provided]

Analisi Riferimenti Incrociati

```python

Find method calls

for method in dx.get_methods(): if method.is_external(): continue

for ref in method.get_xref_from():
    print(f"\\\\{ref.class_name\\\\}->\\\\{ref.method_name\\\\} calls \\\\{method.name\\\\}")

```[No content provided]

Analisi Sicurezza

Analisi Crittografica

```python

Find crypto usage

crypto_methods = [ "javax.crypto.Cipher", "java.security.MessageDigest", "javax.crypto.spec.SecretKeySpec" ]

for method in dx.get_methods(): for crypto in crypto_methods: if crypto in str(method.get_method()): print(f"Crypto usage: \\{method.name\\}") ```[No content provided]

Analisi di Rete

```python

Find network operations

network_classes = [ "java.net.URL", "java.net.HttpURLConnection", "okhttp3.OkHttpClient" ]

for cls in dx.get_classes(): for net_class in network_classes: if net_class in str(cls): print(f"Network class: \\{cls.name\\}") ```[No content provided]

Analisi Reflection

```python

Find reflection usage

reflection_methods = [ "java.lang.Class.forName", "java.lang.reflect.Method.invoke" ]

for method in dx.get_methods(): for ref_method in reflection_methods: if ref_method in str(method.get_method()): print(f"Reflection usage: \\{method.name\\}") ```[No content provided]

Rilevamento Malware

Modelli Sospetti

```python

Check for suspicious patterns

suspicious_strings = [ "getDeviceId", "getSubscriberId", "sendTextMessage", "android.intent.action.BOOT_COMPLETED" ]

strings = dx.get_strings() for string in strings: for suspicious in suspicious_strings: if suspicious in string.get_value(): print(f"Suspicious string: \\{string.get_value()\\}") ```[No content provided]

Rilevamento Caricamento Dinamico

```python

Find dynamic loading

dynamic_methods = [ "dalvik.system.DexClassLoader", "dalvik.system.PathClassLoader" ]

for method in dx.get_methods(): for dyn_method in dynamic_methods: if dyn_method in str(method.get_method()): print(f"Dynamic loading: \\{method.name\\}") ```[No content provided]

Analisi Risorse

Analisi Manifest

```python

Parse AndroidManifest.xml

manifest = a.get_android_manifest_xml() print("Manifest content:") print(manifest.toprettyxml())

Get activities

activities = a.get_activities() for activity in activities: print(f"Activity: \\{activity\\}")

Get services

services = a.get_services() for service in services: print(f"Service: \\{service\\}") ```[No content provided]

Estrazione Risorse

```python

Extract resources

for file_name in a.get_files(): if file_name.endswith('.xml'): content = a.get_file(file_name) print(f"XML file: \\{file_name\\}") ```[No content provided]

Funzionalità Avanzate

Analisi Flusso di Controllo

If you would like me to translate the remaining sections, please provide the specific text for each numbered section.```python

Analyze control flow

for method in dx.get_methods(): if method.is_external(): continue

# Get basic blocks
for bb in method.get_basic_blocks():
    print(f"Basic block: \\\\{bb\\\\}")

### Analisi del Flusso di Datipython

Trace data flow

for method in dx.get_methods(): # Get method instructions instructions = method.get_instructions() for instruction in instructions: if instruction.get_name() == "const-string": print(f"String constant: \\{instruction\\}") ### Generazione del Grafo delle Chiamatepython

Generate call graph

import networkx as nx

G = nx.DiGraph() for method in dx.get_methods(): for ref in method.get_xref_from(): G.add_edge(f"\\{ref.class_name\\}.\\{ref.method_name\\}", f"\\{method.class_name\\}.\\{method.name\\}")

Export call graph

nx.write_gml(G, "call_graph.gml") ## Script di Automazionepython

!/usr/bin/env python3

import os import sys from androguard.misc import AnalyzeAPK

def analyze_apk_batch(directory): for filename in os.listdir(directory): if filename.endswith('.apk'): print(f"Analyzing \\{filename\\}") try: a, d, dx = AnalyzeAPK(os.path.join(directory, filename)) print(f"Package: \\{a.get_package()\\}") print(f"Permissions: \\{len(a.get_permissions())\\}") print("-" * 50) except Exception as e: print(f"Error analyzing \\{filename\\}: \\{e\\}")

if name == "main": analyze_apk_batch(sys.argv[1]) ### Analisi in Batchpython

!/usr/bin/env python3

from androguard.misc import AnalyzeAPK

def security_scan(apk_path): a, d, dx = AnalyzeAPK(apk_path)

# Check permissions
dangerous_perms = [
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.ACCESS_FINE_LOCATION"
]

found_perms = []
for perm in a.get_permissions():
    if perm in dangerous_perms:
        found_perms.append(perm)

# Check for crypto usage
crypto_usage = False
for method in dx.get_methods():
    if "crypto" in str(method.get_method()).lower():
        crypto_usage = True
        break

print(f"Dangerous permissions: \\\\{found_perms\\\\}")
print(f"Crypto usage detected: \\\\{crypto_usage\\\\}")

if name == "main": security_scan("app.apk") ### Scanner di Sicurezzabash

Launch GUI

androguard gui

Open APK in GUI

androguard gui app.apk ### AndroGuard GUIbash 1. Basic APK information 2. Permission analysis 3. Code structure review 4. Security pattern detection 5. Malware signature matching 6. Report generation ### Funzionalità - Analisi visiva del codice - Esplorazione interattiva - Visualizzazione di grafi - Capacità di esportazionepython

Use lazy loading for large APKs

from androguard.core.bytecodes.apk import APK a = APK("large_app.apk", raw=False)

Process in chunks for batch analysis

import multiprocessing pool = multiprocessing.Pool() results = pool.map(analyze_apk, apk_list) ```## Best Practice https://github.com/androguard/androguard##

Workflow di Analisi

https://androguard.readthedocs.io/##

Suggerimenti per le Prestazioni

https://owasp.org/www-project-mobile-security-testing-guide/#

Risorse

  • Documentazione Ufficiale: [AndroGuard GitHub](