MARA is a mobile application reverse engineering and analysis framework. It is a collection of commonly used mobile application reverse engineering and analysis tools integrated together to assist in testing mobile applications against the OWASP mobile security threats. Its primary objective is to make this task easier and friendlier to mobile application developers and security professionals.
- APK Reverse Engineering
- APK Analysis
- Parsing smali files for analysis via smalisca.
- Dump apk assets,libraries and resources.
- Extracting certificate data via openssl.
- Extract strings and app permissions via aapt.
- Identify methods and classes via ClassyShark.
- Scan for apk vulnerabilities via androbugs.
- Analyze apk for potential malicious behaviour via androwarn.
- Identify compilers, packers and obfuscators via APKiD.
- Extract execution paths, IP addresses, URL, URI, emails via regex.
- APK Manifest Analysis
- Extract Intents.
- Extract exported activities.
- Extract receivers.
- Extract exported receivers.
- Extract Services.
- Extract exported services.
- Check if apk is debuggable.
- Check if apk allows backups.
- Check if apk allows sending of secret codes.
- Check if apk can receive binary SMS.
Installing MARA on Linux/Nethunter
Watch the MARA install guide video:
In order to make updating MARA easier, it now ships with an update script that once executed, will pull the most recent version from github and replace the files the ones stored locally. The script will not interfere with the data folder where the analysis files reside. Simply execute ./update.sh and you are good to go. The update script will also run the new setup file that’s been downloaded to ensure that the dependencies for the new tools are met.
After meeting all the requirements. If you run ./mara.sh –help you should see the MARA help menu as shown below.
All the analysis data and file conversions are stored in the data folder i.e. /MARA_Framework/data/file_name. All the tools included in the Framework can be used standalone, they are all available in the tools folder i.e. /MARA_Framework/tools.
MARA ships with a SSL scanner script that makes use of pyssltest and testssl. The domain SSL scanning component requires an active internet connection. The standalone SSL scanner can be run using the command ./ssl_scanner.sh and follow the instructions displayed.
The findings from the scan are dumped in the domain scans folder i.e. /MARA_Framework/data/domain_scans/
While analyzing APK files, MARA provides the option of scanning domains found in the apk using the above mentioned tools. This scan runs in the background and can be skipped. In the event the scan is performed, the user is required to tail the two log files i.e pyssltest.log and testssl.log in /MARA_Framework/data/apk_name/analysis/static/ssl_scan/log/.
- Smali control flow graphs:
MARA is capable of generating control flow graphs from smali code. This is achieved by utilizing Smali-CFGs. The graph generation is optional and can be time consuming depending on the size of the android app being analyzed. The graphs are stored in two folders i.e. apktool_cfg and baksmali_cfg respectively in the location /MARA_Framework/data/file_name/smali/
The graph generation runs in the background and you can check its completion by tailing the log files apktool_cfg.log and baksmali_cfg.log in the location mentioned above.
- Progress monitoring:
- The analysis data dumped by MARA will be located at data/app_name folder.
- Where applicable, each space character on the provided file is replaced with a respective underscore character.
- You can monitor the APK deobfuscation process by tailing data/app_name/source/deobfuscated/deobf.log
- You can monitor the smali CFG generation by tailing these two files i.e. data/app_name/smali/apktool_cfg.log and data/app_name/smali/baksmali_cfg.log
- You can monitor the domain ssl scan by tailing these two log files data/app_name/analysis/dynamic/ssl_scan/logs/pyssltest.log and data/app_name/analysis/dynamic/ssl_scan/logs/testssl.log