• Stars
    star
    134
  • Rank 270,967 (Top 6 %)
  • Language
    Python
  • License
    GNU General Publi...
  • Created over 2 years ago
  • Updated 8 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A tool for automating interactions with Android devices - including ADB, AndroGuard, and Frida interactivity.

πŸ“± A tool for automating interactions with Android devices - including ADB, AndroGuard, and Frida interactivity. ⬇️


AutoDroid is a Python tool for programmatically scripting bulk interactions with one or more Android devices. Possible uses include:

  • Downloading and extracting all APKs from all connected devices. βš™οΈ
  • Testing a developed application on multiple devices at once. πŸ“²
  • Testing potential malware against a suite of AV products. ☒️

πŸ’ͺ Getting Started

To use AutoDroid you will need to install the dependencies, these are specified in the requirements file and can be installed by following the below command.

pip install -r REQUIREMENTS.txt

AutoDroid needs to be provided a valid Json configuration file as a command line argument. The below shows a simple configuration file example that will retrieve all applications from all connected devices one at a time and extract the APKs to zips using AndroGuard.

{
  "devices": ["*"],
    "apps": ["*"],
    "commands": ["adb pull !app_path !app_id.apk","reverse: !app_id.apk"]
}

Once you have created a valid AutoDroid configuration file you can begin device interaction by running the AutoDroid.py python file with the configuration file as it's command line parameter.

python AutoDroid.py example_config.json

🧱 Commands and blocks

The AutoDroid configuration file can be provided with a series of commands to execute on the target devices, these commands are run locally on your machine and so the programs and files being called must be present. These commands can be in either a list format (as can be seen in the example above) or as a key value pair map/ dict. These key value pairs are defined as blocks of commands, where the key is the block name and the value is a list of commands. The constant (described below) block:<block name> can be used to run a block and provides a simple loop/ call-back feature. An example of using blocks can be seen below.

{
  "devices": ["*"],
    "apps": ["*"],
    "commands": {
      "test_user_input":["adb -s !device_id shell monkey -v 5 -p !app_id"],
      "retrieve_apk":["adb -s !device_id pull !app_path !app_id.apk","sleep:5"]
    }
}

πŸ“± Devices and apps

Two additional fields that are instrumental to AutoDroid are the devices and apps fields. These fields define the adb device ID for the device(s) being targeted (a list of strings) and the application reverse domain notation name (i.e. com.example.application) for the applications being targeted on the device (a list of strings). Both of these fields can be empty, a list of strings, or defined as * where all available devices and apps will be targeted. In the backend the way this works is when a value is provided in these fields the program will loop through all commands in order for each application on each device. An example of specifying a specific device and app can be seen below:

{
  "devices": ["09261JEC216934"],
    "apps": ["com.google.android.networkstack.tethering"],
    "commands": ["adb -s !device_id pull !app_path !app_id.apk"]
}

When the devices field is not empty (i.e. not "devices":[],) a variable (see below) of !device_id is created. This variable can be used in your commands to denote the ADB device ID for the current targeted device. Similarly the variables !app_id, and !app_path are added when the app field is not empty and can be used in commands to define the app reverse domain notation name and the path to that application's APK file.

πŸ“£ Variables

To save time, AutoDroid allows for an infinite amount of variables to be set in a script. These variables are constructed in a key value pair format. When the key of a variable is located in a command it will be replaced for the value. An example configuration that utilises variables can be seen below, in this configuration file the variable !test has been added as short hand for a monkey adb command and the built-in variable !app_id is also used.

{
  "devices": ["*"],
    "apps": ["*"],
    "variables": {"!test": "adb -s !device_id shell monkey -v 500 -p"},
    "commands": ["!test !app_id"]
}

The preferred standard for using variables is to precede them with a ! and to use _ instead of spaces.

Setting variables at runtime

Variables can be set at runtime using the ? operator. Where the operator followed by a variable name is set to either what the following commands output is or if the command has no output the command itself. An example can be seen below:

{
  "devices": [],
    "apps": [],
    "commands": ["?!files dir", "print: !files"]
}

Reserved variables

The below is a list of reserved variables that are already used in AutoDroid and should be avoided from adding to your config file. If these variables are added they will be overwritten at runtime.

  • !device_id - When one or more devices are provided in the config, this variable is populated at runtime. And is set as the ADB device ID for the current device. Each device is looped through in turn with the configured commands being run for each device.
  • !adb_connect – This is a shorthand variable that translates to adb -s !device_id, using this instead of adb will insure that all adb commands are run on the correct device.
  • !app_id - When one or more apps are provided in the config, this variable is populated at runtime. And is set as the application reverse domain notation name (i.e. com.example.myapplication) for the current application. Each application is looped through in turn with the configured commands being run for each app.
  • !app_path - Similar to the above. When one or more apps are provided in the config, this variable is populated at runtime. And is set as the path to the current application APK file on the target device. Each application is looped through in turn with the configured commands being run for each app.

πŸ“’ Constants

Constants are commands specific to AutoDroid and relate to specific functionality. Normally broken down into a keyword followed by a : and then one or more parameters separated by a ;. These constants must be used at the start of a command and should always be in lower case. Examples will be given in the individual sections.

Frida

AutoDroid has built in functionality to run Frida JavaScript files as part of an AutoDroid run. This constant is defined as frida: and must be provided the path to the JavaScript file being used, followed by a ; and then the application reverse notation name of the application being targeted. In addition to applying variables to the command, variables are also applied to the contents of the file provided.

{
  "devices": ["*"],
    "apps": ["*"],
    "commands": ["frida:myJavascript.js;!app_id"]
}

note while the Frida integration is implemented, it is currently untested.

AndroGuard

AutoDroid supports reverse engineering APKs via AndroGuard. This constant is structured as reverse: and takes a path to a locally stored APK. Using this will save an unbundled version of the APK as a ZIP with the name <application name>.apk.

{
  "devices": ["*"],
    "apps": ["*"],
    "commands": ["adb -s !device_id pull !app_path !app_id.apk","reverse: !app_id.apk"]
}

When using the reverse constant the apk path can be followed by any number of paramiters (seperated by a ;), these including info (which will save a Json file of application information, decompile (which on Linux will save a txt summary of the decompiled methods), manifest (which will save the xml manifest file, and zip which will perform the same action as if no paramiters were provided and saves the unbundled APK to a zip file. An example of using these parameters can be seen below:

{
  "devices": ["*"],
    "apps": ["*"],
    "commands": {
      "get_app": ["adb -s !device_id pull !app_path !app_id.apk"],
      "reverse_app":["reverse: !app_id.apk;info",
                     "reverse: !app_id.apk;manifest;decompile"]
    }
}

Sleep

This constant provides simple functionality for pausing execution of the tooling for a specific amount of time. This constant is structured as sleep: followed by the amount of seconds to wait.

{
  "devices": ["*"],
    "apps": ["*"],
    "commands": ["adb pull !app_path !app_id.apk","sleep:5"]
}

Block

The block constant provides simple looping and call-back functionality. This constant is structured as block: followed by the name of the block of commands to execute. If no blocks have been provided (i.e. commands have been provided in a list format), then commands are added to a block called main.

{
  "devices": ["*"],
    "apps": ["*"],
    "commands": {
      "test_user_input":["adb shell monkey -v 5 -p !app_id"],
      "retrieve_apk":["adb pull !app_path !app_id.apk"],
      "test_again": ["block: test_user_input","sleep:5"]
    }
}

Find

The keyword 'find' followed by a path to an apk and a regex string to find will both print to the console the path to the apk and the string found if they are present in an APK. This can be used in conjunction with other commands to run the find strings in all processed apps. An example of this can be seen below:

{
  "devices": ["*"],
    "apps": ["*"],
    "commands": ["adb pull !app_path !app_id.apk","find: !app_id.apk;my_string"]
}

Print

Another simple constant. The print: constant can be used to print a message to the console. An example of using this can be seen below:

{
  "devices": ["*"],
    "apps": ["*"],
    "commands": ["print: device id !device_id, app id !app_id, app path !app_path"]
}

Write

The write constant allows for a variable or command to be written to a file. Used with the write: string followed by the file to write to, followed by a ;, and then the command or variable to write to the file.

{
  "devices": ["*"],
    "apps": ["*"],
    "commands": {
      "get_stats": ["?!stats device id !device_id, app id !app_id, app path !app_path"],
      "write_stats": ["write: !device_id-!app_id-stats.txt;!stats"]
    }
}

Read

The read: constant is provided a path to a file to read, followed by a ;, and then the variable to save the output to. This variable can be a newly declared or existing variable.

{
  "devices": [],
    "apps": [],
    "commands": ["read:test.txt;!data","print: !data"]
}

Append

Similar to write. The append constant allows for a variable or command to be written to a file. Used with the append: string followed by the file to write to, followed by a ;, and then the command or variable to write to the file. Unlike write which will create or write over an existing file, append will only add to an existing file. If the file does not exist then AutoDroid will error.

{
  "devices": ["*"],
    "apps": ["*"],
    "commands": ["append:test.txt;!app_id !app_path"]
}

πŸ“š More complex configs

Malware analysis

The below is an example of using AutoDroid to test potential malware on Android devices. This config installs the potential malware, records the screen, retrieves the screen capture, and uninstalls the application.

{
  "devices": ["*"],
    "apps": [],
    "commands": {
      "record_screen": ["adb shell screenrecord /data/local/tmp/test.mp4 --time-limit 120"],
      "install_eicar":["adb install com.fsecure.eicar.antivirus.test.apk"],
      "user_input":["adb shell monkey -p com.fsecure.eicar.antivirus.test -v 1","sleep: 20"],
      "uninstall": ["adb uninstall com.fsecure.eicar.antivirus.test"],
      "get_video": ["adb pull /data/local/tmp/test.mp4", "sleep: 20","adb shell rm /data/local/tmp/test.mp4"]
    }
}

Application reverse engineering

The below is an example of using AutoDroid's implementation of AndroGuard to reverse engineering an APK off a device and retrieve a json of info about the app, a decompiled summary of methods, the xml manifest file, and an unbundled zip file of the APK.

{
  "devices": ["*"],
    "apps": ["me.jamesstevenson.onelist"],
    "commands": {
      "get_app": ["adb pull !app_path !app_id.apk"],
      "reverse_app":["reverse: !app_id.apk;info;decompile;manifest;zip"]
    }
}

βž• More on AutoDroid

πŸ“œ License

GNU General Public License v3.0

More Repositories

1

Awesome-Android-Reverse-Engineering

A curated list of awesome Android Reverse Engineering training, resources, and tools.
705
star
2

Obfu-DE-Scate

Obfu[DE]scate is a de-obfuscation tool for Android APKs that uses fuzzy comparison logic to identify similarities between functions, even if they have been renamed as part of obfuscation. It compares two versions of an APK and generates a mapping text file and an interactive HTML file as outputs!
Python
157
star
3

Monocle

Tooling backed by an LLM for performing natural language searches against compiled target binaries. Search for encryption logic, password strings, vulnerabilities, etc.
Python
128
star
4

DroidDetective

A machine learning malware analysis framework for Android apps.
Python
112
star
5

PocketSmali

A modular and extendable Python tool for emulating simple SMALI code.
Python
83
star
6

DISintegrity

A tool for analysing Android APKs and extracting root, integrity, and tamper detection checks.
Python
57
star
7

Tweezer

A binary analysis tool for identifying unknown function names, using a word-2-vec model
Python
50
star
8

AutoCorpus

AutoCorpus is a tool backed by a large language model (LLM) for automatically generating corpus files for fuzzing.
Python
47
star
9

Broken-Droid-Factory

BDF is a Python tool designed to spin-up pseudo random vulnerable Android applications for training when it comes to vulnerability research, ethical hacking, and pen testing on Android apps.
Python
38
star
10

ThingFinder

ThingFinder is a tool designed to facilitate searching and analysing code, whether it's source code or compiled binary executables. It provides a modular interface for adding new parsers for identifying new 'things'.
Python
33
star
11

Awesome-Binary-Analysis-Automation

A curated list of awesome binary analysis automation training, resources, and tools.
19
star
12

Tamper

An Android application, designed as a reference point, that implements an array of tamper and root detection methods - inspired by Google Play Safety Net.
Java
13
star
13

RUNIC

πŸ“± RUNIC tamper detection demo - designed to serve as a parallel for understanding more complex tamper detection and integrity systems such as Google Play SafetyNet and Huawei Safety Detect.
Java
12
star
14

CyberTruck-2019-Android-CTF-Writeup

This is a write-up for the Now Secure Android reverse engineering CTF based on analysing a car key-less application. ... It has nothing to do with the Tesla CyberTruck.
JavaScript
11
star
15

GhidraBridge

A Python interface for automating Ghidra tasks.
Python
8
star
16

Hunch

A Predictive Policing and Threat Aggregation toolset. This modular toolset, powered by Natural Language Processing and Open Source Intelligence, is designed to provide the user with actionable data including: signals, pivots, and risk levels.
Python
6
star
17

user1342

5
star
18

Just-Another-Differ

πŸ”Ž Function Change Differ | A diffing tool for binary files when comparing obfuscated and changed function contents between versions πŸ› οΈ
Python
3
star
19

Secure-App-Demo

An Android application designed to demonstrate insecure application security issues.
Java
2
star
20

Storage

A simple file explorer app for viewing and sharing files on android external storage.
Java
1
star
21

Android-Messenger-App-CTF-Writeup

A write-up and guide on the Android CTF challenge created by Mason CC.
Smali
1
star
22

WargamesAI

Professional Wargaming LLM Toolbox
Python
1
star
23

SFC

Simple Folder Comparison
Python
1
star
24

One_List

A basic list making application written for Android. Saves list items to external storage as filenames and makes use of run time permissions.
Java
1
star
25

OWASP-MSTG-Android-CrackMe-Walkthrough

The OWASP MSTG Android CrackMe is a series of Android applications with hidden flags designed to develop Java and Native reverse engineering skills.
Smali
1
star
26

conjecture

Evaluating the likelihood of data points in a LLM's training set
Python
1
star