SUPER Android Analyzer

SUPER is a command-line application that can be used in Windows, MacOS X and Linux, that analyzes .apk files in search for vulnerabilities. It does this by decompressing APKs and applying a series of rules to detect those vulnerabilities.

But, why create a new analyzer? Is it not enough with MobSF, Qark, Androbugs…? Well, we think it’s not enough. All of them have two main issues we wanted to fix: They are written in Java or Python and they are not easily extensible. They are not meant to be used by businesses directly working in Android analysis and don’t put that kind of functionality first.

Our approach solves those issues in different ways: We first decided to use Rust as our programming language. The language developed openly by Mozilla Foundation gives us lots of utilities to work with regular expressions, files etc. and, most importantly, it enables us to create a secure software that does not depend in JVM or JIT compilers. With Rust, stack overflows, segmentation faults etc. are directly not possible, which makes sense in a security-centered application. And it also gives us enough power to do efficient analysis, giving us the option to automate it in high volume. This is given by Rust zero-cost abstractions, that gives us an efficiency only comparable to C/C++.

And secondly, we decided to make the software 100% extensible: All rules are centered in a rules.json file, and each company or tester could create its own rules to analyze what they need. It’s also modular so that new developments can easily add new functionality. Finally, a templating system for results reports gives users the ability to personalize the report.

It also gives great code review tools, directly in the HTML report, so that anyone can search through the generated code with syntax highlighting for even better vulnerability analysis.

Use

USAGE:

    super [FLAGS] [OPTIONS] <package>



FLAGS:

        --bench       Show benchmarks for the analysis

        --force       If you'd like to force the auditor to do everything from the beginning

    -h, --help        Prints help information

        --html        Generates the reults in HTML format

        --json        Generates the reults in JSON format

        --open        Open the report in a browser once it is complete

    -q, --quiet       If you'd like a zen auditor that won't output anything in stdout

    -a, --test-all    Test all .apk files in the downloads directory

    -V, --version     Prints version information

    -v, --verbose     If you'd like the auditor to talk more than necessary



OPTIONS:

        --dex2jar <dex2jar>                    Where to store the jar files

        --dist <dist>                          Folder where distribution files will be extracted

        --downloads <downloads>                Folder where the downloads are stored

        --jd-cmd <jd-cmd>                      Path to the jd-cmd file

        --min-criticality <min_criticality>    Set a minimum criticality to analyze (Critical, High, Medium, Low)

        --results <results>                    Folder where to store the results

        --rules <rules>                        Path to a JSON rules file

        --template <template>                  Path to a results template file

    -t, --threads <threads>                    Number of threads to use, by default it will use one thread per logical CPU core



ARGS:

    <package>    The package string of the application to test

Download

Copyright (C) 2016 SUPERAndroidAnalyzer