Search for vulnerabilities in your Android app code

Nov 20, 2015 11:06 GMT

Licensed under the GPL license, the AndroBugs Framework is a free tool developed by Taiwanese security researcher Yu-Cheng Lin, capable of scanning Android applications and uncovering various types of security-related vulnerabilities.

After discovering countless security flaws in the Android applications of some of the world's biggest tech companies, Mr. Lin decided to open-source his personal Android vulnerability scanner, which he had previously built as part of his master’s degree in 2014.

The scanner is called AndroBugs and is different from Android VTS, another vulnerability scanner that we wrote about two weeks ago.

Unlike Android VTS, which is a basic Android app that scans the phones it is run on, AndroBugs is a Python framework that targets app developers only.

AndroBugs makes scanning for security issues an easier, automated task

You can run it on Windows or *NIX systems; it requires Python 2.7.x and MongoDB, and all you need to do is point it at the .apk file (the Android app package) you want to test.

AndroBugs is based on AndroGuard, which it uses to decompile APKs. Based on a preset list of vulnerability vectors, it scans code hotspots to find any potentially vulnerable code, function calls or fields, and then goes to the source function of those issues and reanalyzes the code to confirm its findings.

Once it discovers security issues, AndroBugs will dump data inside the user's terminal, data that holds information on the vulnerability vector's type, code path inside the APK's source, severity level, detailed explanations, mitigation recommendations, and even some reference research papers, if available.
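To make the match-then-confirm flow and the report format described above concrete, here is a small added example. It is not code from AndroBugs or from Mr. Lin's project, and it does not use AndroGuard: it runs over a constructed, pseudo-decompiled listing of methods and their call sites, matches a preset list of vulnerability vectors against those call sites, then re-checks the enclosing method before reporting (for the WebView vector, only if JavaScript is actually enabled in the same method). Each finding carries the fields the article lists: vector type, code path, severity, explanation and mitigation. The method names, call-site strings, vector names and the `arg:` annotation convention are all assumptions made up for this example.

```python
import re
from dataclasses import dataclass

# Constructed pseudo-decompiled output: one entry per method, listing the
# call sites a decompiler would expose. Not real AndroGuard output.
DECOMPILED_METHODS = {
    "com/example/app/WebActivity;->onCreate": [
        "Landroid/webkit/WebSettings;->setJavaScriptEnabled(Z)V  # arg: true",
        "Landroid/webkit/WebView;->addJavascriptInterface(Ljava/lang/Object;Ljava/lang/String;)V",
    ],
    "com/example/app/NetClient;->connect": [
        "Lorg/apache/http/conn/ssl/SSLSocketFactory;->setHostnameVerifier  # arg: ALLOW_ALL_HOSTNAME_VERIFIER",
    ],
    "com/example/app/Safe;->render": [
        "Landroid/webkit/WebSettings;->setJavaScriptEnabled(Z)V  # arg: false",
        "Landroid/webkit/WebView;->addJavascriptInterface(Ljava/lang/Object;Ljava/lang/String;)V",
    ],
}


@dataclass
class Vector:
    name: str
    pattern: str        # regex matched against each call site (the "hotspot" step)
    severity: str
    explanation: str
    mitigation: str


@dataclass
class Finding:
    vector: str
    code_path: str
    severity: str
    explanation: str
    mitigation: str


# Preset list of vulnerability vectors (assumed names and wording).
VECTORS = [
    Vector(
        name="WEBVIEW_JS_INTERFACE",
        pattern=r"addJavascriptInterface",
        severity="Critical",
        explanation="A Java object is exposed to page JavaScript; on old API levels "
                    "its public methods are reachable through reflection.",
        mitigation="Avoid addJavascriptInterface, or require API 17+ and expose only "
                   "methods annotated with @JavascriptInterface.",
    ),
    Vector(
        name="SSL_ALLOW_ALL_HOSTNAME",
        pattern=r"ALLOW_ALL_HOSTNAME_VERIFIER",
        severity="Critical",
        explanation="Hostname verification is disabled, so any valid certificate "
                    "is accepted for any host.",
        mitigation="Use the default hostname verifier or pin the expected certificate.",
    ),
]


def javascript_enabled(call_sites):
    """Confirmation step for the WebView vector: the interface is only a risk
    if the same method also turns JavaScript on (assumed 'arg: true' marker)."""
    return any("setJavaScriptEnabled" in c and "arg: true" in c for c in call_sites)


# Vectors without an entry here are reported on a hotspot match alone.
CONFIRM = {"WEBVIEW_JS_INTERFACE": javascript_enabled}


def scan(methods):
    """Match each vector's pattern against every method's call sites, then
    re-analyse the enclosing method with its confirm function before reporting."""
    findings = []
    for code_path, call_sites in methods.items():
        for vec in VECTORS:
            if not any(re.search(vec.pattern, c) for c in call_sites):
                continue
            confirm = CONFIRM.get(vec.name)
            if confirm is not None and not confirm(call_sites):
                continue  # hotspot matched, but re-analysis ruled it out
            findings.append(Finding(vec.name, code_path, vec.severity,
                                    vec.explanation, vec.mitigation))
    return findings


def render(findings):
    """Terminal-style dump: type, code path, severity, explanation, mitigation."""
    lines = []
    for f in findings:
        lines.append(f"[{f.severity}] {f.vector} at {f.code_path}")
        lines.append(f"    {f.explanation}")
        lines.append(f"    Mitigation: {f.mitigation}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(scan(DECOMPILED_METHODS)))
```

The `Safe.render` method contains the same `addJavascriptInterface` hotspot as `WebActivity.onCreate` but is not reported, because the confirmation step finds JavaScript disabled there; that second pass is what keeps a hotspot scanner from flooding a developer with false positives.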

Lin says that the framework can easily be extended with new vulnerability checking routines and that it can also handle single-app or multi-app checking operations.

For more details, check out Lin's Black Hat Europe presentation, and grab the AndroBugs code from GitHub.
