Skip to content
This repository has been archived by the owner on Feb 16, 2024. It is now read-only.
/ super Public archive

Secure, Unified, Powerful and Extensible Rust Android Analyzer

superanalyzer.rocks/

License

GPL-3.0 license
422 stars 59 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

SUPERAndroidAnalyzer/super

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

541 Commits
.cargo
.cargo
 
 
.github/ISSUE_TEMPLATE
.github/ISSUE_TEMPLATE
 
 
rpmbuild
rpmbuild
 
 
src
src
 
 
templates/super
templates/super
 
 
vendor
vendor
 
 
.gitignore
.gitignore
 
 
.travis.yml
.travis.yml
 
 
CHANGELOG.md
CHANGELOG.md
 
 
CODE_OF_CONDUCT.md
CODE_OF_CONDUCT.md
 
 
Cargo.lock
Cargo.lock
 
 
Cargo.toml
Cargo.toml
 
 
DCO.txt
DCO.txt
 
 
LICENSE
LICENSE
 
 
PULL_REQUEST_TEMPLATE.md
PULL_REQUEST_TEMPLATE.md
 
 
README.md
README.md
 
 
build.rs
build.rs
 
 
centos_build.sh
centos_build.sh
 
 
clippy.toml
clippy.toml
 
 
config.toml
config.toml
 
 
config.toml.sample
config.toml.sample
 
 
contributing.md
contributing.md
 
 
debian_build.sh
debian_build.sh
 
 
fedora_build.sh
fedora_build.sh
 
 
rules.json
rules.json
 
 
travis-helper.sh
travis-helper.sh
 
 
ubuntu_build.sh
ubuntu_build.sh
 
 

Repository files navigation

SUPER Android Analyzer

Build Status codecov

SUPER Android Analyzer logo

Secure, Unified, Powerful and Extensible Rust Android Analyzer

SUPER is a command-line application that can be used in Windows, MacOS X and Linux, that analyzes .apk files in search for vulnerabilities. It does this by decompressing APKs and applying a series of rules to detect those vulnerabilities.

But, why create a new analyzer? Is it not enough with MobSF, Qark, Androbugs…? Well, we think it's not enough. All of them have two main issues we wanted to fix: They are written in Java or Python and they are not easily extensible. They are not meant to be used by businesses directly working in Android analysis, and don't put that kind of functionality first.

Our approach solves those issues in different ways: We first decided to use Rust as our programming language. The language developed openly by Mozilla Foundation gives us lots of utilities to work with regular expressions, files etc. and, most importantly, it enables us to create a secure software that does not depend in JVM or JIT compilers. With Rust, stack overflows, segmentation faults etc. are directly not possible, which makes sense in a security centered application. And it also gives us enough power to do efficient analysis, giving us the option to automate it in high volume. This is given by Rust zero-cost abstractions, that gives us an efficiency only comparable to C/C++.

And secondly, we decided to make the software 100% extensible: All rules are centered in a rules.json file, and each company or tester could create its own rules to analyze what they need. It's also modular, so that new developments can easily add new functionality. Finally, a templating system for results reports gives users the ability to personalize the report.

It also gives great code review tools, directly in the HTML report, so that anyone can search through the generated code with syntax highlighting for even better vulnerability analysis.

Installation

We have released some binaries in the download page for Windows (8.1+), Linux, and MacOS X. We only have 64-bit packages for now. If you need to use SUPER in a 32-bit system, you will need to compile SUPER from source. For that, you will need to install Rust with rustup.rs.

Note: It requires Java 1.7+ to run.

Usage

SUPER is very easy to use. Just download the desired .apk into the downloads folder (create that folder if necessary) and use the name as an argument when running the program. After the execution, a detailed report will appear in the results folder with that application name. There are a few usage options available: