MARA - A Mobile Application Reverse Engineering And Analysis Framework

MARA is a mobile application reverse engineering and analysis framework. It is a collection of commonly used mobile application reverse engineering and analysis tools integrated together to assist in testing mobile applications against the OWASP mobile security threats. Its primary objective is to make this task easier and friendlier to mobile application developers and security professionals.

MARA is developed and maintained by @xtian_kisutsa and @iamckn.

Features:

APK Reverse Engineering

Disassembling Dalvik bytecode to smali bytecode via baksmali and apktool.
Disassembling Dalvik bytecode to java bytecode via enjarify.
Decompiling APK to Java source code via jadx.

APK Deobfuscation

APK deobfuscation via [apk-deguard.com].

APK Analysis

Parsing smali files for analysis via smalisca.
Dump apk assets,libraries and resources.
Extracting certificate data via openssl.
Extract strings and app permissions via aapt.
Identify methods and classes via ClassyShark.
Scan for apk vulnerabilities via androbugs.
Analyze apk for potential malicious behaviour via androwarn.
Identify compilers, packers and obfuscators via APKiD.
Extract execution paths, IP addresses, URL, URI, emails via regex.

APK Manifest Analysis

Extract Intents.
Extract exported activities.
Extract receivers.
Extract exported receivers.
Extract Services.
Extract exported services.
Check if apk is debuggable.
Check if apk allows backups.
Check if apk allows sending of secret codes.
Check if apk can receive binary SMS.

Domain Analysis

Domain SSL scan via pyssltest and testssl
Website fingerprinting via whatweb

Security Analysis

Source code static analysis based on OWASP Top Mobile Top 10 and the OWASP Mobile Apps Checklist
MARA is capable of performing either single or mass analysis of apk, dex or jar files.

Installing MARA on Linux/Nethunter

Download MARA:

git clone --recursive https://github.com/xtiankisutsa/MARA_Framework

Installing Dependencies:

MARA ships with a script that assists in downloading and installing the dependencies for each of the tools and components it ships with. Simply run the setup.sh script with sudo privileges and it will install them. If you are using a Mac, simply run the setup_mac.sh script instead.

Watch the MARA install guide video:

Updating MARA:

In order to make updating MARA easier, it now ships with an update script that once executed, will pull the most recent version from github and replace the files the ones stored locally. The script will not interfere with the data folder where the analysis files reside. Simply execute ./update.sh and you are good to go. The update script will also run the new setup file that's been downloaded to ensure that the dependencies for the new tools are met.

After meeting all the requirements. If you run ./mara.sh --help you should see the MARA help menu as shown below.

All the analysis data and file conversions are stored in the data folder i.e. /MARA_Framework/data/file_name. All the tools included in the Framework can be used standalone, they are all available in the tools folder i.e. /MARA_Framework/tools.

APK Deobfuscation:

MARA facilitates the deobfuscation of APK files via apk-deguard.com. You can deobfuscate APKs of any file size without limitations. However, the larger the APK the longer the deobfuscation duration.

MARA ships with a stand alone deobfuscation script that could come in handy for analyzing individual APK files. Simply run ./deobfusctor.sh and point it the APK you would like to deobfuscate. This feature requires an active internet connection.

SSL Scanner:

MARA ships with a SSL scanner script that makes use of pyssltest and testssl. The domain SSL scanning component requires an active internet connection. The standalone SSL scanner can be run using the command ./ssl_scanner.sh and follow the instructions displayed.

The findings from the scan are dumped in the domain scans folder i.e. /MARA_Framework/data/domain_scans/<domain_name>. Please note that pyssltest scanner is intended to be used for scanning domains with SSL enabled. Do not scan IP addresses.

While analyzing APK files, MARA provides the option of scanning domains found in the apk using the above mentioned tools. This scan runs in the background and can be skipped. In the event the scan is performed, the user is required to tail the two log files i.e pyssltest.log and testssl.log in /MARA_Framework/data/apk_name/analysis/static/ssl_scan/log/.

Smali control flow graphs:

MARA is capable of generating control flow graphs from smali code. This is achieved by utilizing Smali-CFGs. The graph generation is optional and can be time consuming depending on the size of the android app being analyzed. The graphs are stored in two folders i.e. apktool_cfg and baksmali_cfg respectively in the location /MARA_Framework/data/file_name/smali/

The graph generation runs in the background and you can check its completion by tailing the log files apktool_cfg.log and baksmali_cfg.log in the location mentioned above.

Progress monitoring:

The analysis data dumped by MARA will be located at data/app_name folder.
Where applicable, each space character on the provided file is replaced with a respective underscore character.
You can monitor the APK deobfuscation process by tailing data/app_name/source/deobfuscated/deobf.log
You can monitor the smali CFG generation by tailing these two files i.e. data/app_name/smali/apktool_cfg.log and data/app_name/smali/baksmali_cfg.log
You can monitor the domain ssl scan by tailing these two log files data/app_name/analysis/dynamic/ssl_scan/logs/pyssltest.log and data/app_name/analysis/dynamic/ssl_scan/logs/testssl.log