guizos / saaf Goto Github PK

When analyzing Android Software (good and bad) it becomes apparent that many 
projects use libraries and frameworks for different purposes. 

SAAf should have the capability to efficiently identify these libraries in the 
analyzed apks. Some reasons:

 * False Positive Reduciton: Especially ad-frameworks expose features that might sometimes look suspicious such as access to internet and location. Realiable detection and filtering (if desired) may considerably reduce the number of false positives

 * Workload Reduction: Code that has been identified as belonging to a benign library can be excluded from further analysis improving the throughput of the system.


So far SAAF recognizes several ad-frameworks based on their package structure. 
A better approach would be to identify classes at least based on the pacakge 
name and some sort of hash.

When working with a the decompiled java source and the smali source it is 
really annoying to switch between them. 

This could be improved by having both smali and java open at the same time in 
two editor tabs.

SAAF should detect and report simple obfuscation/mangled classnames.

In order to integrate SAAF with existing infrastructure it must be possible to 
have it run as a daemon that watches a folder for new apks and kicks off an 
analysis for them.

The idea behind doing this via a watched folder and an output folder is that it 
requires far less effort than creating a full fledged client server design with 
an API. In addition it has very little requirements on the software that 
provides the samples.

Right now all lines are left aligned and it is hard to distinguish where a 
method starts or ends. Indentations and background colors on some lines with 
special keywords (eg, .method) would help.

It would be nice, if SAAF could detect that an APK tries to 
exploit a known bug in androids signing functionality:

http://bluebox.com/corporate-blog/bluebox-uncovers-android-master-key/