Home
MARA is a Mobile Application Reverse engineering and Analysis Framework. It is a tool that puts together commonly used mobile application reverse engineering and analysis tools, to assist in testing mobile applications against the OWASP mobile security threats. Its objective is to make this task easier and friendlier to mobile application developers and security professionals.
- Disassembling Dalvik bytecode to smali bytecode via baksmali and apktool
- Disassembling Dalvik bytecode to java bytecode via enjarify
- Decompiling APK to Java source code via jadx
- APK deobfuscation via apk-deguard.com
- Parsing smali files for analysis via smalisca
- Dump apk assets,libraries and resources
- Extracting certificate data via openssl
- Extract strings and app permissions via aapt
- Identify methods and classes via ClassyShark
- Scan for apk vulnerabilities via androbugs
- Analyze apk for potential malicious behaviour via androwarn
- Identify compilers, packers and obfuscators via APKiD
- Extract execution paths, IP addresses, URL, URI, emails via regex
- Extract Intents
- Extract exported activities
- Extract receivers
- Extract exported receivers
- Extract Services
- Extract exported services
- Check if apk is debuggable
- Check if apk allows backups
- Check if apk allows sending of secret codes
- Check if apk can receive binary SMS
- Source code static analysis based on OWASP Top Mobile Top 10 and the OWASP Mobile Apps Checklist
- git clone --recursive https://github.com/xtiankisutsa/MARA_Framework
MARA ships with a script that assists in downloading and installing the dependencies for each of the tools and components it ships with. Simply run the setup.sh script with sudo privileges and it will install them. If you are using a Mac, simply run the setup_mac.sh script instead. To watch the MARA install guide video, please click on this link
In order to make updating MARA easier, it now ships with an update script that once executed, will pull the most recent version from github and replace the files the ones stored locally. The script will not interfere with the data folder where the analysis files reside. Simply execute ./update.sh and you are good to go. The update script will also run the new setup file that's been downloaded to ensure that the dependencies for the new tools are met.
After meeting all the requirements. If you run ./mara.sh --help you should see the MARA help menu as shown below.
All the analysis data and file conversions are stored in the data folder i.e. /MARA_Framework/data/file_name. All the tools included in the Framework can be used standalone, they are all available in the tools folder i.e. /MARA_Framework/tools.
MARA facilitates the deobfuscation of APK files via apk-deguard.com. You can deobfuscate APKs of any file size without limitations. However, the larger the APK the longer the deobfuscation duration.
MARA ships with a stand alone deobfuscation script that could come in handy for analyzing individual APK files. Simply run ./deobfusctor.sh and point it the APK you would like to deobfuscate. This feature requires an active internet connection.
MARA ships with a SSL scanner script that makes use of pyssltest and testssl. The domain SSL scanning component requires an active internet connection. The standalone SSL scanner can be run using the command ./ssl_scanner.sh and follow the instructions displayed.
The findings from the scan are dumped in the domain scans folder i.e. /MARA_Framework/data/domain_scans/<domain_name>. Please note that pyssltest scanner is intended to be used for scanning domains with SSL enabled. Do not scan IP addresses.
While analyzing APK files, MARA provides the option of scanning domains found in the apk using the above mentioned tools. This scan runs in the background and can be skipped. In the event the scan is performed, the user is required to tail the two log files i.e pyssltest.log and testssl.log in /MARA_Framework/data/apk_name/analysis/static/ssl_scan/log/
MARA is capable of generating control flow graphs from smali code. This is achieved by utilizing Smali-CFGs. The graph generation is optional and can be time consuming depending on the size of the android app being analyzed. The graphs are stored in two folders i.e. apktool_cfg and baksmali_cfg respectively in the location /MARA_Framework/data/file_name/smali/
The graph generation runs in the background and you can check its completion by tailing the log files apktool_cfg.log and baksmali_cfg.log in the location mentioned above.
- The analysis data dumped by MARA will be located at data/app_name folder.
- Where applicable, each space character on the provided file is replaced with a respective underscore character.
- You can monitor the APK deobfuscation process by tailing data/app_name/source/deobfuscated/deobf.log
- You can monitor the smali CFG generation by tailing these two files i.e. data/app_name/smali/apktool_cfg.log and data/app_name/smali/baksmali_cfg.log
- You can monitor the domain ssl scan by tailing these two log files data/app_name/analysis/dynamic/ssl_scan/logs/pyssltest.log and data/app_name/analysis/dynamic/ssl_scan/logs/testssl.log
MARA is still in the very early stages of development. We intend to work on the following features:
- Integrate dynamic mobile application analysis
- Rewrite the MARA Framework in python
- Integrate iOS, Blackberry and Windows phone application analysis
- Develop web panel to display data
- Include additional disassembly and analysis tools
These are the people who have assisted in ensuring the success of this tool's capabilities.
- Chrispus - @iamckn - https://www.ckn.io (co-developer)
- Ajin - @ajinabraham - Mobile Security Framework - MobSF
- Munir - @muntopia - http://munir.skilledsoft.com/
- Gabby - @_V1VI - https://thevivi.net
- AfricaHackOn Team - @AfricaHackon - http://africahackon.com
A lot of the tools integrated into MARA belong to their respective authors. We would like to thank each and every one of them for their amazing work. Developing MARA wouldn't be possible without your awesome tools :)
- Munir - @muntopia - [http://munir.skilledsoft.com/]
- Charles - @icrackthecode - [https://github.com/icrackthecode]
- Ruby - @PurpleR0b0t
MARA Framework is intended to be used for ethical hacking and educational purposes. Ensure consent is provided to allow reverse engineering of the various mobile applications as well as the scanning and interaction with the identified domains/IP addresses.
MARA framework is intended to be free to use by anyone. It is available here on github for contribution and collaboration. The tool is currently licensed under GNU GPL v3 license to allow interested users to copy, distribute and adapt it, provided that the work is attributed to the creators of the framework.