In this article we will learn about Automated Analysis with Inspeckage.
Introduction to Automated Analysis with Inspeckage:
In the previous article of this series, we discussed how to hook into the classes and methods of a given Android application using AndBug. In this article we will discuss another useful utility called Inspectage. Inspectage is an Xposed module that is useful for performing dynamic analysis of Android applications. Be it malware analysis or penetration test, Inspectage looks promising with its prominent features. Inspectage also comes with a built-in web server that can be used to do everything with a simple and nice GUI.
Setting up the review is straightforward if you’ve used the Xposed Framework before.
- Download and install Xposed Framework on your rooted device.
- Next, launch the Xposed app and it looks like the following image.
Click on the Modules button and there shouldn’t be anything here because we haven’t installed any modules yet.
Now we can simply download the Inspectage module from the link below and install it like any other application using adb.
Another way is to use Xposed’s download option and search for Inspectage as shown below.
- We can tap on the module, and we will be greeted with the following window.Click “Download” and “Install” button will appear if the download was successful. This is shown below.Clicking “Install” button, will install the application. You need to accept the permissions requested by Inspeckage during this process.The above figure shows that Inspeckage is successfully installed.
- Now, navigate to the Xposed app and click Modules once again and you should see a new module installed as shown in the figure below.Check the checkbox on the right side of the above picture and perform a soft reboot for the changes to take effect. We can do it by navigating to Framework function in Xposed and tapping on Soft Reboot button. This is shown below.
Finally, we are there! After the reboot, tap on the Inspeckage module under Modules section of Xposed and you should see the following window. Here, we can see the list of applications installed on the device.
We can also choose the application to be analyzed. I chose an application called “Secure Store,” which is an intentionally created vulnerable application by me.
Click on “Launch App” to go through the full functionality of the app. When the target application starts, Inspectage will monitor the calls made by the application. We can also hook into methods by specifying the class name and method name and then keep track of the arguments passed along with the return values. We will see how to do this later in this article.
In addition, the above window also displays the address that can be used to access the user interface. This is shown below.
Accessing the user interface we will be greeted with results with different sections as shown in the image above. In the next parts of the article, we will discuss some of the parts that are marked above.
We see basic information about the application, which includes the backup attribute, the package name, and the location of the data directory. Interestingly, clicking the “Tree View” button gives us a view of what’s available in the app’s application directory. This is shown below.
Then click on the “Package Information” section to see the list of application components used by the application. In our case, we have one exported activity and three unexported activities. We can also forcefully start activities using the “Start Activity” function available here.
Additionally, we can also see the permissions being used by the application as shown in the figure below.
Next, let us move on to SQLite section. This section shows if there are any SQLite queries executed by the application as shown in the figure below.
We may also query content providers using the “Query Provider” feature if any providers are available.
Another section that is highlighted is “Shared Preferences”. Inspectage shows read and write calls separately. The following image shows that the application stores the “auth token” in the userdata.xml file using shared preferences.
Later, the app is also reading the token stored earlier. This is shown in the figure below as entry 27.
If the API level of the application is targeted to be less than 17, this remote code execution vulnerability can be exploited.
Let’s go to the +Hooks tab. This section is interesting because we can add hooks to specific methods and watch what happens when that particular method is run.
Let’s add hooks to two different methods in our application and see how Inspection handles it.
We can get class and method names by reversing the application. “isUserAlreadyLoggedIn” is a method that seemed interesting when examining the source of this application. Add a hook as shown in the image below.
We entered the class name and method name. If you wish to attach constructors as well, you can do so.
Run the application now and if the application calls this method, you should see the arguments and return value as shown in the image below.
As you can see, the method returned “false” and has no arguments.
Now let’s look at an example with method arguments. We will remove the existing hook and add a new one as shown below (you can also have multiple hooks at the same time). “isLoggedIn” is the method name this time, and note that the class name is also different.
Once done, we need run through the application once again, and we should see the arguments as well as return values.
The above figure shows the arguments that are passed to the hooked method. We can also notice that there is a return value “true.”
Similarly, Inspeckage can spot issues under other sections if the app has features triggering those calls.
The Inspectekage module is undoubtedly a very useful tool for dynamic analysis of Android applications. If you are analyzing malware or performing a penetration test, Inspectage is a very good choice to speed up your work. As it is an Xposed module, the way Inspectage performs inspections is definitely powerful and reliable as it has full control over the device and the target app it is analyzing.