
Android Archives Watchdog 🐶

Overview

A tool to shift-left sensitive changes on your Android deployable archives

aaw is a command-line tool that combines functionality from apkanalyzer and bundletool.

Its goal is to help you detect newly introduced Android framework components and permissions in your release archives (.apk or .aab), especially transitive ones brought in by 3rd-party project dependencies, following a shift-left approach: the change shows up in review, before it ships.

aaw is distributed as a truly executable fat jar, and it is tested against jdk11, jdk17 and jdk21 on Unix boxes. In addition, this project has end-to-end tests targeting the following Android products with public open-source releases on Github:

Requirements

This tool requires jdk11 or newer and a valid Android SDK installation. aaw inspects the following environment variables when locating your Android SDK installation folder:

  • $ANDROID_HOME
  • $ANDROID_SDK
  • $ANDROID_SDK_HOME

Installing

You can grab executables directly from Github releases. Unzip the archive and add the executable to your $PATH.

Alternatively, there is an asdf-plugin available as well.

Using

The following snippets use ProtonMail releases as examples, in particular versions 3.0.7 (November/2022) and 3.0.17 (October/2023).

Every command supports archives in .apk and .aab formats.

Getting an overview from an Android archive

$> aaw overview -a tmp/ProtonMail-3.0.7.apk

┌────────────────────────────┬───────────────────────┐
│ Attribute                  │ Evaluation            │
├────────────────────────────┼───────────────────────┤
│ Application Id             │ ch.protonmail.android │
├────────────────────────────┼───────────────────────┤
│ Minimum SDK                │ 23                    │
├────────────────────────────┼───────────────────────┤
│ Target SDK                 │ 31                    │
├────────────────────────────┼───────────────────────┤
│ Total Used Features        │ 2                     │
├────────────────────────────┼───────────────────────┤
│ Total Manifest permissions │ 14                    │
├────────────────────────────┼───────────────────────┤
│ Dangerous permissions      │ Yes                   │
├────────────────────────────┼───────────────────────┤
│ Activities                 │ 54                    │
├────────────────────────────┼───────────────────────┤
│ Services                   │ 14                    │
├────────────────────────────┼───────────────────────┤
│ Broadcast Receivers        │ 15                    │
├────────────────────────────┼───────────────────────┤
│ Content Providers          │ 4                     │
└────────────────────────────┴───────────────────────┘

This mimics functionality from apkanalyzer and supports a --json switch for automation purposes.

Generating a baseline from an Android archive

$> aaw generate --archive=tmp/ProtonMail-3.0.7.apk

Baseline available at : ch.protonmail.android.toml

This command will produce a <applicationId>.toml file in the current directory, which is intended to be committed to your VCS. This toml tracks a subset of the information from the related merged AndroidManifest.xml, namely:

Optionally, you can generate a compact version of a baseline by passing "trusted" packages, usually the ones related to your own project structure; components living under a trusted package are left out of the baseline. Those packages must be passed in a single argument, comma (,) separated.

$> aaw generate --archive=tmp/ProtonMail-3.0.7.apk --trusted='ch.protonmail,me.proton.core'

Baseline available at : ch.protonmail.android.toml

$> more ch.protonmail.android.toml

applicationId = "ch.protonmail.android"
permissions = [
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.FOREGROUND_SERVICE",
    "android.permission.GET_ACCOUNTS",
    "android.permission.INTERNET",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.SCHEDULE_EXACT_ALARM",
    "android.permission.USE_BIOMETRIC",
    "android.permission.USE_FINGERPRINT",
    "android.permission.VIBRATE",
    "android.permission.WAKE_LOCK",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "com.google.android.c2dm.permission.RECEIVE"
]
features = [
    "android.hardware.faketouch",
    "android.hardware.screen.portrait"
]
trustedPackages = [
    "ch.protonmail",
    "me.proton.core"
]
activities = [
    "androidx.biometric.DeviceCredentialHandlerActivity",
    "com.google.android.gms.common.api.GoogleApiActivity"
]
 .
 .
 .

Comparing an archive against a baseline

# Considering the baseline file generated in the previous example
$> aaw compare -a tmp/ProtonMail-3.0.17.apk -b ch.protonmail.android.toml

Your baseline file does not match the supplied artifact.

┌─────────────┬───────────────────────────────────────────────────────────────────┬────────────┐
│ Category    │ Finding                                                           │ Missing at │
├─────────────┼───────────────────────────────────────────────────────────────────┼────────────┤
│ Permissions │ android.permission.POST_NOTIFICATIONS                             │ Baseline   │
├─────────────┼───────────────────────────────────────────────────────────────────┼────────────┤
│ Permissions │ android.permission.READ_MEDIA_AUDIO                               │ Baseline   │
├─────────────┼───────────────────────────────────────────────────────────────────┼────────────┤
│ Permissions │ android.permission.READ_MEDIA_IMAGES                              │ Baseline   │
├─────────────┼───────────────────────────────────────────────────────────────────┼────────────┤
│ Permissions │ android.permission.READ_MEDIA_VIDEO                               │ Baseline   │
├─────────────┼───────────────────────────────────────────────────────────────────┼────────────┤
│ Components  │ com.google.android.play.core.common.PlayCoreDialogWrapperActivity │ Baseline   │
├─────────────┼───────────────────────────────────────────────────────────────────┼────────────┤
│ Components  │ androidx.profileinstaller.ProfileInstallReceiver                  │ Baseline   │
└─────────────┴───────────────────────────────────────────────────────────────────┴────────────┘

This example illustrates how to track sensitive changes as part of your Continuous Integration, assuming that you have a snapshot of your releasable archive produced at CI runtime. Every row is something the fresh archive carries that the committed baseline does not know about, so a reviewer sees new permissions and exported components before the release goes out.

compare can also exit with a failure status if a fresh archive does not match an existing baseline, forcing a baseline update as part of a pull/merge request.

$> aaw compare -a tmp/ProtonMail-3.0.17.apk -b ch.protonmail.android.toml --fail

In addition, compare can produce output in json format as well.

$> aaw compare -a tmp/ProtonMail-3.0.17.apk -b ch.protonmail.android.toml --json
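To make the baseline/compare idea concrete, here is an added Python model of what the commands above do; it is not aaw's own (Kotlin) code. It parses the TOML subset shown in the baseline excerpt, drops components under trustedPackages the way --trusted does, and lists what a newer archive carries that the baseline lacks (and, as an assumption about the "Missing at" column, what the baseline lists but the archive dropped). The archive snapshot is constructed from the README's 3.0.17 findings.

```python
import re

# Constructed baseline, trimmed from the README's ch.protonmail.android.toml excerpt
BASELINE_TOML = '''
applicationId = "ch.protonmail.android"
permissions = [
    "android.permission.INTERNET",
    "android.permission.READ_CONTACTS"
]
trustedPackages = [ "ch.protonmail", "me.proton.core" ]
activities = [ "androidx.biometric.DeviceCredentialHandlerActivity" ]
'''

# Constructed snapshot of a newer archive's merged manifest (hypothetical values)
NEW_ARCHIVE = {
    "permissions": {"android.permission.INTERNET",
                    "android.permission.POST_NOTIFICATIONS"},
    "activities": {"androidx.biometric.DeviceCredentialHandlerActivity",
                   "ch.protonmail.android.NewActivity",
                   "com.google.android.play.core.common.PlayCoreDialogWrapperActivity"},
}

def parse_baseline(text):
    """Parse the TOML subset aaw emits: bare keys with a string or a string array."""
    data, key, buf = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if buf is None:                              # expecting `key = value`
            key, _, value = (p.strip() for p in line.partition("="))
            if value.startswith("["):
                buf, line = [], value                # array may span several lines
            else:
                data[key] = value.strip('"')
                continue
        buf.extend(re.findall(r'"([^"]*)"', line))   # quoted strings on this line
        if line.endswith("]"):
            data[key], buf = buf, None
    return data

def is_trusted(name, trusted_packages):
    """A component is trusted when it lives under one of the trusted packages."""
    return any(name == p or name.startswith(p + ".") for p in trusted_packages)

def compare(baseline, archive):
    """Return (category, finding, missing_at) rows; non-empty means `--fail` would exit 1."""
    rows, trusted = [], baseline.get("trustedPackages", [])
    for category, key in (("Permissions", "permissions"), ("Components", "activities")):
        known = set(baseline.get(key, []))
        fresh = {n for n in archive[key] if key != "activities" or not is_trusted(n, trusted)}
        rows += [(category, n, "Baseline") for n in sorted(fresh - known)]  # new in archive
        rows += [(category, n, "Archive") for n in sorted(known - fresh)]   # dropped since baseline
    return rows
```

Anything reported as missing at "Baseline" is the signal worth gating a merge on; a trusted-package component such as ch.protonmail.android.NewActivity is filtered out and never reaches the table.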

Credits

This tool was inspired by the following blog posts and existing tools

License

Copyright (c) 2023 - Dotanuki Labs - The MIT license

Contributors

renovate[bot], ubiratansoares


Issues

Enhancement: support package patterns on baselines

Rather than listing and dumping everything we find inside an artifact, we'd like to trust a few package patterns in order to simplify the baseline with sensitive components to keep on track.

An example of such an extension:

applicationId = "com.my.product.android"
trustedPackages = [
  "com.android.*",
  "com.my.company.*"
]

# More configuration ....

Enhancement: additional output formats when comparing archives with baselines

Right now, compare will output differences between archives and baselines only to stdout, as plain text.

However, it'd be useful to have different (structured) formats, e.g. json, so the output can be post-processed afterward. That would enable an enriched PR decoration, for example. On Github Actions:

aaw compare -a app/build/output/release/my.apk -b my.org.product.toml --json > comparison.json

# Convert with tools like https://github.com/haltcase/tablemark-cli or in bash with jq
markdown=$(convert_to_markdown comparison.json) 

gh pr comment ${{ github.event.pull_request.number }} --body "$markdown" --edit-last

In addition, we could output markdown directly.

Feature: support Android AppBundles

Right now, this tool only supports artifacts packaged in the apk format. In order to support the aab format we can take advantage of bundletool, either as a standalone binary or as a dependency.

Enhancement: provide custom signing key when processing AppBundles

Right now, the approach of converting .aab to a universal .apk with bundletool has a few issues related to apk signing, which generates non-trivial CLI output as part of the execution.

For instance, the default debug.keystore may not be available in the CI environment at runtime, which generates:

WARNING: The APKs won't be signed and thus not installable unless you also pass a keystore via the flag --ks. 
See the command help for more information.

In addition, when available bundletool will also pollute the output with a log:

INFO: The APKs will be signed with the debug keystore found at '<path/to/home>/.android/debug.keystore'.

Eventually both issues can be tackled by supplying a custom signing key to bundletool.

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Repository problems

These problems occurred while renovating this repository. View logs.

  • WARN: File contents are invalid JSON but parse using JSON5. Support for this will be removed in a future release so please change to a support .json5 file name or ensure correct JSON syntax.

This repository currently has no open or pending branches.

Detected dependencies

github-actions
.github/workflows/ci.yaml
  • actions/checkout v4.1.6
  • actions/checkout v4.1.6
  • actions/setup-java v4.2.1
  • gradle/actions v3.3.2
  • gradle/actions v3.3.2
  • actions/upload-artifact v4.3.3
  • actions/checkout v4.1.6
  • actions/setup-java v4.2.1
  • actions/download-artifact v4.1.7
  • actions/checkout v4.1.6
  • actions/upload-artifact v4.3.3
  • ubuntu 22.04
  • ubuntu 22.04
  • ubuntu 22.04
  • ubuntu 22.04
.github/workflows/publish.yaml
  • actions/checkout v4.1.6
  • actions/setup-java v4.2.1
  • softprops/action-gh-release v2.0.5
  • ubuntu 22.04
gradle
gradle.properties
settings.gradle.kts
  • org.gradle.toolchains.foojay-resolver-convention 0.8.0
  • com.gradle.develocity 3.17.4
build.gradle.kts
gradle/libs.versions.toml
  • com.github.ajalt.clikt:clikt 4.4.0
  • com.github.ajalt.mordant:mordant 2.6.0
  • io.arrow-kt:arrow-core 1.2.4
  • com.android.tools:sdklib 31.4.0
  • com.android.tools.apkparser:apkanalyzer 31.4.0
  • com.android.tools.apkparser:binary-resources 31.4.0
  • com.android.tools:repository 31.4.0
  • com.android.tools:sdk-common 31.4.0
  • com.android.tools:common 31.4.0
  • com.android.tools.build:bundletool 1.16.0
  • org.jetbrains.kotlinx:kotlinx-serialization-core 1.6.3
  • org.jetbrains.kotlinx:kotlinx-serialization-core-jvm 1.6.3
  • org.jetbrains.kotlinx:kotlinx-serialization-json 1.6.3
  • net.peanuuutz.tomlkt:tomlkt 0.3.7
  • junit:junit 4.13.2
  • com.google.guava:guava 33.2.0-jre
  • com.google.truth:truth 1.4.2
  • org.jetbrains.kotlin.jvm 1.9.24
  • org.jetbrains.kotlin.plugin.serialization 1.9.24
  • io.gitlab.arturbosch.detekt 1.23.6
  • org.jlleitschuh.gradle.ktlint 12.1.1
  • com.github.johnrengelman.shadow 8.1.1
  • com.adarshr.test-logger 4.0.0


Project basics

  • Simple Gradle project for CLI app
  • Must use the latest version of Gradle
  • Must use the latest version of Kotlin
  • Must use Gradle Version Catalogs
  • Must use ktlint + detekt with standard setup
  • Must have a simple unit test (junit4 + truth)
  • Must have a simple GHA Workflow (with gradle-build-action)
  • Must have configuration for Renovate
  • Must have configuration for jEnv and/or JVM toolchains

Enhancement: improved troubleshooting with verbose executions

It would be nice to have a --debug flag that allows this automation to output all meaningful information related to the processing, especially everything related to analyzing Android archives, e.g.

$> aaw compare -a my.apk -b my.product.android.toml --verbose

Feature: compare a releasable artifact with a baseline

We want a CLI interface like

$> arw --apk path/to/some/app.apk --baseline path/to/arw.toml

which will

  • evaluate information from a releasable artifact (as per #2)
  • compare it with the baseline defined by a .toml file
  • point out critical differences (like new permissions requests or new packages being added)

Open questions

  • what should we do when we detect changes that actually improve on Security (e.g., the app now requests fewer Android permissions)?

Feature: evaluate what is inside a releasable artifact

Provide a CLI to extract information from an .apk or an .aab, so we can list

  • Android permissions used by the app
  • Java packages composing the app
  • Minimum and target Android SDK
  • Etc

$> arw overview --target=path/to/myapp.aab

We'd like to also generate a configuration file arw.toml as long as we can have information about what's inside a releasable:

$> arw generate --target=path/to/myapp.aab
