Indicators Module
- apkInspector.indicators.apk_tampering_check(apk_file, strict: bool)
Combines the tampering checks for the ZIP structure and for the AndroidManifest and returns both results.
- Parameters:
apk_file (bytesIO) – The apk file to check
strict (bool) – A boolean to strictly check all fields or not. Suggested value: False
- Returns:
Returns a combined dictionary with the results from the zip_tampering_indicators and the manifest_tampering_indicators
- Return type:
dict
- apkInspector.indicators.count_eocd(apk_file)
Counts the number of times the end of central directory (EOCD) record is found in the file. A well-formed APK contains exactly one.
- Parameters:
apk_file (bytesIO) – The APK file, e.g. with open('test.apk', 'rb') as apk_file
- Returns:
The count of how many times the end of central directory record was found
- Return type:
int
- apkInspector.indicators.local_and_central_header_discrepancies(dict1, dict2, strict: bool)
Checks for discrepancies between the values stored in the local file headers and those stored in the central directory.
- Parameters:
dict1 (dict) – the central directory dictionary
dict2 (dict) – the local headers dictionary
strict (bool) – Whether to check all header fields strictly or not
- Returns:
Returns a list with the common keys between the dictionaries that have different values.
- Return type:
list
- apkInspector.indicators.manifest_tampering_indicators(manifest)
Checks for indicators of tampering in the AndroidManifest.xml.
- Parameters:
manifest (bytesIO) – The AndroidManifest file to check
- Returns:
Returns a dictionary with the indicators of tampering for the AndroidManifest
- Return type:
dict
- apkInspector.indicators.process_elements_indicators(file)
Starts processing the remaining chunks after the resource map chunk. It also reports whether dummy data was found between the elements, so that the use of this evasion technique by the APK can be reported. The difference from the process_elements method in the axml module is that this version does not rely on the total element size stated in the header, but tries to parse the contents regardless. As a result it detects dummy data injected after the actual data.
- Parameters:
file (BytesIO) – the axml that will be processed
- Returns:
Returns all the elements found as their corresponding classes and whether dummy data were found in between.
- Return type:
set(list, set(bool, bool))
- apkInspector.indicators.zip_tampering_indicators(apk_file, strict: bool)
Checks for indicators of tampering in the ZIP structure of the APK. Such tamperings of the ZIP structure serve as a method of evasion against static analysis tools.
- Parameters:
apk_file (bytesIO) – The APK file, e.g. with open('test.apk', 'rb') as apk_file
strict (bool) – Whether to check strictly or not. Using the application set that was also used for the tests here https://github.com/erev0s/apkInspector/tree/main/tests/top_apps, we examined which indicators would be returned. It turns out that in some cases the local header and the central directory entry for the same file do not have the same values for some keys. Strict checking was therefore added so that these rare but possible cases can be excluded.
- Returns:
Returns a dictionary with the detected indicators.
- Return type:
dict
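The EOCD count, the local-vs-central header comparison and the combined zip_tampering_indicators report described above, as an added stand-alone example; this is not apkInspector's own code, it re-implements the checks over a constructed archive with the standard library only. The field sets compared in strict and non-strict mode are this example's assumption, as is the choice to take bytes rather than a BytesIO.

```python
import io
import struct
import zipfile

EOCD_SIG, CDH_SIG = b"PK\x05\x06", b"PK\x01\x02"
# Assumption: non-strict mode compares only CORE_FIELDS, strict mode compares every field.
CORE_FIELDS = ("method", "crc32", "compressed_size", "uncompressed_size")
FIELDS = ("version", "flags", "method", "mtime", "mdate", "crc32", "compressed_size", "uncompressed_size")

def count_eocd(data: bytes) -> int:
    """Occurrences of the end-of-central-directory signature; a well-formed APK has one."""
    return data.count(EOCD_SIG)

def _headers(data: bytes):
    """Yield (name, central_dict, local_dict) for every central directory entry."""
    eocd = data.rfind(EOCD_SIG)
    total, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    for _ in range(total):
        assert data[pos:pos + 4] == CDH_SIG, "bad central directory signature"
        c = struct.unpack_from("<HHHHHHIIIHHHHHII", data, pos + 4)   # 46-byte central header
        name = data[pos + 46:pos + 46 + c[9]].decode()
        central = dict(zip(FIELDS, c[1:9]))                         # c[0] is "version made by"
        loc = struct.unpack_from("<HHHHHIIIHH", data, c[15] + 4)    # 30-byte local header at c[15]
        yield name, central, dict(zip(FIELDS, loc[:8]))
        pos += 46 + c[9] + c[10] + c[11]                            # name + extra + comment lengths

def local_and_central_header_discrepancies(central, local, strict=False):
    """Keys present in both dicts whose values differ."""
    keys = FIELDS if strict else CORE_FIELDS
    return [k for k in keys if k in local and central[k] != local[k]]

def zip_tampering_indicators(data: bytes, strict=False):
    """Combine both checks into one report, keyed like the indicators module's output."""
    out = {"eocd_count": count_eocd(data), "header_discrepancies": {}}
    for name, central, local in _headers(data):
        diff = local_and_central_header_discrepancies(central, local, strict)
        if diff:
            out["header_discrepancies"][name] = diff
    return out

def build_samples():
    """Constructed input: a minimal clean archive and a tampered copy of it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\0" * 16)
    clean = buf.getvalue()
    with zipfile.ZipFile(io.BytesIO(clean)) as zf:
        dex_lfh = zf.getinfo("classes.dex").header_offset
    t = bytearray(clean)
    struct.pack_into("<I", t, 14, 0xDEADBEEF)                      # CRC field of the first local header
    mtime = struct.unpack_from("<H", clean, dex_lfh + 10)[0]
    struct.pack_into("<H", t, dex_lfh + 10, mtime ^ 0x0400)        # mtime of the second local header
    t += clean[clean.rfind(EOCD_SIG):]                              # a duplicate EOCD record appended
    return clean, bytes(t)
```

The CRC mismatch is reported in both modes, while the timestamp mismatch on the second entry only shows up with strict=True, which is the kind of benign difference the strict flag lets you exclude.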