AssoEchap / stalkerware-indicators

Indicators of stalkerware apps

how can ioc.yaml be used #110

Closed crispin75 closed 1 year ago

crispin75 commented 1 year ago

Please could you provide instructions on how to use ioc.yaml? In a blog post a check_apk.py file is mentioned, but it seems to no longer belong to the repository. :-(

jvoisin commented 1 year ago

It would be nice indeed to have a check_apk.py --rules ioc.json --yara ioc.yar file1.apk file2.apk … tool.

emdete commented 1 year ago

Yes, some documentation would be really nice. The name "generated" sounds like there are scripts to generate the files contained; could these scripts be included? It could serve as documentation as well. Is the main file (ioc.yaml) somehow generated too? If so, how?

emdete commented 1 year ago

I wrote a flow to check for installed apps: ioc. Is this a correct understanding of the yaml file?

kpcyrd commented 1 year ago

There are two integrations here you might be interested in:

The adb integration is similar to what you wrote plus it checks some often-abused android settings, but it had no field-testing yet and parsing the settings output across a wide range of android versions/variants is difficult because there's no machine-readable format (you can donate data to the test_data/ folder to make the parser more robust).
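The package-name check that both the flow above and the adb integration perform, as an added example that is not code from this repository. It assumes the generated ioc.json is a list of entries with a "name" and a "packages" list (the sample indicator and package names are constructed placeholders), and it only covers package names, not the certificate, yara or network indicators the file also carries.

```python
import json
import re
import subprocess

# Constructed sample in the assumed shape of the generated ioc.json:
# a list of indicator entries, each naming the Android packages it ships under.
# Placeholder values, not real indicators.
SAMPLE_IOC_JSON = json.dumps([
    {"name": "ExampleStalkerware", "type": "stalkerware",
     "packages": ["com.example.monitor", "com.example.monitor.child"]},
    {"name": "OtherTool", "type": "stalkerware",
     "packages": ["org.example.tracker"]},
])

# Constructed output in the format `adb shell pm list packages` prints.
SAMPLE_PM_OUTPUT = """package:com.android.settings
package:com.example.monitor
package:org.example.tracker
package:com.whatsapp
"""

_PM_LINE = re.compile(r"^package:(?P<pkg>[A-Za-z0-9_.]+)$")


def load_package_index(ioc_json_text):
    """Map each indicator package name to the entry name(s) that list it."""
    index = {}
    for entry in json.loads(ioc_json_text):
        for pkg in entry.get("packages", []):
            index.setdefault(pkg, []).append(entry["name"])
    return index


def parse_pm_list(output):
    """Extract package names from `pm list packages` output; tolerates CRLF and blank lines."""
    pkgs = set()
    for line in output.splitlines():
        m = _PM_LINE.match(line.strip())
        if m:
            pkgs.add(m.group("pkg"))
    return pkgs


def find_matches(installed, index):
    """Return (package, [indicator names]) pairs for installed packages on the list."""
    return sorted((pkg, index[pkg]) for pkg in installed if pkg in index)


def installed_packages_via_adb():
    """Read the package list from the connected device (requires adb on PATH)."""
    proc = subprocess.run(["adb", "shell", "pm", "list", "packages"],
                          check=True, capture_output=True, text=True)
    return parse_pm_list(proc.stdout)
```

Running `find_matches(installed_packages_via_adb(), load_package_index(open("ioc.json").read()))` against a real device gives the same kind of report; a hit is a reason to pull the APK and run the certificate and yara checks, not a verdict on its own.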

Te-k commented 1 year ago

Hi, thanks for providing feedback; indeed, how to use the ioc.yaml is not fully clear. I have pushed a Python script that allows checking an APK using androguard. In order to check a phone, it is possible to use MVT, even if it doesn't provide a full check of all the indicators, or to get a pcap of the traffic and check it with the suricata rules, or the spytrap tools shared by @kpcyrd above.

The script you shared looks good to me, but it doesn't use all the ways to check APKs, like yara rules and certificates. I would recommend downloading the APKs with adb pull (or mvt) and then checking them with check_apks.

Overall there is likely a need for better tools, but in order to make them really usable outside of tech spheres, it would require investing time to develop a graphical interface that is easy to use, which I don't have resources for right now.

emdete commented 1 year ago

@Te-k: your link to the script is a 404 :( Can you correct that link?

Te-k commented 1 year ago

Indeed, a workflow issue; here it is.