MuntashirAkon / AppManager

A full-featured package manager and viewer for Android
https://muntashirakon.github.io/AppManager/

Add libs and anti-feature info in the scanner page #126

Closed MuntashirAkon closed 4 years ago

MuntashirAkon commented 4 years ago

I'll be using @IzzySoft's repo (https://gitlab.com/IzzyOnDroid/repo/-/blob/master/libs/) for this. However, this won't be of much help in most cases since it still relies on the class list loaded via DexFile. I, for example, cannot detect the presence of DexClassLoader, which is heavily exploited by apps to install malware or, even worse, a trojan. But I'll look into it again when I finally implement #6.

MuntashirAkon commented 4 years ago

@IzzySoft, libsmali.txt seems to have multiple types that could've been merged into one:

 2
Ads 1
Advertisement 43
Advertising 11
Advertizing 2
Analytics 2
App Market 4
Development Aid 13
Development Framework 50
Indicator 1
Map 25
Mobile Analytics 138
Mobile analytics 1
Payment 12
Social Network 15
UI Component 521
Utility 1302

IzzySoft commented 4 years ago

Oh – thanks for pointing out! That's not intended (but happens when doing things manually) :see_no_evil: Here's the original definition (from LibRadar, which my library scanner started with and still builds upon):

library_type = {
    "ui": "UI Component",           # GUI support.
    "df": "Development Framework",  # bigger frameworks
    "ut": "Utility",                # other components to support a functional things like AWS support, video player.
    "da": "Development Aid",        # fallback for dev stuff that doesn't fit in above or is unknown where to fit
    "sn": "Social Network",
    "ad": "Advertisement",
    "am": "App Market",
    "ma": "Mobile Analytics",
    "pa": "Payment",
    "ge": "Game Engine",
    "mp": "Map"
}

So:

I'll fix that ASAP. And see to update my "lib verificator" to include checking the types.

IzzySoft commented 4 years ago

Fixed, please fetch the update :smiley: And thanks again. Now I only need to remember always to run lib_verificator before commit/push of libsmali.txt

MuntashirAkon commented 4 years ago

Thanks 👍

MuntashirAkon commented 4 years ago

@IzzySoft I've found some issues with libradar.txt and libradar_wild.txt:

libradar.txt

diff --git a/libs/libradar.txt b/libs/libradar.txt
index 77397e9..9298b63 100644
--- a/libs/libradar.txt
+++ b/libs/libradar.txt
@@ -1,8 +1,8 @@
 {"pn":"com/getjar/sdk/vending/billing/","lib":"GetJar Billing","tp":"Payment","ch":"http://www.getjar.com/","dn":906,"cpn":"com/android/"}
 {"pn":"org/mapsforge/android/maps/mapgenerator/tiledownloader/","lib":"MapsForge","tp":"Map","ch":"https://github.com/mapsforge/mapsforge","dn":396,"cpn":"org/mapsforge/android/maps/mapgenerator/a/"}
 {"pn":"com/securepreferences/util/","lib":"secure-preferences","tp":"Utility","ch":"https://github.com/scottyab/secure-preferences","dn":146,"cpn":"com/google/ads/util/"}
-{"pn":"com/sun/activation/registries/","lib":"JavaBeans(TM) Activation Framework","tp":"Development Framework","ch":"http://java.sun.com/javase/technologies/desktop/javabeans/jaf/index.jsp","dn":,"cpn":"com/sun/activation/"}
-{"pn":"myjava/awt/datatransfer/","lib":"Transferable (Java Platform)","tp":"Utility","ch":"","dn":,"cpn":"myjava/"}
+{"pn":"com/sun/activation/registries/","lib":"JavaBeans(TM) Activation Framework","tp":"Development Framework","ch":"http://java.sun.com/javase/technologies/desktop/javabeans/jaf/index.jsp","dn":0,"cpn":"com/sun/activation/"}
+{"pn":"myjava/awt/datatransfer/","lib":"Transferable (Java Platform)","tp":"Utility","ch":"","dn":0,"cpn":"myjava/"}
 {"pn":"com/mindprod/ledatastream/","lib":"LEDataStream","tp":"Utility","ch":"http://mindprod.com/products1.html","dn":125,"cpn":"com/mindprod/"}
 {"pn":"com/google/protobuf/","lib":"Protocol Buffers","tp":"Utility","ch":"https://github.com/google/protobuf","dn":185,"cpn":""}
 {"pn":"org/jraf/android/backport/switchwidget/","lib":"Android Switch Preference Backport","tp":"Utility","ch":"https://github.com/BoD/android-switch-backport","dn":217,"cpn":"org/"}
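
Review bot: `"dn":0` on the two added lines makes them parse, but 0 now reads as a real value where the removed lines had no value at all, while every other entry in this hunk carries a positive number. If consumers rank or filter on `dn`, consider `null` or dropping the key for these two entries so that "unknown" stays distinguishable, and have the verifier reject any line that does not parse as JSON so an empty value cannot land again.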

libradar_wild.txt

diff --git a/libs/libradar_wild.txt b/libs/libradar_wild.txt
index 966b127..f5c4fdb 100644
--- a/libs/libradar_wild.txt
+++ b/libs/libradar_wild.txt
@@ -38,5 +38,5 @@
 {"pn":"com/facebook/ads/","lib":"Facebook Ads","tp":"Advertisement","ch":"https://developers.facebook.com/"}
 {"pn":"com/flurry/android/ads/","lib":"Flurry Ads","tp":"Advertisement","ch":"http://www.flurry.com/"}
 {"pn":"com/mopub/mobileads/","lib":"MoPub","tp":"Advertisement","ch":"http://www.mopub.com/"}
-{"pn":"com/vividsolutions/jtsexample","lib":"JTS Topology Suite Examples","tp":Development Framework","ch":";http://sourceforge.net/projects/jts-topo-suite"}
+{"pn":"com/vividsolutions/jtsexample","lib":"JTS Topology Suite Examples","tp":"Development Framework","ch":";http://sourceforge.net/projects/jts-topo-suite"}
 {"pn":"com/itextpdf/text/","lib":"iText","tp":"Utility","ch":"https://api.itextpdf.com/"}
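
Review bot: the `ch` value on the added `jtsexample` line still begins with a stray `;` (`";http://sourceforge.net/projects/jts-topo-suite"`), so the URL stays broken after this fix; drop the semicolon in the same change. The `pn` on that line also lacks the trailing `/` that the other entries in this hunk have, which is worth confirming as intended because it changes what a prefix match on `pn` covers.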

Please fix them.

MuntashirAkon commented 4 years ago

I also suggest you add this built-in package: https://developer.android.com/reference/dalvik/system/package-summary. It lets an app execute arbitrary code. Like others, devs can use it for good purpose or bad purpose.

IzzySoft commented 4 years ago

Ugh, well spotted, thanks! Those were in there from the beginning, at least 3+ years, and I never noticed… Fixed and pushed.

As for "this package": would that be /dalvik/system, or /com/android/dalvik/system? Seems like I never encountered it in any app, or it would probably be listed – either in one of the library definitions, or at least in bin/locallibs.php's ignore list :wink:

MuntashirAkon commented 4 years ago

> As for "this package": would that be /dalvik/system, or /com/android/dalvik/system? Seems like I never encountered it in any app, or it would probably be listed – either in one of the library definitions, or at least in bin/locallibs.php's ignore list 😉

/dalvik/system. DexClassLoader that I was talking about belongs to this package (ie. dalvik.system.DexClassLoader). AFAIK, F-Droid explicitly checks for this class.

IzzySoft commented 4 years ago

Yes, I remember having heard of that here and there (indeed scanner.py looks for DexClassLoader and reports it if found). So I'm adding /dalvik/system/DexClassLoader with the description provided by you, thanks!
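
Why a class list can miss this entry, as an added example that is not part of the thread or of either project's code: it assumes the list holds only classes the APK itself defines, while `dalvik.system.DexClassLoader` is a framework class that appears only among the types the code references. The definition rows (including the `tp` chosen for the DexClassLoader row), the class names and the helpers `load_definitions`, `matches` and `match_libraries` are constructed for illustration.

```python
import json

# Constructed definitions in the {"pn","lib","tp","ch"} line format shown in this thread.
DEFINITIONS = """\
{"pn":"com/facebook/ads/","lib":"Facebook Ads","tp":"Advertisement","ch":"https://developers.facebook.com/"}
{"pn":"com/google/protobuf/","lib":"Protocol Buffers","tp":"Utility","ch":"https://github.com/google/protobuf"}
{"pn":"dalvik/system/DexClassLoader","lib":"DexClassLoader","tp":"Utility","ch":""}
"""


def load_definitions(text):
    """Parse JSON-lines definitions, longest prefix first so the most specific wins."""
    entries = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(entries, key=lambda e: len(e["pn"]), reverse=True)


def to_path(name):
    """Normalise 'Lcom/foo/Bar;' or 'com.foo.Bar' to 'com/foo/Bar'."""
    if name.startswith("L") and name.endswith(";"):
        name = name[1:-1]
    return name.replace(".", "/")


def matches(path, pn):
    """Package prefixes end in '/'; anything else must match on a name boundary."""
    if pn.endswith("/"):
        return path.startswith(pn)
    return path == pn or path.startswith(pn + "$") or path.startswith(pn + "/")


def match_libraries(class_names, definitions):
    """Map library name -> sorted list of class paths that matched it."""
    hits = {}
    for name in class_names:
        path = to_path(name)
        for entry in definitions:
            if matches(path, entry["pn"]):
                hits.setdefault(entry["lib"], set()).add(path)
                break
    return {lib: sorted(paths) for lib, paths in hits.items()}


# Constructed inputs: classes the APK defines vs. type descriptors its code references.
DEFINED = ["com.example.app.MainActivity", "com.facebook.ads.AdView"]
REFERENCED = DEFINED + ["Ldalvik/system/DexClassLoader;", "Ljava/lang/String;"]

if __name__ == "__main__":
    defs = load_definitions(DEFINITIONS)
    print("defined only :", match_libraries(DEFINED, defs))
    print("with references:", match_libraries(REFERENCED, defs))
```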

MuntashirAkon commented 4 years ago

Added support of lib scanning via b345ee2 and 230e944. The next task is to display anti-features.

@IzzySoft one question: Do you use only the libraries located in your repo for scanning apks or do you have other resources (such as exodus, F-Droid, etc.)?

IzzySoft commented 4 years ago

@MuntashirAkon this is answered in the place you've got the library definitions from. The database of LibRadar is used as well, though it wasn't updated for a while (not counting the updates I supplied). For my app lists, I also use Exodus and Appbrain. Both require an API key; freely available for Exodus, with Appbrain this requires a (usually paid) account with them.

MuntashirAkon commented 4 years ago

Closing in favour of #133.

MuntashirAkon commented 4 years ago

Hi @IzzySoft, I've found some libs that are not in your repo. I listed them about 2 weeks ago, so they could be a bit outdated:

MuntashirAkon commented 4 years ago

And these:

IzzySoft commented 4 years ago

Thanks! Actually I add libraries when encountering them in apps – i.e. when I need them for my repo listings. My goal is not to have all libraries existing worldwide added here :wink: Maybe you could merge them on your end?

Besides: To make sure I don't bring in "broken entries" again, I've now established a pre-commit trigger on my end (basically calling libs_verificator.php – which then exits with a non-zero RC, thus stopping the commit from taking place if something is wrong). Seems to work fine so far.
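
A check of the kind such a pre-commit trigger could run, as an added example: this is not libs_verificator.php and not code from either project. It assumes the JSON-lines format visible in the diffs above and the type names from the quoted `library_type` mapping; `check_definitions` and the sample lines are constructed.

```python
import json

# Canonical type names, copied from the library_type mapping quoted in this thread.
VALID_TYPES = {
    "UI Component", "Development Framework", "Utility", "Development Aid",
    "Social Network", "Advertisement", "App Market", "Mobile Analytics",
    "Payment", "Game Engine", "Map",
}
REQUIRED_KEYS = ("pn", "lib", "tp", "ch")  # keys present on every line shown above


def check_definitions(text):
    """Return [(line_number, problem), ...] for a JSON-lines definition file."""
    problems = []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError as exc:
            problems.append((number, f"invalid JSON: {exc.msg}"))
            continue
        if not isinstance(entry, dict):
            problems.append((number, "entry is not a JSON object"))
            continue
        for key in REQUIRED_KEYS:
            if not isinstance(entry.get(key), str):
                problems.append((number, f"missing or non-string key: {key}"))
        tp = entry.get("tp")
        if isinstance(tp, str) and tp not in VALID_TYPES:
            problems.append((number, f"unknown type: {tp!r}"))
        if "dn" in entry and (type(entry["dn"]) is not int or entry["dn"] < 0):
            problems.append((number, "dn is not a non-negative integer"))
    return problems


# Constructed sample reproducing the kinds of defect reported in this thread.
SAMPLE = "\n".join([
    '{"pn":"com/mopub/mobileads/","lib":"MoPub","tp":"Advertisement","ch":"http://www.mopub.com/"}',
    '{"pn":"myjava/awt/datatransfer/","lib":"Transferable","tp":"Utility","ch":"","dn":,"cpn":"myjava/"}',
    '{"pn":"com/vividsolutions/jtsexample","lib":"JTS Examples","tp":Development Framework","ch":""}',
    '{"pn":"com/example/ads/","lib":"Example Ads","tp":"Advertizing","ch":""}',
])

if __name__ == "__main__":
    for number, problem in check_definitions(SAMPLE):
        print(f"line {number}: {problem}")
    # A pre-commit hook would exit non-zero here whenever the list is non-empty.
```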

MuntashirAkon commented 4 years ago

> Maybe you could merge them on your end?

I suggested this because these libraries were extracted from apps on F-Droid.

> To make sure I don't bring in "broken entries" again, I've now established a pre-commit trigger on my end (basically calling libs_verificator.php – which then exits with a non-zero RC, thus stopping the commit from taking place if something is wrong). Seems to work fine so far.

My current policy is to keep everything in one place (may change in future depending on the height of the project). I'm currently using add_lib.php to add libraries interactively without touching the libsmali.txt file (I don't need libinfo.txt for AM).

IzzySoft commented 4 years ago

> My current policy is to keep everything in one place

Hm, looks like our policies contradict slightly then…

> I'm currently using add_lib.php to add libraries interactively

Nice! But I need to care for both files. And multiple paths. I was too lazy setting up some script/GUI for that yet…