Proj 15: AndroBugs (10 pts)
What You Need for This Project
- A Kali virtual machine
- You should have that already set up from previous projects
Purpose: to practice using AndroBugs, a fast static
vulnerability scanner for Android APK files.
On Kali, in a Terminal, execute these commands
to install AndroBugs and scan the GenieMD APK file.
Here genie.apk is the APK from the previous project;
copy it into the AndroBugs_Framework directory, or
give its full path to -f:
git clone https://github.com/AndroBugs/AndroBugs_Framework.git
cd AndroBugs_Framework
python androbugs.py -f genie.apk
AndroBugs is written for Python 2.7, so on a Kali release
where "python" is Python 3, run it with python2 instead.
The scanner starts, as shown below.
Within a minute, the scan finishes.
At the end of its output it prints the filename of the
report, a plain text file written to the Reports
directory inside AndroBugs_Framework. Carefully copy the
whole report filename, which is highlighted in the image below.
Viewing the Report
On Kali, in a Terminal, execute this command,
replacing filename with the correct filename
on your system:
[Critical] <Command> Runtime Command Checking
This is the first vulnerability found, and it's
The flagged code builds an Android shell command as a
Java string and runs it, typically through
Runtime.getRuntime().exec(). If any part of that string
comes from untrusted input, such as an Intent extra or
data received from the network, the result is a command
injection flaw, so each flagged call site should be
reviewed to see where its arguments come from.
SSL Validation Flaws
Scroll down to find the SSL validation
error we exploited in a previous project.
AndroBugs tags it "[Critical] <SSL_Security>". This check
looks for code that bypasses certificate validation, such
as a custom TrustManager that accepts any server certificate
or a hostname verifier that accepts every host, which is
what makes the app's HTTPS traffic interceptable.
The scanner provides a lot of information about
this flaw, as shown below.
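A full AndroBugs report is long, and the fastest way to triage it is to pull out the tagged finding lines rather than read it top to bottom. The bash functions below are an added example for this project page; they are not part of the original page or of the AndroBugs code. They list every finding as severity, category and title, filter the [Critical] ones (the <Command> and <SSL_Security> findings discussed above), and count findings per severity. The sample report fragment is constructed for the example, modelled only on the two tag lines quoted on this page, and the Reports/ default directory is an assumption about where AndroBugs writes its output.

```bash
#!/bin/bash
# Added example, not part of the original project page or of AndroBugs.
# Triage an AndroBugs text report from the shell. Each finding starts
# with a severity tag ([Critical], [Warning], [Notice] or [Info]) and a
# <Category> tag, followed by the check title; the explanatory lines
# under it are indented. Assumption: reports are written under the
# Reports/ directory of the AndroBugs_Framework checkout.

# Print "severity<TAB>category<TAB>title" for every finding line.
# Reads the file named in $1, or standard input when no file is given.
findings() {
    awk '
        $1 ~ /^\[(Critical|Warning|Notice|Info)]$/ && $2 ~ /^<[A-Za-z_]+>$/ {
            sev   = substr($1, 2, length($1) - 2)     # strip [ and ]
            cat   = substr($2, 2, length($2) - 2)     # strip < and >
            title = substr($0, index($0, ">") + 1)    # text after the category tag
            sub(/^ +/, "", title)
            sub(/:[ \t]*$/, "", title)                # drop the trailing colon
            print sev "\t" cat "\t" title
        }' ${1:+"$1"}
}

# Print only the titles of [Critical] findings, one per line.
critical_titles() {
    findings "$@" | awk -F'\t' '$1 == "Critical" { print $3 }'
}

# Count findings at one severity: count_severity SEVERITY [FILE]
count_severity() {
    findings "$2" | awk -F'\t' -v sev="$1" '$1 == sev { n++ } END { print n + 0 }'
}

# Path of the newest report in a directory (default Reports/), or nothing.
latest_report() {
    ls -t "${1:-Reports}"/*.txt 2>/dev/null | head -n 1
}

# Constructed sample report fragment (not real AndroBugs output), modelled
# on the two [Critical] tag lines quoted in the project text.
SAMPLE_REPORT='[Critical] <Command> Runtime Command Checking:
    The app builds a shell command with Runtime.getRuntime().exec(); review each call site.
[Critical] <SSL_Security> SSL Certificate Verification Checking:
    A custom TrustManager accepts any server certificate.
[Warning] <WebView> WebView Local File Access Checking:
    file:// access is enabled for a WebView.
[Notice] <Database> SQLite Database Checking:'

# Run the triage over the constructed sample.
printf '%s\n' "$SAMPLE_REPORT" | findings
echo "critical findings: $(printf '%s\n' "$SAMPLE_REPORT" | count_severity Critical)"

# Against a real scan: list the critical titles of the newest report, if any.
report=$(latest_report)
if [ -n "$report" ]; then
    critical_titles "$report"
fi
```

After a real scan, `critical_titles Reports/<filename>` gives the short list to work through first; the full report text for each item is still needed to find the code locations, since only the tag line is extracted here.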
Saving a Screen Image
Make sure you can see "[Critical] <SSL_Security>",
as shown above.
Save a full-desktop image. On a Mac, press Shift+Command+3. On a PC, press Shift+PrntScrn and paste into Paint.
YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!
Save the image with the filename "YOUR NAME Proj 15", replacing "YOUR NAME" with your real name.
Turning in your Project
Email the image to email@example.com with the subject line:
Proj 15 from YOUR NAME
Posted 2-8-19 by Sam Bowne