Truegaze is a static analysis tool for Android and iOS applications focusing on security issues outside the source code such as resource strings, third party libraries and configuration files.
Requirements
Python 3 is required and you can find all required modules in the requirements.txt file. Only tested on Python 3.7 but should work on other 3.x releases. No plans to 2.x support at this time.
Also Read – Dow Jones Hammer : Protect The Cloud With The Power Of The Cloud(AWS)
You can install this via PIP as follows:
pip install truegaze
truegaze
To download and run manually, do the following:
git clone https://github.com/nightwatchcybersecurity/truegaze.git
cd truegaze
pip -r requirements.txt
python -m truegaze.cli
To list modules:
truegaze list
To scan an application:
truegaze scan test.apk
truegaze scan test.ipa
Listing modules:
user@localhost:~/$ truegaze list
Total active plugins: 1
+----------------+------------------------------------------+---------+------+
| Name | Description | Android | iOS |
+----------------+------------------------------------------+---------+------+
| AdobeMobileSdk | Detection of incorrect SSL configuration | True | True |
| | in the Adobe Mobile SDK | | |
+----------------+------------------------------------------+---------+------+
Scanning an application:
user@localhost:~/$ truegaze scan ~/test.ipa
Identified as an iOS application via a manifest located at: Payload/IPAPatch-DummyApp.app/Info.plist
Scanning using the “AdobeMobileSdk” plugin
— Found 1 configuration file(s)
— Scanning “Payload/IPAPatch-DummyApp.app/Base.lproj/ADBMobileConfig.json’
—- FOUND: The [“analytics”][“ssl”] setting is missing or false – SSL is not being used
—- FOUND: The [“remotes”][“analytics.poi”] URL doesn’t use SSL: http://assets.example.com/c234243g4g4rg.json
—- FOUND: The [“remotes”][“messages”] URL doesn’t use SSL: http://assets.example.com/b34343443egerg.json
—- FOUND: A “templateurl” in [“messages”][“payload”] doesn’t use SSL: http://my.server.com/?user={user.name}&zip={user.zip}&c16={%sdkver%}&c27=cln,{a.PrevSessionLength}
—- FOUND: A “templateurl” in [“messages”][“payload”] doesn’t use SSL: http://my.43434server.com/?user={user.name}&zip={user.zip}&c16={%sdkver%}&c27=cln,{a.PrevSessionLength}
Done!
Display installed version:
user@localhost:~/$ truegaze version
Current version: v0.2
The application is command line and will consist of several modules that check for various vulnerabilities. Each module does its own scanning, and all results get printed to command line.
Overview WhatsMyName is a free, community-driven OSINT tool designed to identify where a username exists…
Managing disk usage is a crucial task for Linux users and administrators alike. Understanding which…
Efficient disk space management is vital in Linux, especially for system administrators who manage servers…
Knowing how to check directory sizes in Linux is essential for managing disk space and…
Managing user accounts is a core responsibility for any Linux administrator. Whether you’re securing a…
Linux offers powerful command-line tools for system administrators to view and manage user accounts. Knowing…