A set of scripts to check Android device security configuration.
The check-device-props.py
script checks security configuration based on system properties
and some basic system commands.
Requires ADB connection.
Set ANDROID_SERIAL
and/or ADB_VENDOR_KEYS
if more than one device is connected to host,
or if ADB authentication is required.
- build type (userdebug, user, eng)
- signing keys
- SELinux availability and mode
- debugging-related properties
- Bluetooth configuration
- USB/ADB configuration
- 3G/telephony availability
- enabled network interfaces
- listening TCP services
- ADB authentication
- SUID binaries
- AIDL services
- disk encryption (FDE/FBE) availability
- dm-verity availability and mode
- Connect to target device via ADB and run the script:
./check-device-props.py
- Report is output to stdout, redirect as needed.
WARN
messages mark potential configuration issues.
A simple script to check security configuration of system APKs for Android-based devices. Mainly targeted towards IoT-style devices, probably not that useful for phones/tablets. Not meant to be a replacement for CTS or other extensive test suites.
Checks are focused on permissions, code signing and component configuration. This script does not attempt to perform static analysis of executable code.
The following assumptions are made:
- device software is based on AOSP
- device vendor components/apps all live under the same top-level package
- system APKs from
system/
andsystem-priv/
are accessible (either by downloading from live device or from build output)
The following security configuration is tested:
- usage of shared user ID, esp.
android.uid.system
- whether 3rd-party (non-AOSP, not under top-level package) are running as
android.uid.system
- debuggable applications
- whether custom (not defined in AOSP) permissions are signature-protected
- whether protected broadcasts are used
- whether APKs are signed with widely-known keys/certificates ('testkeys')
- optionally prints all permissions and components declared in the APK (detailed mode)
- Androguard >= 3.2.1
- Python 2.7.x (for now)
- Obtain system APKs to test, usually all APKs under
/system/app
and/system/priv-app
- if you can connect to a live device via ADB, you can use the
download-apks.py
helper script:
$ ./download-apks.py apks/
- Run the
check-system-apps.py
script against the APK directory from 1.
- (optional) specify the
--show-apk-details
flag to show permissions and components declared in each APK.
./check-system-apps.py apks/ com.example.package
- Report is output to stdout, redirect as needed.