
SUPER 0.2.0 released!

As promised, here is SUPER 0.2.0, six weeks after the 0.1.0 release. SUPER 0.2.0 is our second release, and it is a big step forward in analysis report customization. The main feature of this release is the new templating system, which gives users full control over how reports are generated; we will ship a better default template in future releases. The templating system is explained in the templates section of this announcement. As an extra, we built a Mac OS X package so that you can easily install SUPER on Macs.

But first, let's talk about the new CLI:

USAGE:
    super [FLAGS] [OPTIONS] <package>

FLAGS:
        --bench       Show benchmarks for the analysis
        --force       If you'd like to force the auditor to do everything from the beginning
    -h, --help        Prints help information
        --open        Open the report in a browser once it is complete
    -q, --quiet       If you'd like a zen auditor that won't output anything in stdout
    -a, --test-all    Test all .apk files in the downloads directory
    -V, --version     Prints version information
    -v, --verbose     If you'd like the auditor to talk more than necessary

OPTIONS:
        --apktool <apktool>        Path to the apktool file
        --dex2jar <dex2jar>        Where to store the jar files
        --dist <dist>              Folder where distribution files will be extracted
        --downloads <downloads>    Folder where the downloads are stored
        --jd-cmd <jd-cmd>          Path to the jd-cmd file
        --results <results>        Folder where to store the results
        --rules <rules>            Path to a JSON rules file
        --template <template>      Path to a results template file
    -t, --threads <threads>        Number of threads to use

ARGS:
    <package>    The package string of the application to test

As you can see, the CLI has been completely redesigned to enable further customization of the analysis. Users can now pass most of the configuration options that would otherwise live in the config.toml file as command-line arguments. This is useful for software that needs to automate the analysis differently for each batch or application; remember that SUPER is intended for mass analysis.

We have also added a --test-all flag that does not require a <package> to be specified: it searches for all applications in the downloads folder and analyzes every one of them. This is a port of a small shell script we were running many times, and now that it lives in the core of SUPER it is multi-platform and really fast. About that downloads folder: a folder actually named downloads is no longer required, and .apk files can live anywhere (by default, the current directory). Relative paths to .apk files are now supported too.

Another useful option we have added is --open. This option opens the HTML report in your usual browser once the analysis has finished, so you no longer have to hunt for it in the results tree, which could be a pain in the ass.

In the report generation we have added vulnerable line highlighting, which makes it easier to spot issues, and we have improved the search for exported attributes (which, BTW, still needs work).

We have of course made a ton of under-the-hood improvements, with a total of 106 commits from 7 contributors. We especially want to thank the community for its help, with contributions from @pocket7878, @VoltBit, @b52, @nxnfufunezn and @atk. This version touched 95 files, with 3,506 lines added and 1,800 lines deleted. It has been a real challenge, and it raises the total LOC of the project to 12,070.

The complete changelog can be read here.

Templates

The big rework for this release has been the new templating system. Each template now lives in its own subfolder of the templates folder (whose location depends on the OS and can be configured via config.toml). For example, the default template, super, is stored in templates/super. Templates are written in Handlebars, and we offer some helpers that we explain next. A template must contain at least the files code.hbs, report.hbs and src.hbs. Other .hbs files in the template root directory can be pulled in through template inclusion, the same way the super template does with its vulnerability template. To include it, we use ``.
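As an added illustration of the layout described above (this is example code, not the super template shipped with SUPER), here is a minimal report.hbs that iterates over findings and pulls a vulnerability partial in from the same template folder. The template folder name `example`, the partial name `vulnerability`, and the variable names `app_name`, `vulnerabilities`, `name`, `severity`, `line` and `description` are assumptions made for this example; the variables and helpers SUPER actually exposes are the ones documented with this release.

```handlebars
{{!-- templates/example/report.hbs (assumed folder name; a template also needs src.hbs and code.hbs) --}}
<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <title>SUPER report for {{app_name}}</title>  {{!-- app_name: assumed variable --}}
</head>
<body>
  <h1>Report for {{app_name}}</h1>
  <ul class="vulnerabilities">
  {{#each vulnerabilities}}   {{!-- vulnerabilities: assumed list of findings --}}
    {{> vulnerability}}       {{!-- includes templates/example/vulnerability.hbs with the current finding as context --}}
  {{/each}}
  </ul>
</body>
</html>

{{!-- templates/example/vulnerability.hbs (the partial; inside #each the context is one finding) --}}
<li class="vulnerability {{severity}}">  {{!-- severity, name, line, description: assumed fields --}}
  <strong>{{name}}</strong> at line {{line}}: {{description}}
</li>
```

Any .hbs file placed next to report.hbs can be included the same way, so recurring fragments such as a per-finding entry or a page header only have to be written once and are kept out of the three mandatory files.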

We have added some cool helpers to make the HTML code generation easier:

There are also some variables available for each template. For the main report.hbs template, we have added the following variables:

For the src.hbs template:

For the code.hbs template:

You can download the package for your distribution at the downloads page.
