-
Notifications
You must be signed in to change notification settings - Fork 272
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #85 from Fuzion24/feature/run_test_results_from_br…
…oadcast_receiver Run test results from broadcast receiver and serialize to user provided file path
- Loading branch information
Showing
4 changed files
with
153 additions
and
42 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
85 changes: 85 additions & 0 deletions
85
...ain/java/fuzion24/device/vulnerability/broadcastreceiver/ScanRunnerBroadcastReceiver.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,85 @@ | ||
| package fuzion24.device.vulnerability.broadcastreceiver; | ||
|
|
||
| import android.content.BroadcastReceiver; | ||
| import android.content.Context; | ||
| import android.content.Intent; | ||
| import android.content.pm.ApplicationInfo; | ||
| import android.os.AsyncTask; | ||
| import android.os.Bundle; | ||
| import android.util.Log; | ||
|
|
||
| import org.json.JSONObject; | ||
|
|
||
| import java.io.FileOutputStream; | ||
| import java.util.ArrayList; | ||
| import java.util.List; | ||
|
|
||
| import fuzion24.device.vulnerability.test.VulnerabilityTestResult; | ||
| import fuzion24.device.vulnerability.util.DeviceInfo; | ||
| import fuzion24.device.vulnerability.vulnerabilities.VulnerabilityOrganizer; | ||
| import fuzion24.device.vulnerability.vulnerabilities.VulnerabilityResultSerialzier; | ||
| import fuzion24.device.vulnerability.vulnerabilities.VulnerabilityTest; | ||
|
|
||
| /** | ||
| * Created by fuzion24 on 11/25/15. | ||
| */ | ||
| public class ScanRunnerBroadcastReceiver extends BroadcastReceiver { | ||
| private static final String TAG = "ScanRunnerReceiver"; | ||
| @Override | ||
| public void onReceive(final Context context, Intent intent) { | ||
|
|
||
| Log.d(TAG, "Received broadcast for scanrunner"); | ||
| //Only allow this code to be ran on debug builds, since it accepts and writes to arbitrary file | ||
| //paths, which would allow another app to arbitrarily write anywhere in this app's context. | ||
| // http://android-developers.blogspot.com/2010/09/securing-android-lvl-applications.html | ||
| boolean isDebuggable = ( 0 != ( context.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE ) ); | ||
| if(!isDebuggable){ | ||
| Log.d(TAG, "Not running the tests because the app is not debuggable"); | ||
| return; | ||
| } | ||
|
|
||
| Bundle intentExtras = intent.getExtras(); | ||
| if(intentExtras == null){ | ||
| Log.d(TAG, "There were no extras with the broadcast. Include RESULT_PATH"); | ||
| return; | ||
| } | ||
|
|
||
| final String writeResultPath = intentExtras.getString("RESULT_PATH"); | ||
| if(writeResultPath == null || writeResultPath.equals("")){ | ||
| Log.d(TAG, "Result write path is null or empty"); | ||
| } | ||
|
|
||
| Log.d(TAG, "Results will be written to: " + writeResultPath); | ||
|
|
||
| new AsyncTask<Void,Void,Void>(){ | ||
| @Override | ||
| protected Void doInBackground(Void... params) { | ||
| List<VulnerabilityTest> tests = VulnerabilityOrganizer.getTests(context); | ||
| List<VulnerabilityTestResult> results = new ArrayList<VulnerabilityTestResult>(); | ||
| for(VulnerabilityTest vt : tests){ | ||
| Log.d(TAG, "Running: " + vt.getCVEorID()); | ||
| boolean vulnerable = false; | ||
| Exception x = null; | ||
| try { | ||
| vulnerable = vt.isVulnerable(context); | ||
| }catch(Exception e){ | ||
| x = e; | ||
| } | ||
| results.add(new VulnerabilityTestResult(vt, vulnerable, x)); | ||
| } | ||
|
|
||
| try { | ||
| JSONObject jobj = VulnerabilityResultSerialzier.serializeResultsToJson(results, DeviceInfo.getDeviceInfo()); | ||
| FileOutputStream fos = new FileOutputStream(writeResultPath); | ||
| fos.write(jobj.toString(2).getBytes()); | ||
| fos.close(); | ||
| }catch(Exception e){ | ||
| e.printStackTrace(); | ||
| } | ||
|
|
||
| return null; | ||
| } | ||
| }.execute(); | ||
|
|
||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
60 changes: 60 additions & 0 deletions
60
...ain/java/fuzion24/device/vulnerability/vulnerabilities/VulnerabilityResultSerialzier.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,60 @@ | ||
| package fuzion24.device.vulnerability.vulnerabilities; | ||
|
|
||
| import com.nowsecure.android.vts.BuildConfig; | ||
|
|
||
| import org.json.JSONArray; | ||
| import org.json.JSONException; | ||
| import org.json.JSONObject; | ||
|
|
||
| import java.util.List; | ||
|
|
||
| import fuzion24.device.vulnerability.test.VulnerabilityTestResult; | ||
| import fuzion24.device.vulnerability.util.DeviceInfo; | ||
|
|
||
| /** | ||
| * Created by fuzion24 on 11/25/15. | ||
| */ | ||
| public class VulnerabilityResultSerialzier { | ||
|
|
||
| public static JSONObject serializeResultsToJson(List<VulnerabilityTestResult> results, DeviceInfo devInfo) throws JSONException { | ||
| // not sure if this is too intense to do on the main thread... | ||
| JSONArray testResults = new JSONArray(); | ||
| JSONObject buildInfo = new JSONObject(); | ||
| JSONObject combinedResults = new JSONObject(); | ||
|
|
||
| buildInfo.put("fingerprint", devInfo.getBuildFingerPrint()); | ||
| buildInfo.put("kernelVersion", devInfo.getKernelVersion()); | ||
| buildInfo.put("brand", devInfo.getBuildBrand()); | ||
| buildInfo.put("manufacturer", devInfo.getBuildManufacturer()); | ||
| buildInfo.put("model", devInfo.getBuildModel()); | ||
| buildInfo.put("release", devInfo.getBuildRelease()); | ||
| buildInfo.put("sdk", devInfo.getBuildSDK()); | ||
| buildInfo.put("builddate", devInfo.getBuildDateUTC()); | ||
| buildInfo.put("id", devInfo.getBuildID()); | ||
| buildInfo.put("cpuABI", devInfo.getBuildCpuABI()); | ||
| buildInfo.put("cpuABI2", devInfo.getBuildCpuABI2()); | ||
|
|
||
| JSONArray supportedABIs = new JSONArray(); | ||
| for(String abi : devInfo.getSupportedABIS()){ | ||
| supportedABIs.put(abi); | ||
| } | ||
|
|
||
| buildInfo.put("supportedABIs", supportedABIs); | ||
| buildInfo.put("versionCode", BuildConfig.VERSION_CODE); | ||
| buildInfo.put("versionName", BuildConfig.VERSION_NAME); | ||
|
|
||
| for (VulnerabilityTestResult s : results) { | ||
| JSONObject res = new JSONObject(); | ||
| res.put("name", s.getCVEorID()); | ||
| res.put("isVulnerable", s.isVulnerable()); | ||
| res.put("exception", s.getException()); | ||
| testResults.put(res); | ||
| } | ||
|
|
||
| combinedResults.put("buildInfo", buildInfo); | ||
| combinedResults.put("results", testResults); | ||
|
|
||
| return combinedResults; | ||
| } | ||
|
|
||
| } |