Repository contents (latest commit message and date as listed):

  • Docs: Add logo designed by Marco Kuiper (marcofolio) (Jun 10, 2019)
  • VulnerableApps/BankingApp: Initial commit (May 30, 2019)
  • XamarinSecurityScanner: Update Microsoft.CodeAnalysis.CSharp library from 3.0.0 to 3.1.0 (Jun 10, 2019)
  • .gitignore
  • LICENSE.txt
  • NOTICE.txt: Initial commit (May 30, 2019)
  • README.md: Add logo designed by Marco Kuiper (marcofolio) (Jun 10, 2019)
  • pipeline-simulation.ps1: Initial commit (May 30, 2019)


A tool to find security vulnerabilities in Xamarin.Android apps. It finds vulnerabilities by analyzing the source code (SAST).

It is inspired by and contains code from QARK (Quick Android Review Kit).

Getting Started

The quickest way to get started is to use Docker.

git clone <project_url>
cd xamarin-security-scanner
docker build ./XamarinSecurityScanner -t xamarin-security-scanner
docker run -v <absolute_path_to_project>:/project xamarin-security-scanner

Another option is to install .NET Core 2.2, and run the following commands:

git clone <project_url>
cd xamarin-security-scanner
dotnet run --project .\XamarinSecurityScanner\XamarinSecurityScanner.App --path <path_to_project>

Example output: (screenshot)

Usage

Usage: XamarinSecurityScanner.App [options]

Options:
  -p|--path <PATH>                Path to scan
  -t|--threshold <THRESHOLD>      Vulnerability threshold
  -e|--enable-logging             Enable logging
  -i|--ignore-file <IGNORE_FILE>  Path to ignore file
  -?|-h|--help                    Show help information

For more information on how to use the Xamarin Security Scanner, see the configuration docs.

Functionality

The tool reports the following issues:

  • Certificate validation overwritten
  • Permissions may not be enforced
  • Unsafe cipher mode used
  • External storage is used
  • Hardcoded HTTP URL found
  • JavaScript enabled in WebView
  • JavascriptInterface is added to a WebView
  • Logging was found
  • Access to phone number
  • WorldReadable file found
  • Backups are enabled
  • App has debugging enabled
  • App supports outdated Android version
  • App contains a private key

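To make the finding categories above concrete, here is an added example (not the project's own code, which analyzes Roslyn syntax trees rather than text) of a minimal line-based scanner that flags a subset of these issues in Xamarin.Android C# source. The regexes, the 1-3 severity scale used to demonstrate the threshold option, the `ignored` parameter standing in for the ignore file, and the sample `LoginActivity.cs` contents are all assumptions constructed for this illustration.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Added example, not the project's code: a deliberately small line-based
# scanner that mirrors a subset of the findings listed in the README. The
# real tool works on Roslyn syntax trees; this regex-only version misses
# anything split across lines or built at runtime.
#
# Each rule: (finding name from the README, regex, assumed severity 1-3).
# The severity scale is an assumption for the threshold demo; the README
# does not define one.
RULES = [
    ("Certificate validation overwritten",
     re.compile(r"ServerCertificate(?:Custom)?ValidationCallback\s*="), 3),
    ("Unsafe cipher mode used",
     re.compile(r"CipherMode\.ECB\b|\"(?:AES|DES)/ECB"), 3),
    ("Hardcoded HTTP URL found", re.compile(r"\"http://[^\"]*\""), 2),
    ("JavaScript enabled in WebView",
     re.compile(r"\.JavaScriptEnabled\s*=\s*true"), 2),
    ("JavascriptInterface is added to a WebView",
     re.compile(r"\.AddJavascriptInterface\("), 2),
    ("Logging was found",
     re.compile(r"\bLog\.(?:Verbose|Debug|Info|Warn|Error)\("), 1),
    ("WorldReadable file found",
     re.compile(r"FileCreationMode\.WorldReadable"), 3),
    ("Backups are enabled",
     re.compile(r"AllowBackup\s*=\s*true|android:allowBackup=\"true\""), 1),
    ("App has debugging enabled",
     re.compile(r"Debuggable\s*=\s*true|android:debuggable=\"true\""), 3),
]


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: int
    path: str
    line: int
    code: str


def scan_source(path: str, text: str, threshold: int = 1,
                ignored: Iterable[str] = ()) -> List[Finding]:
    """Scan one file's contents; return findings at or above `threshold`,
    skipping rule names in `ignored` (a stand-in for the tool's ignore file)."""
    ignored = set(ignored)
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if line.startswith("//"):       # commented-out code is not a finding
            continue
        for name, pattern, severity in RULES:
            if name in ignored or severity < threshold:
                continue
            if pattern.search(line):
                findings.append(Finding(name, severity, path, lineno, line))
    return findings


# Constructed sample: a Xamarin.Android activity written to trigger the
# rules above. It is not taken from the repository's VulnerableApps.
SAMPLE_CS = '''\
using Android.App;
using Android.Content;
using Android.Util;
using Android.Webkit;
using System.Net;

[Application(AllowBackup = true, Debuggable = true)]
public class App : Application { }

public class LoginActivity : Activity
{
    const string ApiUrl = "http://api.example.test/login";

    void Setup(WebView webView, string password)
    {
        ServicePointManager.ServerCertificateValidationCallback = (s, c, ch, e) => true;
        webView.Settings.JavaScriptEnabled = true;
        webView.AddJavascriptInterface(new Bridge(), "bridge");
        Log.Debug("Login", "password=" + password);
        // Log.Debug("Login", "old debug line");   // skipped: commented out
        var file = OpenFileOutput("token", FileCreationMode.WorldReadable);
    }
}
'''


def report(findings: List[Finding]) -> str:
    """Render findings the way a CI step would print them."""
    return "\n".join(
        f"{f.path}:{f.line}: [{f.severity}] {f.rule}: {f.code}" for f in findings)


if __name__ == "__main__":
    print(report(scan_source("LoginActivity.cs", SAMPLE_CS)))
```

Running the block prints eight findings for the sample, two of them on the `[Application(...)]` attribute line; raising `threshold` to 3 keeps only the certificate-callback, world-readable-file and debuggable findings. A text scanner like this is only a pre-check: a callback assigned through a helper method, or a URL assembled from parts, passes it silently, which is why the real tool inspects the syntax tree instead.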
Credits

Marco Kuiper (@marcofolio) - For the logo.
