Blog Posts

Tracking Android Security Update across Devices

When you work with any Android device, a few questions are always at the back of your mind:

1) Does the OEM provide OS updates?
2) Does the OEM provide Android security patches?
3) How fast do they update the devices?

We have tried many times to find a consolidated list of such data and have always failed. Hence we decided that it's time we build something.

We have created a tracker page which we intend to keep up to date with the help of readers and viewers.

Android Device Security Patch tracker

You can contribute to the database in multiple ways:

1) Add a comment to this post.
2) Create a pull request with changes on the GitHub page here.
3) Send us an email at devicesecupdate at androidtamer dot com.
4) Create a new issue in the https://github.com/AndroidTamer/KnowledgeBase/ repository and we will update the details.

Note: as this data reveals the security posture of devices, we have made an intentional decision not to credit any individual for specific data. However, if you want your name to be credited, please say so and we will add the name under the credit section on the page.

AndroidTamer : Future

AndroidTamer started out as a virtual machine for Android (security) professionals. However, we are not the only ones doing this: there are many more solutions, most of them offered by companies that have a paid product around it or at least a commercial angle. AndroidTamer at this point remains the only fully non-commercial, non-sponsored entity in this space.

However, if that is the only differentiator AndroidTamer brings, frankly that’s not enough for us. So we came up with a plan. Today I am going to discuss the plan.

TLDR

We are slowly making Android Tamer a single point of reference for all Android Professionals.

Large/Detailed

We want to make AndroidTamer a one-stop location for Android (security) professionals.

We will be diversifying our offerings while also trying to automate most of the work and ease any pain points that Android professionals face on a regular basis.

This is the outline of how AndroidTamer will look in the future. Each project will be detailed in separate posts in the near future.

AndroidTamer Debian based VM (Version 4 Released)

Customized to the core, this Debian 8 based virtual machine environment is preloaded with tools for Android pentesting.
The AndroidTamer virtual machine has been our main identity and is something we will keep producing. The only constraint is that we will do a build (with all the latest tools, scripts and exploits) once every 6 months and publish it. However, anyone using an older version of AndroidTamer should be able to use apt-get to keep themselves up to date. Any questions or concerns can be directed to us via GitHub issues, Twitter or the release page comments.

DEB / YUM Repository for Tools / Software Distribution (Available)

This is the heart of our evil plan. With this repository fully working (right now it's apt only), people will be able to use the tools directly in their own distribution instead of downloading the very large VM that we provide.
https://repo.androidtamer.com : The aim is to be the only repository which is actively maintained, supports both Debian and Red Hat distributions, and carries tools specific to Android security / development. You can suggest new packages here. The build scripts used to create the packages are also public and listed here.

Android-Emulator customised for Pentesting (both x86 and arm version) (W.I.P.)

A customized emulator, in both x86 and arm versions, to be used in place of a device and coupled with the Tamer VM.
Most pentesters / developers require a virtual machine to test tools, apk files, etc. Hence we are going to create an android-x86 based VM (not Genymotion, because of license and cost restrictions) and a custom arm emulator image set with patches to ensure everything needed in Android pentests works with them. If you have any suggestions or tools which you want added, you can add an issue here.

Extensive Tools Documentation (W.I.P.)

Developing a distro is one thing; ensuring people use it properly is another. We often write shims / wrappers so that people don’t waste time, but for lack of official documentation people end up wasting time anyway. Hence we created https://tools.androidTamer.com : The aim is to host, in a single location, extensive documentation for the largest array of tools needed for Android security and available inside AndroidTamer. Source is available here.

Knowledge Base

Tools and how to use them are one thing, but knowledge about Android itself is another: what the file system looks like, or the details of the security fixes made in the Android core over its versions. To store this kind of information we are launching https://kb.androidtamer.com : It contains documentation around Android which is useful to many people around the world. It also includes our very famous “Android Security Enhancement” sheet. Source is available here.

Android Tools Repository

A large number of Android tools are useful for various Android tasks but are mostly available only as source code. This repository will bring them out for everyone to use. It will be F-Droid compatible, will be at the heart of our Tamer-Emulator, and will allow us to push the latest versions of various open source security tools like just trust me, sslcatcher etc. If you have any suggestions or tools which you want added, you can add an issue here.

Questions:

Q: Why not also focus on other OSes?

A: OSX support via homebrew is something we are thinking hard about, but let’s see how the future rolls out. If you want to use the tools on any other distro, our apt/yum repository is working in that direction. If you want to use tools on Windows, Appie seems to be the best option available.

Q: Why not support iOS, BlackBerry and Windows Phone, and make AndroidTamer a mobile tamer?

A: While it all looks fancy and very interesting, the fact of life is that if you want to do everything on iOS you need a Mac, and if you want to work properly on Windows Mobile you use Windows. There is no escaping that fact. Adding a minimal set of tools and claiming that we support yet another platform doesn’t sit well with us, hence we neither claim nor support that.

How can I help

The project needs constant support from volunteers, so any and all help is welcome. It should be clear that writing code is not the only way you can help the project. Here are multiple ways in which AndroidTamer can benefit from volunteers:

  1. Test the build and suggest changes or improvements / enhancements. Please raise an issue here.
  2. Promote the distribution by writing blog posts, creating videos or presenting sessions using this tool.
  3. Help with bringing new tools into the distribution by writing build scripts: sample apktool build and dex2jar build.
  4. Test the repository on other distributions like Kali, Ubuntu or other pentest distributions and report issues. To configure the repo on another distro, follow the guide.
  5. Help us solve issues by tracking them and contributing back via patches, fixes or suggestions. One major issue list to keep an eye on will be the Tools Repository.

How we build Android Tamer

For the first three releases we experimented with multiple methods, and the experiments don’t stop this time around either.

This time we wanted to see if we could automate most of what we do. So we looked at existing processes and identified that the best fit for us would be a combination of vagrant and ansible playbooks.

So we first built a base box of Ubuntu 14.04 LTS with the bare minimum and used that as the base box. (Just for the heck of it, we also customized the username and hostname of the instance, since we were modifying things anyway.)

After deliberating for a couple of days, and based on various internet chatter, we decided to shift our base to Debian 8. Hence another base box was created with the bare minimum, but this time using Debian 8 as the base.

This box was then used to couple with ansible scripts and the final product is what you see now.

The entire Vagrant Ansible configuration is available here

The base box used for all the activities

With more deliberation about the future of AndroidTamer, we decided to open source every single bit of whatever we are doing in the AndroidTamer project.

All the projects are hosted at GitHub

Feel free to contribute / curse / raise questions

AndroidTamer 4 : Released

We are glad to announce the official release of AndroidTamer 4.

What's new

TLDR: Everything

Details

  • Debian 8 Base
  • Own repository of tools (repo.androidtamer.com)
  • Signed packages and repository
  • Additional wrappers around useful tools to make life easier
  • Everything in PATH

Following are the details

Download Links (5.1 GB OVA File):
1) Google Drive: http://bit.ly/AndroidTamer4-GD (this link might go down if downloaded more than 500 times a day)
2) Sourceforge: http://bit.ly/AndroidTamer4-SF

Compatibility: VirtualBox is preferred, but the OVA can also be imported into VMware Player / Workstation / Fusion.

5 GB, 5 FREAKING GB MAN, I don’t want to download that

If you don’t want to download this whole bloated software package but want the software inside it, we have a Debian 8 compatible repository at https://repo.androidtamer.com. Follow the instructions here to configure your system to receive Android Tamer tools.

However, not everything will be the same as in the AndroidTamer VM. For example, we don’t yet have packages to automate SDK, NDK and Studio installation and their addition to the path. At this point that part is handled by a Vagrant script; we are working on putting it out as a package which will enable seamless working. For now you can just install the SDK/NDK/Studio manually and add them to the path.

Repository compatibility: We have tested the repository on Debian 8. It should ideally also work on Kali Linux and Ubuntu 14.04 or 16.04, but we have not tested Kali or Ubuntu. In the next few days we will try to do that and update the status here.

Checksums are listed below.

MD5 (AndroidTamer4.ova) = 98ced8bfc3c8d46a0600b377569dc722
SHA1 (AndroidTamer4.ova) = 3c3b6b053135456938d749d8536da4dbf1ba1a16
SHA256 (AndroidTamer4.ova) = e4f823baee3565b0871ec0865d1da0aad1f058665b7a212a326d85110a817164
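
Checking a downloaded OVA against the three digests above, as an added example (not part of the original post or of the AndroidTamer project): it parses the BSD-style lines exactly as published and hashes the 5 GB file in a single streaming pass. The function names and the chunk size are choices made for this example.

```python
import hashlib
import hmac
import re

# Digest lines exactly as published in the post (BSD-style "ALGO (file) = hex").
PUBLISHED = """\
MD5 (AndroidTamer4.ova) = 98ced8bfc3c8d46a0600b377569dc722
SHA1 (AndroidTamer4.ova) = 3c3b6b053135456938d749d8536da4dbf1ba1a16
SHA256 (AndroidTamer4.ova) = e4f823baee3565b0871ec0865d1da0aad1f058665b7a212a326d85110a817164
"""

LINE = re.compile(r"^(MD5|SHA1|SHA256) \((.+)\) = ([0-9a-fA-F]+)$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64}


def parse_checksums(text):
    """Return {algo: (filename, hexdigest)}; reject malformed or truncated lines."""
    out = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE.match(line)
        if not m or len(m.group(3)) != HEX_LEN[m.group(1)]:
            raise ValueError("malformed checksum line: %r" % raw)
        out[m.group(1)] = (m.group(2), m.group(3).lower())
    return out


def verify(path, text=PUBLISHED, chunk=1 << 20):
    """Hash the file once, streaming, and compare against every listed digest."""
    expected = parse_checksums(text)
    if "SHA256" not in expected:
        # MD5 and SHA1 are not collision resistant, so they cannot stand alone.
        raise ValueError("no SHA256 line in checksum list")
    hashers = {algo: hashlib.new(algo.lower()) for algo in expected}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {algo: hmac.compare_digest(hashers[algo].hexdigest(), expected[algo][1])
            for algo in expected}


def is_intact(path, text=PUBLISHED):
    """Accept only when every listed digest matches the file on disk."""
    return all(verify(path, text).values())
```

A match against digests published alongside the download shows the file arrived uncorrupted; it is not a signature over the image.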

Show me the view
