Inspeckage - Android Package Inspector
Inspeckage is a tool developed to offer dynamic analysis of Android applications. By applying hooks to functions of the Android API, Inspeckage will help you understand what an Android application is doing at runtime.
Inspeckage will let you interact with some elements of the app, such as activities and providers (even unexported ones), and apply some settings on Android.
Why would you develop another tool?
Since dynamic analysis of Android applications (usually through hooks) is a core part of several mobile application security tests, the need of a tool that can help us do said tests is real. Even though there are other tools that promise to help you do that, I've run across some limitations when testing them:
- Lack of interaction with the user doing the tests;
- Only work in emulators;
- Plenty of time to update the tool after an Android update;
- Very poor output;
- Very costly setup.
Inspeckage (Package Inspector) is a simple application (apk) with an internal HTTP server providing a friendly web interface, developed as an Xposed Framework Module. You can run it without Xposed, but 80% of its features depends on the Xposed Framework so it's recommended that the framework is present on the device / emulator.
Inspeckage running on Android:
Inspeckage web interface:
With Inspeckage, we can get a good amount of information about the application's behavior:
- Information gathering
- Requested Permissions;
- App Permissions;
- Shared Libraries;
- Exported and Non-exported Activities, Content Providers,Broadcast Receivers and Services;
- Check if the app is debuggable or not;
- Version, UID and GIDs;
- Hooks (so far)
With the hooks, we can see what the application is doing in real time:
- Shared Preferences (log and file);
- HTTP (an HTTP proxy tool is still the best alternative);
- File System;
- Miscellaneous (Clipboard, URL.Parse());
With Xposed it's possible to perform actions such as start a unexported activity and much else:
- Start any activity (exported and unexported);
- Call any provider (exported and unexported);
- Disable FLAG_SECURE;
- SSL uncheck;
- Start, stop and restart the application.
- APK Download;
- View the app's directory tree;
- Download the app's files;
- Download the output generated by hooks in text file format;
- Take a screen capture;
Even though our tool has some hooks to the HTTP libraries, using an external proxy tool is still the best option to analyze the app's traffic. With Inspeckage, you can:
- Add a proxy to the target app;
- Enable and disable proxy;
- Add entries in the arp table.
GitHub, Xposed Module, XDA
This project is open source and it's available on GitHub:
The tool is also available in Xposed Modules Repository:
You can also download this tool directly from your device, through Xposed:
A thread was created in the XDA Developers forum:
Genymotion + Xposed + Inspeckage
For anyone who does not have an Android phone, I recommend using Genymotion.
I made a small tutorial on how to get it ready for Inspeckage.
The used files can be found here:
This is the first version, which I still consider a beta version, it is just the tip of the iceberg!
Future versions In addition to bug fixing and improving how the information is displayed, some of the features that may be added in future versions include:
- Show the application's code (reverse engineering);
- Add hooks to other libraries;
- Add Android hooks: sms, call, google service push, etc;
- Match-replace shared_prefs and clipboard;
- Show Logcat and other log libraries' output;
- Bypass root detection;
- Output in JSON format;
- Add fake location;
- And much more...
Remember, this is an open source project, feel free to contribute.