Releases: SUPERAndroidAnalyzer/super
SUPER 0.5.1
This release is the first SUPER release targeting Rust 2018 edition. It contains some internal improvements that will make future development easier and more efficient. It also has some internal enhancements. Additionally, we have fixed a bunch of spelling mistakes and upgraded some dependencies.
Changelog
Internal Changes
-
SUPER now requires Rust 1.31.0 (Rust 2018 edition) to be built.
-
Upgraded dependencies:
lazy_static
: 1.1 => 1.2md5
: 0.5 => 0.6regex
: 1.0 => 1.1abxml
: 0.6 => 0.7- Some other minor upgrades.
-
Multiple syntax changes to adapt the codebase to Rust 2018.
SUPER 0.5.0
The 0.5.0 release of SUPER, with one year of improvements merged to bring a new release. This release has mainly brought internal changes, that have made the code quality of this release improve drastically. We have also included performance improvements and mostly a huge upgrade of our dependencies to bring more stable versions.
This release contains multiple improvements that have been accumulated in the last year. We also improved our repository by adding a Code of Conduct and templates for issues and pull requests. Packages for Ubuntu, Debian, Fedora and CentOS are now generated automatically in each build, and deployed in each release. Here you can find the rest of the changes for this version.
Changelog
Features
- Added SDK version strings to Android versions. Reports will now show the Android version of the
target and minimum SDKs. - SUPER logo is now an SVG, so that it looks great in multiple resolutions.
- All icons in the source tree viewer are now SVGs too.
Internal Changes
- SUPER now requires Rust 1.30.0 to be built.
- Removed
error-chain
dependency in favor offailure
. - Upgraded dependencies:
clap
: 2.25 => 2.32xml-rs
: 0.4 => 0.8serde
: 0.9 => 1.0chrono
: 0.3 => 0.4toml
: 0.3 => 0.4regex
: 0.2 => 1.0lazy_static
: 0.2 => 1.1bytecount
: 0.1 => 0.4log
: 0.3 => 0.4env_logger
: 0.4 => 0.5sha1
: 0.2 => 0.6sha2
: 0.5 => 0.8abxml
: 0.2 => 0.6handlebars
: 0.25 => 1.1- Some other minor upgrades.
- New dependencies:
failure
: 0.1semver
: 0.9hex
: 0.3num_cpus
: 1.8
- Multiple documentation improvements.
- Code quality improved by using new syntax.
- Fixed multiple performance bottlenecks.
- Switched to library/binary architecture.
Bug Fixes
- Fixed decompilation of badly formatted APK files.
- Fixed strange characters in Windows Console.
SUPER 0.4.1
Fixed a small issue that prevented results
and dist
directory creation if they didn't exist.
Changelog
Internal Changes
- Upgraded
abxml
to 0.2.0.
Bug Fixes
- SUPER now properly creates
dist
andresults
directories if they do not exist.
SUPER 0.4.0
The 0.4.0 release of SUPER, with 20% to 50% analysis speed improvements thanks to removing the ApkTool Java dependency.
Changelog
Features
- Removed ApkTool dependency, analysis are now about 20% - 50% faster.
- Removed all ApkTool related configuration and CLI directives.
- The
--force
flag is now less aggressive. It won't remove a JSON report if only the HTML report
is being generated, and the other way around: it won't remove the HTML report if only the JSON
report is being generated.
Internal Changes
- SUPER now requires Rust 1.16.0.
- Errors moved to their own module.
- Upgraded dependencies:
clap
: 2.20 => 2.23xml-rs
: 0.3 => 0.4
And some other minor upgrades.
- Dependency in
yaml-rust
has been removed. - Dependency in
error-chain
0.10 has been added. - Dependency in
rust-crypto
has been removed and dependencies inmd5
,sha1
andsha2
have been added. - Dependency in
abxml
has been added to remove the ApkTool dependency. - Added more documentation for some modules.
Bug Fixes
- Fixed error when adding
--open
flag on JSON-only reports.
SUPER 0.3.1
Fixed compatibility with Debian-based distributions.
Changelog
Bug Fixes
- SUPER will now have
super-analyzer
as package name. This avoids conflicts with Debian repositories.
SUPER 0.3.0
Third release of SUPER, with many changes and bug fixes.
Changelog
Features
- You can now specify the minimum criticality of a vulnerability for being reported. Using the
--min-criticality
CLI option, you can specify if the minimum reported criticality should be warning, low, medium, high or critical. - Optional JSON and HTML reports: By default, SUPER will generate an HTML report, but no JSON report. This behaviour can be changed either by changing two configuration options in the config.toml file
html_report
andjson_report
) or by invoking the script with--json
or--html
parameters. By default, if--json
is used, the HTML report won't get generated, but if you want both, you can specify so by using both options:--json --html
. - Tab completions: If you now install SUPER using one of the provided packages for UNIX, you will get tab completions. So, anytime you don't exactly know the command, you can simply press TAB and you will get suggestions or even command completions. This works for Bash, Fish and ZSH.
Internal Changes
- SUPER now requires Rust 1.15.1.
- Converted all
try!()
statements to use the new?
Rust operator. - Reduced cyclomatic complexity of Config::load_from_file() (#78): This makes configuration loading
faster and easily maintainable. - Improved logging using the
log
crate. - Upgraded dependencies:
clap
: 2.18 => 2.20colored
: 1.3 => 1.4serde
: 0.8 => 0.9handlebars
: 0.22 => 0.25chrono
: 0.2 => 0.3regex
: 0.1 => 0.2
And some other minor upgrades. Both theregex
and theserde
dependencies have been the major upgrades and should improve our future releases.
Changes in Rules
- Changed some regular expressions to match the new
regex
crate classes. - The files to be searched with a given rule can now be filtered by two new fields:
include_file_regex
: A regex that all tested files will match.exclude_file_regex
: A regex that will whitelist files matched by the previous regex.
This enables much better file searching: If you need to search forR
class variables, no need to search other files thanR.java
.
Bug Fixes
- SUPER no longer prints to
stderr
on tests. - Finally fixed all output coloring errors.
Contributions
Apart from the core team, the following people have contributed to this release:
SUPER 0.2.0
Second release of SUPER, with a ton of changes and new contributors!
Changelog
Features
- SUPER now uses templates for report generation. This is one of the biggest changes of the release, and enables users to create their own report templates.
- Installation package for Mac OS.
- Line highlighting is now shown in the vulnerable line of the code in found vulnerabilities, colored depending on the criticity of the vulnerability.
- Reports now show the version of SUPER used to generate them.
- SUPER now supports analysis of applications placed anywhere instead of having to place them in a folder.
- Added the
--open
option to automatically open reports. - Added the
--test-all
option to the CLI, that will test all .apk files in the downloads folder. - Added options to the CLI to modify the properties in the config file. We now have
--downloads
,--threads
,--dist
,--results
,--apktool
,--dex2jar
,--jd-cmd
,--rules
or--template
options in the CLI.
Changes in rules
- SUPER now detects
exported
attributes in<provider>
,<receiver>
,<activity>
,<activity-alias>
and<service>
tags in the AndroidManifest.xml, and reports potential vulnerabilities. This still needs work since we still don't have all the required information to show real vulnerabilities.
Bug Fixes
- Changed paths for better multi-platform support.
- Regular Expressions:
- URL Disclosure no longer detects content providers (
content://...
).
- URL Disclosure no longer detects content providers (
- Solved some coloring errors when combining styling and color in the same print.
Contributions
SUPER 0.1.0
This is the first release of the SUPER Android Analyzer. In this first version, basic report styling, 37 analysis rules and really fast performance have been achieved. For more information, you can check the release announcement.
Changelog
Features
- Release of 64-bit packages for Linux (Debian 8.6, Ubuntu 16.04, CentOS 7, Fedora 24) and Windows (8.1+).
- AndroidManifest.xml analysis (Dangerous permission checks).
- Certificate analysis (Certificate validity checks).
- Code analysis (37 rules for checking the source code):
- SQLi
- XSS
- URL Disclosure
- Weak algorithms
- Insecure WebViews
- Generic exceptions
- Root detection
- ...
- HTML and JSON report generation.
- Classification of vulnerabilities (Critical, High, Medium, Low, Info).
- Application related info.
- File fingerprinting.