Introducing Scrounger – iOS and Android mobile application penetration testing framework

Scrounger is a modular tool designed to perform the routine tasks required during a mobile application security assessment.  Scrounger conveniently brings together both major mobile operating systems – Android and iOS – into a single tool, in a way that is easy use, well documented, and easily extensible.

Where it differs

Scrounger consists on a number of modules that were built on top of a strong core. The rationale is to allow easy extensibility, just like Metasploit does. As a result, if you want Scrounger to perform additional checks, you can simply add a new module that can then be executed either through Scrounger’s interactive console or its command line interfaces.

Furthermore, it contains both Android and iOS modules, so, instead of using multiple tools to help you during a mobile application assessment, Scrounger offers you the possibility to use only one tool and learn only one set of commands, that will work for both operating systems.

Scrounger already comes bundled with several modules that can be run to perform several checks against mobile applications.

Requirements

Scrounger has a few requirements, such as the installation of certain packages on the host and certain iOS binaries.

However, it already packs most of the iOS binaries and offers a module that installs them on the device. The package requirements are also specified on the Scrounger GitHub page.

If the prerequisites are not satisfied, Scrounger will simply not run certain modules. All the modules with prerequisites that are satisfied will run without any problems.

The other main requirement is to have jailbroken and rooted devices.

Usage

There are two main ways of using Scrounger: command line or interactive console.

The command line will be used mainly when performing all checks or making any automation scripts. On the other hand, the console will be used to run only a certain number of modules or when performing specific actions such as, decompiling, recompiling and signing applications, extracting certain files, etc.

Command line options

When using the command line, you can list the available modules and their arguments, list the available devices, run a full analysis (which runs all the modules for a certain type of application – Android or iOS) and run a specific module while passing the required arguments.

Here is an example of running a specific module, using the command line Scrounger, on an Android application.

First, we start by listing the required options for the module that we want to run and then we run it.

Console Examples

The console is the main attraction. It is packed with several powerful options and there is plenty of room for further improvements. The console already offers autocomplete (including file path autocomplete), module search, the ability to re-use results from other modules as arguments, command history between usages and the ability to reverse search the used commands.

Here is an example of the console listing specifically the available modules for iOS.

When listing modules, a brief description of what the module does will also be displayed. For both iOS and Android there are two main types of module, misc and analysis. The misc modules are auxiliary modules that perform several actions against the applications, their files and/or devices. In order to assess if there are any security flaws, the analysis modules analyses either the application files, the application itself or the application-generated files.

First, we run the command options to show the required arguments for the specific module (as you would when using Metasploit). The options command also shows the global options. If this is set and a module with the same argument is used, its value will be automatically set. Once the required arguments are set, we run options again to make sure that everything is set properly and run the module using the command run.

As we can see, Scrounger will generate some output and results from running certain modules. These results can then later be used by other modules.

We can use the command show results to see all stored results returned by the execution of other modules. The print command can be used to show the value stored on a certain result, but also to print values stored in global or module arguments. If a result is of interest to run in another module, it can be used by setting the required argument with the desired result starting with the result: keyword. When setting these arguments, autocomplete will also look in the saved results table and suggest them. Once everything is set, we can simply run the module.

Device Examples

Several modules will require interaction with either an iOS or Android device. It is quite easy to add a device both in the command line or in console.

In this example, an Android device is added to the console using the add_device command (this also offers autocomplete: it will try to get the connected devices and show them as an option). Then, using the set global command, we set the device to be device 1 . When using the misc/list_apps command, since the global option is already set and there is a module argument with the same name, it will automatically fill in the value for that argument.

Extensibility

Scrounger can also be easily extended to include custom modules and perform custom checks depending on the pentesters preference (and we welcome submissions to be included in future releases of Scrounger). When installing Scrounger, all the necessary directories will be created for you. It creates a custom modules directory under ~/.scrounger/modules/custom.
In the following example, a custom module was created under custom/analysis/ios/false_positive, meaning that this false_positive module is run against iOS applications.

Creating your own module

To create a custom module is quite simple and requires only three steps: creating a file under the correct module directory depending on what your module is looking to do, creating two variables meta and options, as well as a function run.

Here is an example.

 

The newly created file will be automatically added to the list of available modules the next time scrounger-console is launched. There are a few more elements to consider when it comes to creating the modules, especially analysis modules. For full details, Scrounger offers comprehensive documentation on all the available modules and a detailed explanation on how to create custom ones: https://github.com/nettitude/scrounger/docs

Real life case scenario

On a typical mobile application assessment, we would try to run as many modules as possible. To facilitate that, there is a module that runs all modules called full_analysis in the console and an option -f in the command line.

This option/module will decompile the application and run all the necessary auxiliary modules and run all the other available modules. It then creates a JSON file that contains the results and details of each module that returned report=True. The command line executable also has an option ( -p) that will read a JSON file and print all the results and details to the console.

Future work, feedback & special thanks

There is a lot in store for Scrounger’s future.

The next features to be implemented are included in the last section of the README in Scrounger’s GitHub: https://github.com/nettitude/scrounger.

Any feedback, ideas or bugs can be submitted over on GitHub.

Additionally, a special thanks to all the existing tools and their developers, as they have contributed to bringing Scrounger to life. Just to mention a few:

Download

github GitHub: https://github.com/nettitude/scrounger