Juan Heguiabehere
Hi, The idea is that Marvin-Toqueton inputs those values when an app asks for a password or email, or even reads data from the phone such as the phone number....
Hi, Have you installed Cydia Substrate? The FuzzingHelper needs it to work properly. The values are in the file assets/privacy.json. client.sh will ask the server for a vulnerability to check,...
Hi, The values in FUZZER_VALUES don't show up in privacy.json because they are hardcoded (sorry). As for the dynamic analysis, sometimes the custom trust manager is only for debug mode...
Well, you can't run mitmproxy when the client is running because the client is already running mitmproxy, so that's not the problem. Thing is, the emulator's traffic has to be...
It does seem that traffic isn't reaching the analyzer. Run mitmproxy -T (the client should not be running), start a browser in the emulator, and try to access some HTTP...
Try running the application with mitmproxy running. If nothing shows up, it could be that the app communicates exclusively via https, and does proper certificate validation. In that case, no...
What it means is that the dynamic analyzer could not confirm the vuln. It could still be there. Although all the traffic I see is HTTP: you can't verify correct...
It only means the analyzer was not able to trigger the vuln; it could still be there. Tomorrow I can send you some apps with vulns that should get triggered...
It looks like Androguard was looking at a method and couldn't figure out where it was called from. (The name comes from "cross reference" and "from"). Does the static analysis...
Hi! Severity goes from 1 to 9, with 9 being the most dangerous. It is assigned by vulnerability type. Cheers, Juan 2016-12-07 7:17 GMT-03:00 cnscyy : > Thank you for...