from libmproxy.protocol.http import decoded error

Open cnscyy opened this issue 8 years ago • 52 comments

I have installed mitmproxy using apt-get mitmproxy; the version is 0.15.1. It doesn't work when I install mitmproxy using pip install. Then I run python VMclient.py: Traceback ImportError: cannot import name decoded. The Linux OS is Ubuntu 16.4.

This is an error in mitmproxy. I want to ask what environment you use. Do you meet the same question?

cnscyy avatar Dec 01 '16 08:12 cnscyy

Hi, We're using mitmproxy version 0.11.3. They've been changing the API, so it's very likely that newer versions will not work with the dynamic analyzer. I'll try and change it to the new version, but I can't give you time estimates for that.

Cheers, Juan

jheguia avatar Dec 02 '16 19:12 jheguia

Thanks for answering my question. I use the same version of mitmproxy as yours; this question did not appear. Thank you a lot.

cnscyy avatar Dec 06 '16 08:12 cnscyy

Hello, in the dynamic analyzer, can I use Android x86 4.4 or a higher version?

cnscyy avatar Dec 16 '16 05:12 cnscyy

There are two problems with that: Cydia Substrate support and fixed network support. I was able to make a version of Toqueton that uses Xposed Framework instead of Cydia Substrate, but the newer images insisted on raising the dhcp daemon and changing the routes, thus evading the proxy. I haven't found a way to get the network interface to use fixed address and routes.

Best regards, Juan

jheguia avatar Dec 16 '16 14:12 jheguia

Thank you for your patience! I have another question about this project. Are the VM_MANAGER_IP, REPORTER_IP, DOWNLOAD_APK_SITE and front page IP the same or different? If they are the same, is just the port number different?

cnscyy avatar Dec 22 '16 09:12 cnscyy

Can this project, Marvin-dynamic-Analyzer, run on Windows? Can it be achieved with several VMs instead of OpenNebula?

cnscyy avatar Dec 22 '16 10:12 cnscyy

Hi, VM_MANAGER_IP is the address where the server is running. REPORTER_IP is where the client is running, and DOWNLOAD_APK_SITE is where the Marvin front-end is running. You can run the different parts of Marvin in different machines, or in the same machine.

Cheers, Juan

jheguia avatar Dec 22 '16 14:12 jheguia

It will not work "out of the box": it will require minor modifications to the startup scripts, figuring out how to redirect traffic to the proxy, and maybe do some changes to the calls to "sys" and the threads part. I think it's better if you run it in a Linux VM. As for replacing OpenNebula, any VM solution that lets you restore "live" snapshots programmatically should work fine.

Best regards, Juan

jheguia avatar Dec 22 '16 14:12 jheguia

Hello, thanks a lot. I will run it in Linux VMs. When I use emulator_setup.sh to root the android-x86 4.3, it always prompts "Permission denied":

mount: Permission denied

mkdir failed for /system/bin/.ext, Read-only file system

Unable to chmod /system/xbin/su: Read-only file system

remount failed: Permission denied

What should I do about this?

    ./emulator_setup.sh SSL 192.168.137.102 192.168.137.1
    Run with {SSL/NOSSL} {EMULATOR-IP} {GATEWAY-IP-FOR-EMULATOR} as args
    SSL 192.168.137.102 192.168.137.1
    Using emulator address 192.168.137.102:5556

    connected to 192.168.137.102:5556
    192.168.137.102:5556
    adb connect 192.168.137.102:5556
    adbd is already running as root
    adb -s 192.168.137.102:5556 root
    already connected to 192.168.137.102:5556
    adb connect 192.168.137.102:5556
    push: emulator_support_files/Android-x86-RootScript-4.3/system/etc/init.sh -> /data/local/system/etc/init.sh
    push: emulator_support_files/Android-x86-RootScript-4.3/system/bin/.ext/.su -> /data/local/system/bin/.ext/.su
    push: emulator_support_files/Android-x86-RootScript-4.3/system/bin/README -> /data/local/system/bin/README
    push: emulator_support_files/Android-x86-RootScript-4.3/system/app/Superuser.apk -> /data/local/system/app/Superuser.apk
    push: emulator_support_files/Android-x86-RootScript-4.3/system/xbin/su -> /data/local/system/xbin/su
    push: emulator_support_files/Android-x86-RootScript-4.3/system/xbin/daemonsu -> /data/local/system/xbin/daemonsu
    push: emulator_support_files/Android-x86-RootScript-4.3/install-device.sh -> /data/local/install-device.sh
    7 files pushed. 0 files skipped.
    3413 KB/s (2628119 bytes in 0.751s)

    Root script for Android 4.3
    By Quinny899 @ XDA
    Root by Chainfire @ XDA

    Script loaded
    Installing to device from device
    Mounting...
    mount: Permission denied
    Removing old files...
    rm failed for /system/xbin/daemonsu, Read-only file system
    rm failed for /system/xbin/su, Read-only file system
    rm failed for /system/app/Superuser.apk, Read-only file system
    Copying files...
    mkdir failed for /system/bin/.ext, Read-only file system
    cp: /system/bin/.ext is not a directory
    cp: /system/xbin/su: Read-only file system
    cp: /system/xbin/daemonsu: Read-only file system
    cp: /system/app/Superuser.apk: Read-only file system
    install-device.sh[25]: can't create /system/etc/init.sh: Read-only file system
    Setting permissions...
    Unable to chmod /system/xbin/su: Read-only file system
    Unable to chmod /system/xbin/daemonsu: No such file or directory
    Unable to chmod /system/bin/.ext/.su: No such file or directory
    Unable to chmod /system/bin/.ext: No such file or directory
    Unable to chmod /system/etc/init.sh: Read-only file system
    Cleaning up...
    Finished. You need to reboot for root to be available
    remount failed: Permission denied
    sed: can't create temp file '/system/etc/init.shac2367': Read-only file system
    /system/bin/sh: can't create /system/etc/init.sh: Read-only file system
    /system/bin/sh: can't create /system/etc/init.sh: Read-only file system
    /system/bin/sh: can't create /system/etc/init.sh: Read-only file system
    /system/bin/sh: can't create /system/etc/init.sh: Read-only file system
    /bin/.ext is not a directory
    cp: /system/xbin/su: Read-only file system
    cp: /system/xbin/daemonsu: Read-only file system
    cp: /system/app/Superuser.apk: Read-only file system
    install-device.sh[25]: can't create /system/etc/init.sh: Read-only file system
    Setting permissions...

cnscyy avatar Dec 23 '16 07:12 cnscyy

The Android x86 system is android-x86-4.3-20130725.iso.

cnscyy avatar Dec 23 '16 08:12 cnscyy

Hello, sorry to bother you again! The question of rooting Android x86 4.3 has been solved. Now I still have some questions to ask you. Does the front-end combine the static-analyzer with the dynamic-analyzer? I have not found a link for the dynamic-analyzer in the front pages. Now the static-analyzer and dynamic-analyzer use the same database, but work independently at the same IP but different ports.

cnscyy avatar Jan 11 '17 02:01 cnscyy

The front end, the static analyzer and the dynamic analyzer all use the same DB backend, so you can see the results from the front end. The dynamic analyzer runs as stand alone; in fact you can have several clients for a server (as well as several Android VMs). The static analyzer is run from the front end, but is quite self-contained.

Cheers, Juan

jheguia avatar Jan 12 '17 15:01 jheguia

Hello again. Now I have run VMmanage.py and VMclient.py. The REPORTER_IP='localhost:8081'; I haven't seen any code about REPORTER_IP. When VMclient.py is running, it can't send the report to the IP; is there something I ignored? When VMclient.py is running, using Trigger.py and Analyzer.py to analyze the APK, I can't see anything in the results; the report {'trigger': {}, 'analyzer': {}} is still empty. I want to ask whether it will feed back the results when testing in the Android system. And is there something more I should do? Thanks for your patience!

cnscyy avatar Jan 19 '17 10:01 cnscyy

Hi, REPORTER_IP is used by Utils.get_reporter(), which itself is called by functions in Trigger.py and Analyzer.py. Perhaps you don't have forwarding enabled, or the iptables set? Check client/client_setup.sh and check that:

a) You ran it as root.
b) The network interface mentioned (eth0) is the one your machine uses and there are no more network interfaces.
c) The Android emulator routing tables have as default gateway the machine where you're running the client.

You can check if everything works by running mitmproxy -T and accessing some unencrypted page from the Android browser: if it's working, the traffic should show up in mitmproxy.

Cheers, Juan

jheguia avatar Jan 19 '17 17:01 jheguia

Hi, thanks again! Analyzer.py calls StorageAnalyzer(self).analyze_storage(); in StorageAnalyzer.py:

    for keyword, value in self.sensitiveValues().iteritems():
        if value in content:
            self.analyzer.add_to_report(self.get_filter_id(), "Found plaintext {0} (value {1}) in file {2}".format(keyword, value, file))

The self.sensitiveValues().iteritems() is the FUZZER_VALUES in settings.py:

    FUZZER_VALUES={
        'PASSWORD': 's3cr3tpass',
        'MAIL' : '[email protected]',
        'PHONE' : '1112341234',
        'CONTACTNAME' : 'C0ntactFuzz',
        'CONTACTPHONE' : '1107060504'
    }

Every time the value is compared with content, it is always different, so it never adds anything to the report. Should the FUZZER_VALUES be configured by some rules? And in the project, I only see Analyzer.py call the StorageAnalyzer; I don't find the call to the other analyzer files. Is there something I don't do correctly?

cnscyy avatar Jan 20 '17 10:01 cnscyy

Hi, The idea is that Marvin-Toqueton inputs those values when an app asks for a password or email, or even reads data from the phone such as the phone number. If those values are found in the storage files, we flag the app as having insecure storage. Maybe the app you're analyzing doesn't do that. What you should probably see if the Fuzzing Helper is installed, is these values being used as input to the app in the emulator, and the URLs it accesses in the shell where you run the client.

Cheers, Juan

jheguia avatar Jan 20 '17 19:01 jheguia
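The canary check described in the reply above, as an added Python 3 example that is not code from the Marvin project: it goes beyond the plain substring test quoted in the thread by also looking for UTF-16LE, base64 and hex forms of each value. The function names and the sample files are constructed for illustration.

```python
import base64
import binascii
import hashlib
import os
import tempfile

# Canary values quoted in the thread from settings.py. The MAIL entry is left
# out because its value is obscured on the page.
FUZZER_VALUES = {
    'PASSWORD': 's3cr3tpass',
    'PHONE': '1112341234',
    'CONTACTNAME': 'C0ntactFuzz',
    'CONTACTPHONE': '1107060504',
}


def encodings_of(value):
    """Byte patterns under which a canary may sit in a storage file."""
    raw = value.encode('utf-8')
    return {
        'plaintext': raw,
        'utf-16le': value.encode('utf-16-le'),
        'base64': base64.b64encode(raw),   # only matches a value encoded on its own
        'hex': binascii.hexlify(raw),      # lowercase hex digits
    }


def scan_storage(root, canaries=FUZZER_VALUES):
    """Return sorted (relative path, keyword, encoding) for every canary hit."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, 'rb') as fh:
                content = fh.read()
            lowered = content.lower()  # hex dumps may use upper-case digits
            for keyword, value in canaries.items():
                for label, pattern in encodings_of(value).items():
                    haystack = lowered if label == 'hex' else content
                    if pattern in haystack:
                        rel = os.path.relpath(path, root).replace(os.sep, '/')
                        findings.append((rel, keyword, label))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed stand-in for an app data directory pulled from the emulator."""
    samples = {
        'shared_prefs/login.xml':
            b'<map><string name="pwd">s3cr3tpass</string></map>',
        'files/cache.bin':
            b'name=' + base64.b64encode(b'C0ntactFuzz'),
        'databases/contacts.db':
            b'\x00\x01' + '1112341234'.encode('utf-16-le'),
        # A hashed value is not a plaintext leak and must not be reported.
        'files/session.dat':
            hashlib.sha256(b's3cr3tpass').hexdigest().encode('ascii'),
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split('/'))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'wb') as fh:
            fh.write(data)


def demo():
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_storage(root)


if __name__ == '__main__':
    for finding in demo():
        print('%s: %s found as %s' % finding)
```

An empty result from such a scan only shows that the canaries never reached storage in one of these forms, which matches the reply's point that the values must first be typed into the app.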

Hello, the Fuzzing Helper is installed well. Maybe the values are not used as input to the app in the emulator. Is using the values as input to the app automatic or manual? When I run ./client.sh, it is in a loop running python VMClient.py. This will analyze the vulnerabilities again and again, even the same vulnerability; is this all right?

cnscyy avatar Jan 23 '17 02:01 cnscyy

Hi, Have you installed Cydia Substrate? The FuzzingHelper needs it to work properly. The values are in the file assets/privacy.json. client.sh will ask the server for a vulnerability to check, and the server will choose one at random, so it is perfectly possible that it checks the same vuln repeatedly (especially if there is only one). Since the search has a random component, it might be that the fuzzer needs to check an app several times before it finds a way to exploit the vuln. There is a limit to the number of times it will do the test: it's hardcoded in client.py.

Cheers, Juan

jheguia avatar Jan 23 '17 14:01 jheguia

Hi, thanks again. I have installed Cydia Substrate. [image] In assets/privacy.json, the content is the same as FUZZER_PRIVACY_VALUES, but there is no FUZZER_VALUES in assets/privacy.json. In StorageAnalyzer.py, it compares the FUZZER_VALUES; should I add the FUZZER_VALUES to assets/privacy.json? In the static analyzer, there are SSL_CUSTOM_TRUSTMANAGER vulnerabilities. When tested in the dynamic analyzer, there is no vulnerability. It didn't call handle_request() in SSLAnalyzer.py. Is there something wrong?

cnscyy avatar Feb 07 '17 03:02 cnscyy

Hi, The values in FUZZER_VALUES don't show up in privacy.json because they are hardcoded (sorry). As for the dynamic analysis, sometimes the custom trust manager is only for debug mode or works well anyway (such as when you do certificate pinning). Dynamic analysis is there precisely because static analysis gives too many false positives. That said, handle_request() not being called could mean that either the certificates are being properly validated or that the forwarding isn't working: did you see mention of any traffic when running the client?

Cheers, Juan

jheguia avatar Feb 07 '17 15:02 jheguia

Hi, thanks again. I run the client and server in the same VM. When I run ./client.sh, I can see the traffic in VMmanage and VMclient, such as: [image] [image] But when I run ./client.sh and VMmanage.py, it can't run mitmproxy -T properly. [image] Is there something wrong in forwarding?

cnscyy avatar Feb 08 '17 06:02 cnscyy

Well, you can't run mitmproxy when the client is running because the client is already running mitmproxy, so that's not the problem. Thing is, the emulator's traffic has to be routed via the machine where client.sh runs, and that machine has to have forwarding enabled and the 80 and 443 ports forwarded to port 8080. When you run client.sh, after "connected to adb as root", the messages on screen should read:

    Installing app
    App installed
    Setting gateway
    Gateway set
    Running FuzzingTrigger

and then there should be a list of URIs visited, maybe with some lines starting with "request path".

Then some messages about POST requests and "already closed trigger", "already closed analyzer", "already closed reporter".

Do you see all of that? If there isn't a list of URIs, you can try not running the client and checking that mitmproxy captures regular HTTP traffic. Do make sure the time on the emulator is correctly set or the browser will drive you crazy with messages about invalid certificates.

Cheers, Juan

jheguia avatar Feb 08 '17 14:02 jheguia

When I run ./client.sh, the message on the screen is: [image] The trigger and analyzer are empty. I found that it didn't call handle_request in SSLAnalyzer.py. Is there some question?

cnscyy avatar Feb 09 '17 06:02 cnscyy

It does seem that traffic isn't reaching the analyzer. Run mitmproxy -T (the client should not be running), start a browser in the emulator, and try to access some HTTP page. mitmproxy should show you the requests and responses, at least for the nonencrypted accesses. If it doesn't, it could be several things:

  • Packet routing isn't enabled (try "cat /proc/sys/net/ipv4/ip_forward", answer should be 1)
  • Ports 80 and/or 443 are not forwarded. Try running "iptables -L -t nat" as root; it should show something like:

        Chain PREROUTING (policy ACCEPT)
        target     prot opt source     destination
        REDIRECT   tcp  --  anywhere   anywhere     tcp dpt:http redir ports 8080
        REDIRECT   tcp  --  anywhere   anywhere     tcp dpt:https redir ports 8080

    If this is not the case, perhaps you didn't run client_setup.sh as root before starting the client for the first time.

  • The emulator doesn't have the client as default gateway. In this case, you should start a terminal and run "busybox route -n" and see what is the default gateway for it.

Tell me what results you get.

Cheers, Juan

jheguia avatar Feb 09 '17 15:02 jheguia
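The three checks listed in the reply above, written as a small parser over the command outputs; this is an added Python example, not code from the Marvin project. The sample outputs are constructed, the addresses 192.168.137.111 and 192.168.137.1 are the ones the reporter quotes elsewhere in the thread, and the function names are made up for this illustration.

```python
import re

PROXY_PORT = 8080  # the thread says ports 80 and 443 must be redirected here
SERVICE_PORTS = {'http': 80, 'https': 443}  # names printed by iptables -L without -n


def forwarding_enabled(ip_forward_text):
    """True if the content of /proc/sys/net/ipv4/ip_forward is 1."""
    return ip_forward_text.strip() == '1'


def redirected_ports(iptables_nat_text):
    """Map destination port -> redirect port for PREROUTING REDIRECT rules.

    Rules in other chains are ignored: traffic arriving from the emulator
    only passes through PREROUTING."""
    found, in_prerouting = {}, False
    for line in iptables_nat_text.splitlines():
        if line.startswith('Chain '):
            in_prerouting = line.split()[1] == 'PREROUTING'
            continue
        if not in_prerouting or not line.startswith('REDIRECT'):
            continue
        match = re.search(r'dpt:(\S+)\s+redir ports (\d+)', line)
        if match:
            name = match.group(1)
            port = SERVICE_PORTS.get(name, int(name) if name.isdigit() else None)
            if port is not None:
                found[port] = int(match.group(2))
    return found


def default_gateway(route_n_text):
    """Gateway of the 0.0.0.0 route in `route -n` output, or None."""
    for line in route_n_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == '0.0.0.0' and 'G' in fields[3]:
            return fields[1]
    return None


def diagnose(ip_forward_text, iptables_nat_text, route_n_text, client_ip):
    """Return a list of problems; an empty list means all three checks pass."""
    problems = []
    if not forwarding_enabled(ip_forward_text):
        problems.append('ip_forward is not 1')
    redirects = redirected_ports(iptables_nat_text)
    for port in (80, 443):
        if redirects.get(port) != PROXY_PORT:
            problems.append('port %d is not redirected to %d' % (port, PROXY_PORT))
    gateway = default_gateway(route_n_text)
    if gateway != client_ip:
        problems.append('emulator default gateway is %s, expected %s'
                        % (gateway, client_ip))
    return problems


# Constructed sample outputs (not taken from the reporter's machine).
CLIENT_IP = '192.168.137.111'
GOOD_NAT = """Chain PREROUTING (policy ACCEPT)
target     prot opt source      destination
REDIRECT   tcp  --  anywhere    anywhere     tcp dpt:http redir ports 8080
REDIRECT   tcp  --  anywhere    anywhere     tcp dpt:https redir ports 8080
"""
BAD_NAT = """Chain PREROUTING (policy ACCEPT)
target     prot opt source      destination
REDIRECT   tcp  --  anywhere    anywhere     tcp dpt:http redir ports 8080

Chain OUTPUT (policy ACCEPT)
target     prot opt source      destination
REDIRECT   tcp  --  anywhere    anywhere     tcp dpt:https redir ports 8080
"""
ROUTE_HEADER = """Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
"""
GOOD_ROUTE = ROUTE_HEADER + "0.0.0.0  192.168.137.111  0.0.0.0  UG  0  0  0  eth0\n"
BAD_ROUTE = ROUTE_HEADER + "0.0.0.0  192.168.137.1  0.0.0.0  UG  0  0  0  eth0\n"

if __name__ == '__main__':
    print(diagnose('1\n', GOOD_NAT, GOOD_ROUTE, CLIENT_IP))
    print(diagnose('0\n', BAD_NAT, BAD_ROUTE, CLIENT_IP))
```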

Hello, I have run client_setup.sh as root. [image] Before I run client.sh, the route of the emulator is: [image] When I run client.sh, it will execute set_localhost_as_gateway; the route of the emulator is: [image] The IP of the client is 192.168.137.111. When I run mitmproxy -T and try to access some HTTP page, the result is: [image]

I also find that when executing the monkey command, the emulator will always do the monkey test and never stop. The result of the dynamic analysis is still empty. Thanks again!

cnscyy avatar Feb 10 '17 09:02 cnscyy

Try running the application with mitmproxy running. If nothing shows up, it could be that the app communicates exclusively via https, and does proper certificate validation. In that case, no traffic should show up.

Cheers, Juan

jheguia avatar Feb 10 '17 22:02 jheguia

When the app was tested by the monkey test, there is some HTTP information in mitmproxy. [image] But it is still empty after running the dynamic analysis; does this mean the vuln found by the static analyzer does not really exist? Thanks again!

cnscyy avatar Feb 13 '17 10:02 cnscyy

What it means is that the dynamic analyzer could not confirm the vuln. It could still be there. Although all the traffic I see is HTTP: you can't verify correct certificate treatment from plaintext traffic. Check if you have a file called "[package_name]_network_traffic" and whether it's empty or not.

Cheers, Juan

jheguia avatar Feb 13 '17 17:02 jheguia

It only means the analyzer was not able to trigger the vuln; it could still be there. Tomorrow I can send you some apps with vulns that should get triggered easily.

Cheers, Juan

jheguia avatar Feb 14 '17 02:02 jheguia