MiniScope is a framework for detecting privacy violations using hybrid analysis. It introduces a novel topological structure named MDG (MiniApp Dependency Graph) to guide dynamic testing. At the same time, MiniScope monitors privacy practices by hooking sensitive APIs, and cross-validates with privacy policies to detect violations.
- Ubuntu 20.04
- Rooted Android Device (Physical or Virtual)
- Local area network (Android device and Laptop could connect to each other)
-
Install requirements for
pdg_jsandwxappUnpacker# Make sure that node.js and npm are available sudo apt update && sudo apt install nodejs npm node --version && cd src/static/pdg_js && npm i cd src/static/utils/wxappUnpacker && npm i
-
Install requirements for python
# Make sure that python3.7+ and pip are available sudo apt install python3 python3-pip # Install requirements pip3 install -r requirements.txt
-
Install Android SDK Platform-Tools
Android SDK is needed to run Appium and connect the android device.
https://developer.android.google.cn/studio/releases/platform-tools
-
Install Appium and UIautomator2
# Make sure that AndroidSDK is available npm i --location=global appium # Install Appium appium # make sure appium server is started appium driver install uiautomator2 # Install uiautomator2 driver
-
Root device firstly, and Magisk is recommended.
https://github.com/topjohnwu/Magisk https://topjohnwu.github.io/Magisk/install.html https://magiskcn.com/
-
Check the Xweb Kernel Version(Tested on 107.0.5304.141) and enable kernel debug of WeChat(Tested on 8.37).
# Enter the following URL from the WeChat chat box and click httpbin.org/user-agent # Check Xweb Kernel Version https://sites.google.com/chromium.org/driver/downloads # Download ChromeDriver of the appropriate version into minidroid/drivers http://debugxweb.qq.com/?inspector=true # Enable Xweb Kernel Debugging
-
Install Frida-server for sensitive API hooking.
-
Install with Magisk Plugin (Recommended).
https://github.com/ViRb3/magisk-frida
-
Install manually.
# Make sure that adb is available https://github.com/frida/frida/releases # Download frida-server adb [your-frida-server-path]./frida-server # Start frida-server frida-ps -U # Make sure that the frida-server is available now
-
-
Install Objection to bypass ssl pinning.
# Objection: https://github.com/sensepost/objection # SSL pinning: https://www.thesslstore.com/blog/an-introduction-to-pinning/ pip3 install objection # Manually objection -g com.tencent.mm explore android sslpinning disable # But code will run above automatically.
-
Install mitmproxy certificates for web packet capturing.
https://docs.mitmproxy.org/stable/concepts-certificates/ # Install mitmproxy certificates-
Android version below 8 (included)
Device trust imported certificate. Download the certificate, and click it to install.
-
Android version above 9 (included)
Device doesn’t trust user imported certificate. It’s needed to place the certificate in
/system/etc/security/cacerts. If/systemis unreadable and cannot be remounted, a customed Magisk plugin is needed.# Plugin modules: https://github.com/Magisk-Modules-Repo/energizedprotection git clone https://github.com/Magisk-Modules-Repo/energizedprotection.git # Modify ./module.prop as below id=Certs name=Certs version=*** versionCode=*** author=*** description=mitmproxy and Fiddler Certs. # Place cert into ./system/etc/security/cacerts # Install the Magisk module. # Reboot, and the cert is installed.
If you want to add your own packet filtering rules, add filter class to
./src/monitor/addons.pyand add the class name toaddonsvariable. -
Connect the device with Ubuntu via Android SDK platform-tools (remote or usb).
#! /bin/bash
export ANDROID_HOME=/usr/lib/android-sdk
echo $ANDROID_HOME
/usr/local/bin/appiumTo obtain the current page path during dynamic testing
# Obtain page path copy permissions based on the following URL
https://kf.qq.com/faq/180725biaAn2180725VnQjYF.html
# Capture network packets(POST request)
https://mp.weixin.qq.com/cgi-bin/copywxapath?action=sendmsg_of_copywxapath
# Replace Token and Cookie in the following config
minidroid/src/dynamic/config/token/token.tomlTo obtain the privacy policy of the MiniApp
# Access the following URL and capture network packets for WeChat PC
https://mp.weixin.qq.com/wxawap/waprivacyinfo?appid=wx210963174dd44184&action=show
# Replace the UIN, KEY, and WAP_SID2 in the following config
minidroid/src/static/pp_crawler/config.pyHere're arguments:
-
-c/--config: specify the config file path. Here's a config example.localChrome = # path to chrome driver appName = # name of miniapp appID = # appid of miniapp [capabilities] deviceName = # device name(remote or usb) for test platformName = "Android" appPackage = "com.tencent.mm" appActivity = "com.tencent.mm.ui.LauncherUI" automationName = "uiautomator2" noReset = true unicodeKeyboard = true resetKeyboard = true chromedriverExecutable = # path to chrome driver
-
-id/--AppId: specify the app id of miniapp. -
-n/--AppName: specify the app name of miniapp. -
-pkg/--package: specify the package file path or folder path. -
-pp/--privacypolicy: specify the privacy policy file path. -
-sa/--staticAnalyzed: specify the static analyzed file path. -
-da/--dynamicAnalyzed: specify the static analyzed file path. -
-ca/--combinedAnalyzed: specify the combined analyzed file path.
Example:
python3 main.py -n 遂川旅游景点 -id wx4938079035028687 -pkg data/data_runtime/wx4938079035028687 -sa data/data_runtime/wx4938079035028687/StaticAnalyzer.pkl -da data/data_runtime/wx4938079035028687/DynamicAnalyzer.pkl This project is licensed under the terms of the AGPLV3 license.
- pdg_js is credit to DoubleX