Secure, Unified, Powerful, and Extensible Rust Android Analyzer
SUPER is a command-line application that can be used in Windows, macOS X, and Linux, that analyzes .apkfiles in search for vulnerabilities. It does this by decompressing APKs and applying a series of rules to detect those vulnerabilities.
But why create a new analyzer? Is it not enough with MobSF, Qark, Androbugs…? Well, we think it's not enough. All of them have two main issues we wanted to fix: They are written in Java or Python, and they are not easily extensible. They are not meant to be used by businesses directly working in Android analysis and don't put that kind of functionality first.
Our approach solves those issues differently: We first used Rust as our programming language. The language developed openly by Mozilla Foundation gives us lots of utilities to work with regular expressions, files, etc.; most importantly, it enables us to create secure software that does not depend on JVM or JIT compilers. With Rust, stack overflows, segmentation faults, etc., are impossible, which makes sense in a security-centered application. And it also gives us enough power to do efficient analysis, allowing us to automate it in high volume. This is given by Rust zero-cost abstractions, which gives us an efficiency only comparable to C/C++.
And secondly, we decided to make the software 100% extensible: All rules are centered in a rules.JSON file, and each company or tester could create its own rules to analyze what they need. It's also modular so that new developments can easily add new functionality. Finally, a templating system for results reports allows users to personalize the report.
It also gives excellent code review tools directly in the HTML report so anyone can search through the generated code with syntax highlighting for even better vulnerability analysis.
Source code and additional information can be found here: https://github.com/SUPERAndroidAnalyzer/super