I have an .apk file and want to check wheter the res/xml/network_security_config.xml [1] trusts user supplied certificates.
I read into the androguard docuemntation and I think it should be able to do what I want. However I am confused on how to run code like this from the documentation on an .apk file instead of the already extracted resources.arsc
from androguard.core.bytecodes.axml import ARSCParser
with open("resouces.arsc", "rb") as fp:
res = ARSCParser(fp.read())
# Now you can resolve IDs:
name = res.get_resource_xml_name(0x7F040001)
if name:
print(name)
# To get the content of an ID, you need to iterate over configurations
# You need to decide which configuration to use...
for config, entry in res.get_res_configs(0x7F040001):
# You can query `config` for specific configuration
# or check with `is_default()` if this is a default configuration.
print("{} = '{}'".format(config.get_qualifier() if not config.is_default() else "<default>", entry.get_key_data()))
How would I check whether the res/xml/network_security_config.xml file exists in an .apk file without extracting it and how would I check if it trusts user certificates? This is all I could figure out so far:
from androguard.core.bytecodes import apk
apk_file = apk.APK(app_path)
if 'res/xml/network_security_config.xml' in apk_file.files.keys():
print("found network_security_config.xml")
example network_security_config.xml:
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<base-config cleartextTrafficPermitted="true">
<trust-anchors>
<certificates src="system" />
<certificates src="user" />
</trust-anchors>
</base-config>
</network-security-config>
Edit: found out how to check for the presence of the .xml file and edited my code
[1] https://developer.android.com/training/articles/security-config.html
I figured it out: