This release is the first SUPER release targeting Rust 2018 edition. It contains some internal improvements that will make future development easier and more efficient. It also has some internal enhancements. Additionally, we have fixed a bunch of spelling mistakes and upgraded some dependencies.
-
SUPER now requires Rust 1.31.0 (Rust 2018 edition) to be built.
-
Upgraded dependencies:
lazy_static
: 1.1 => 1.2md5
: 0.5 => 0.6regex
: 1.0 => 1.1abxml
: 0.6 => 0.7- Some other minor upgrades.
-
Multiple syntax changes to adapt the codebase to Rust 2018.
This release contains multiple improvements that have been accumulated in the last year. We also improved our repository by adding a Code of Conduct and templates for issues and pull requests. Packages for Ubuntu, Debian, Fedora and CentOS are now generated automatically in each build, and deployed in each release. Here you can find the rest of the changes for this version.
- Added SDK version strings to Android versions. Reports will now show the Android version of the target and minimum SDKs.
- SUPER logo is now an SVG, so that it looks great in multiple resolutions.
- All icons in the source tree viewer are now SVGs too.
- SUPER now requires Rust 1.30.0 to be built.
- Removed
error-chain
dependency in favor offailure
. - Upgraded dependencies:
clap
: 2.25 => 2.32xml-rs
: 0.4 => 0.8serde
: 0.9 => 1.0chrono
: 0.3 => 0.4toml
: 0.3 => 0.4regex
: 0.2 => 1.0lazy_static
: 0.2 => 1.1bytecount
: 0.1 => 0.4log
: 0.3 => 0.4env_logger
: 0.4 => 0.5sha1
: 0.2 => 0.6sha2
: 0.5 => 0.8abxml
: 0.2 => 0.6handlebars
: 0.25 => 1.1- Some other minor upgrades.
- New dependencies:
failure
: 0.1semver
: 0.9hex
: 0.3num_cpus
: 1.8
- Multiple documentation improvements.
- Code quality improved by using new syntax.
- Fixed multiple performance bottlenecks.
- Switched to library/binary architechture.
- Fixed decompilation of badly formatted APK files.
- Fixed strange characters in Windows Console.
- Upgraded
abxml
to 0.2.0.
- SUPER now properly creates
dist
andresults
directories if they do not exist.
- Removed ApkTool dependency, analysis are now about 20% - 50% faster.
- Removed all ApkTool related configuration and CLI directives.
- The
--force
flag is now less aggressive. It won't remove a JSON report if only the HTML report is being generated, and the othey way around: it won't remove the HTML report if only the JSON report is being generated.
- SUPER now requires Rust 1.16.0 to be built.
- Errors moved to their own module.
- Upgraded dependencies:
clap
: 2.20 => 2.23xml-rs
: 0.3 => 0.4- And some other minor upgrades.
- Dependency in
yaml-rust
has been removed. - Dependency in
error-chain
0.10 has been added. - Dependency in
rust-crypto
has been removed and dependencies inmd5
,sha1
andsha2
have been added. - Dependency in
abxml
has been added to remove the ApkTool dependency. - Added more documentation for some modules.
- Fixed error when adding
--open
flag on JSON-only reports.
- SUPER will now have
super-analyzer
as package name. This avoids conflicts with Debian repositories.
- You can now specify the minimum criticality of a vulnerability for being reported. Using the
--min-criticality
CLI option, you can specify if the minimum reported criticality should be warning, low, medium, high or critical. - Optional JSON and HTML reports: By default, SUPER will generate an HTML report, but no JSON
report. This behaviour can be changed either by changing two configuration options in the
config.toml file (
html_report
andjson_report
) or by invoking the script with--json
or--html
parameters. By default, if--json
is used, the HTML report won't get generated, but if you want both, you can specify so by using both options:--json --html
. - Tab completions: If you now install SUPER using one of the provided packages for UNIX, you will get tab completions. So, anytime you don't exactly know the command, you can simply press TAB and you will get suggestions or even command completions. This works for Bash, Fish and ZSH.
- SUPER now requires Rust 1.15.1.
- Converted all
try!()
statements to use the new?
Rust operator. - Reduced cyclomatic complexity of Config::load_from_file() (#78): This makes configuration loading faster and easily maintainable.
- Improved logging using the
log
crate. - Upgraded dependencies:
clap
: 2.18 => 2.20colored
: 1.3 => 1.4serde
: 0.8 => 0.9handlebars
: 0.22 => 0.25chrono
: 0.2 => 0.3regex
: 0.1 => 0.2 And some other minor upgrades. Both theregex
and theserde
dependencies have been the major upgrades and should improve our future releases.
- Changed some regexes to match the new
regex
crate classes. - The files to be searched with a given rule can now be filtered by two new fields:
include_file_regex
: A regex that all tested files will match.exclude_file_regex
: A regex that will whitelist files matched by the previous regex. This enables much better file searching: If you need to search forR
class variables, no need to search other files thanR.java
.
- SUPER no longer prints to
stderr
on tests. - Finally fixed all output coloring errors.
Apart from the core team, the following people has contributed to this release:
- SUPER now uses templates for report generation. This is one of the biggest changes of the release, and enables users to create their own report templates.
- Installation package for Mac OS.
- Line highlighting is now shown in the vulnerable line of the code in found vulnerabilities, colored depending on the criticality of the vulnerability.
- Reports now show the version of SUPER used to generate them.
- SUPER now supports analysis of applications placed anywhere instead of having to place them in a folder.
- Added the
--open
option to automatically open reports. - Added the
--test-all
option to the CLI, that will test all .apk files in the downloads folder. - Added options to the CLI to modify the properties in the config file. We now have
--downloads
,--threads
,--dist
,--results
,--apktool
,--dex2jar
,--jd-cmd
,--rules
or--template
options in the CLI.
- SUPER now detects
exported
attributes in<provider>
,<receiver>
,<activity>
,<activity-alias>
and<service>
tags in the AndroidManifest.xml, and reports potential vulnerabilities. This still needs work since we still don't have all the required information to show real vulnerabilities.
- Changed paths for better multiplatform support.
- Regular Expressions:
- URL Disclosure no longer detects content providers (
content://...
).
- URL Disclosure no longer detects content providers (
- Solved some coloring errors when combining styling and color in the same print.
Apart from the core team, the following people has contributed to this release:
- Release of 64-bit packages for Linux (Debian 8.6, Ubuntu 16.04, CentOS 7, Fedora 24) and Windows (8.1+).
- AndroidManifest.xml analysis (Dangerous permission checks).
- Certificate analysis (Certificate validity checks).
- Code analysis (37 rules for checking the source code):
- SQLi
- XSS
- URL Disclosure
- Weak algorithms
- Insecure WebViews
- Generic exceptions
- Root detection
- ...
- HTML and JSON report generation.
- Classification of vulnerabilities (Critical, High, Medium, Low, Info).
- Application related info.
- File fingerprinting.