birmehto/DexRay

GitHub: birmehto/DexRay

DexRay 是一款 Android APK 静态安全分析工具,内置 100+ 密钥模式检测和 50+ 漏洞检查,对齐 OWASP Mobile Top 10 与 MASVS 标准,提供 CLI 和 Web 多种交互界面。

Stars: 0 | Forks: 0

# 🔒 DexRay — APK 安全扫描器 [![Python](https://img.shields.io/badge/python-3.12+-blue?logo=python&logoColor=white)](https://python.org) [![License](https://img.shields.io/badge/license-MIT-green)](LICENSE) [![CLI](https://img.shields.io/badge/CLI-Typer+Rich-9cf)](https://typer.tiangolo.com) [![Web](https://img.shields.io/badge/Web-FastAPI+Dark--Mode-009688)](https://fastapi.tiangolo.com) [![OWASP](https://img.shields.io/badge/OWASP-Mobile%20Top%2010-red)](https://owasp.org/www-project-mobile-top-10/)

DexRay Banner

## ✅ 概述 DexRay 是一款针对 Android APK 的静态安全分析工具 —— 包含 100+ 密钥模式、50+ 漏洞检查,以及符合 OWASP Mobile Top 10 和 MASVS 的多种交互界面。 ## 🚀 快速开始 ``` pip install -e . && pip install -e ".[dev]" ``` | 界面 | 命令 | |-----------|---------| | **CLI** | `dexray scan app.apk` | | **Web** | `uvicorn web.main:app` | | **Docker** | `docker compose up` | ## 🧪 CLI 用法 ``` dexray scan app.apk # Full analysis + reports dexray quick app.apk # Quick overview dexray manifest app.apk # Manifest details dexray strings app.apk --search "api" --count 100 dexray permissions app.apk --dangerous dexray info app.apk ``` ## ✅ 功能 - 🔐 **100+ 密钥模式** – Cloud token、身份验证密钥、API key - 🛡️ **50+ 漏洞检查** – 符合 OWASP Mobile Top 10 - 🌐 **多种交互界面** – CLI、Web 仪表盘、Docker - 📸 **暗色主题 UI** – 现代响应式设计 - 📄 **三种报告格式** – JSON、HTML、PDF - 🔌 **插件系统** – 使用自定义扫描器进行扩展 - 📊 **实时分析** – 实时进度跟踪 - 🌐 **详细结果** – 严重程度图表、证据、建议 ## 📁 项目结构 ``` dexray/ ├── assets/ # App icon, splash screen, screenshots ├── BRANDING.md # Brand asset generation guide ├── cli/main.py # Typer CLI ├── web/main.py # FastAPI ├── config/settings.py # Configuration ├── core/ │ ├── models.py # Data models │ └── analysis_engine.py # Async orchestrator ├── scanner/modules/ # 17 scanner modules │ ├── manifest_scanner.py # AndroidManifest.xml │ ├── certificate_scanner.py # TLS/SSL cert extractor │ ├── strings_scanner.py # DEX/XML/SO strings │ ├── security_checker.py # 50+ checks │ ├── secret_scanner.py # 100+ patterns │ ├── network_config_scanner.py │ ├── asset_scanner.py # Assets listing │ ├── native_scanner.py # .so libraries │ ├── url_scanner.py # URL extraction │ ├── env_scanner.py # .env files │ ├── build_config_scanner.py # Gradle config │ ├── debug_tools_scanner.py # Stetho, Flipper │ ├── tracking_scanner.py # Analytics SDKs │ ├── firebase_scanner.py # Firebase config │ ├── deep_link_scanner.py # URL schemes │ ├── permission_audit_scanner.py │ └── apk_signer_scanner.py # Signing detection ├── reports/ # Report generators ├── tests/ # 43+ tests └── scanner/plugins/ # Plugin framework ``` ## 🌐 API Endpoint | 方法 | 路径 | 描述 | |--------|------|-------------| | POST | `/upload` | 上传 APK | | POST | `/analyze/{scan_id}` | 触发分析 | | GET | `/status/{scan_id}` | 检查扫描状态 | | GET | `/scan/{scan_id}` | HTML 结果页面 | | GET | `/report/{scan_id}` | 查看 HTML 报告 | | GET | `/download/{scan_id}/{format}` | 下载 JSON/HTML/PDF | | GET | `/api/scan/{scan_id}` | 完整扫描结果 | | GET | `/api/scan/{scan_id}/vulnerabilities` | 筛选出的漏洞 | | GET | `/api/scan/{scan_id}/secrets` | 发现的密钥 | ## ⚙️ 配置 ``` APK_UPLOAD_DIR=/tmp/apk-analyzer/uploads APK_OUTPUT_DIR=/tmp/apk-analyzer/reports APK_TEMP_DIR=/tmp/apk-analyzer/temp APK_SERVER_HOST=0.0.0.0 APK_SERVER_PORT=8000 APK_SERVER_WORKERS=4 ``` ## 🛡️ 标准 - **OWASP:** Mobile Top 10, MASVS (STORAGE, CRYPTO, NETWORK, PLATFORM, RESILIENCE, PRIVACY, AUTH) - **CWE:** 89, 200, 250, 259, 295, 312, 319, 321, 327, 347, 470, 489, 494, 532, 656, 798, 923, 925, 926, 927, 1021, 1104 ## 📄 许可证 MIT
标签:Android, AV绕过, DSL, FastAPI, Python, StruQ, 安全扫描, 无后门, 时序注入, 网络测绘, 请求拦截, 错误基检测, 静态代码分析