DOCS.md

File metadata and controls

75 lines (55 loc) · 2.94 KB

Fufluns Internals

The software is written in a way which allows you to add security tests as "plugins".

Each test has to be placed in the appropriate folder:

  • Android: /android/tests
  • iOS: /ios/tests

Writing a test for Android

This is the template of a plugin for Android:

def run_tests(apk, pipes, utils, rzhelper, android_utils):
    # Test logic goes here; the template iterates over every entry in pipes.
    for rz in pipes:
        pass

def name_test():
    # Name of the test.
    return "My Test Name"

APK object

The apk python object contains the following data:

  • apk.apktool: temporary folder where apktool has unpacked the app (contains the *.smali files)
  • apk.unzip: temporary folder where unzip has unpacked the app (contains the *.dex files)
  • apk.binary: BinDetails object
  • apk.extra: Extra object
  • apk.issues: Issues object
  • apk.logger: WebLogger object
  • apk.permis: Permissions object
  • apk.srccode: SourceCode object
  • apk.strings: Strings object

Writing a test for iOS

This is the template of a plugin for iOS:

## fufluns - Copyright 2019-2021 - deroad

def run_tests(ipa, pipe, utils, rzhelper):
    # Test logic goes here.
    pass

def name_test():
    # Name of the test.
    return "My Test Name"

IPA object

The ipa python object contains the following data:

Create a test

The easiest way to create a test is to use the method test available in utils.

utils.test(ipa_or_apk, boolean_value, detail, description, severity)

where:

  • ipa_or_apk (object) is the ipa or apk object
  • boolean_value (bool) is the result of the test; if the test has failed (i.e. False), the detail, description and severity are added to the list of security issues.
  • detail (string) shortly describes the security issue
  • description (string) is the full description of the issue.
  • severity (float) is the CVSS score of the vulnerability; you can use the CVSS calculator.
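
An Android plugin built on the template and utils.test described above, as an added example that is not part of fufluns itself. The debuggable-flag check, the severity value 5.0 (a placeholder), and the StubUtils and demo helpers are assumptions introduced only so the example runs offline on a constructed manifest.

```python
import os
import tempfile
import xml.etree.ElementTree as ET
from types import SimpleNamespace

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

def is_debuggable(manifest_path):
    """True/False for android:debuggable, None if the manifest is unusable."""
    try:
        root = ET.parse(manifest_path).getroot()
    except (OSError, ET.ParseError):
        return None
    app = root.find("application")
    if app is None:
        return False
    return app.get(ANDROID_NS + "debuggable", "false").lower() == "true"

def run_tests(apk, pipes, utils, rzhelper, android_utils):
    # apktool writes the decoded manifest to the root of its output folder.
    result = is_debuggable(os.path.join(apk.apktool, "AndroidManifest.xml"))
    if result is None:
        return  # nothing to judge; do not record a pass or a fail
    # boolean_value is False when the test failed, so pass "not debuggable".
    utils.test(apk, not result, "Application is debuggable",
               "android:debuggable is set to true in AndroidManifest.xml.",
               5.0)  # placeholder score; compute the real one with CVSS

def name_test():
    return "Debuggable application"

class StubUtils:
    """Constructed stand-in for fufluns' utils, only so the demo runs offline."""
    def __init__(self):
        self.issues = []
    def test(self, app, ok, detail, description, severity):
        if not ok:  # failed tests are added to the issue list
            self.issues.append((detail, severity))

def demo(flag):
    """Run the plugin on a constructed manifest; return recorded issues."""
    doc = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android">'
           '<application android:debuggable="%s"/></manifest>' % flag)
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "AndroidManifest.xml"), "w") as fh:
            fh.write(doc)
        utils = StubUtils()
        run_tests(SimpleNamespace(apktool=tmp), [], utils, None, None)
        return utils.issues
```

Only is_debuggable, run_tests and name_test belong in a file placed under /android/tests; StubUtils and demo exist for the offline run.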