Search Sets - Nuvolect/DeepDive-Android GitHub Wiki
# Search Set
DeepDive includes four default search sets. The user can create additional search sets by using the UI or by editing JSON files directly.
## Default Search Set
This basic search set exposes code fundamental to application security.
| Query | Description |
|---|---|
| password | Common security key |
| passphrase | Common security key |
| keystore.bks | Bouncy Castle Keystore |
| keystore.bc | Bouncy Castle Keystore |
| CertAndKeyGen | Method for storing private key |
| KeyPairGenerator | Android keystore |
| CipherOutputStream | Javax.crypto library |
| whitelist | Key for tracking users |
| blacklist | Key for tracking users |
| AES/CBC/PKCS5Padding | Encryption methodology |
| SecretKeySpec | Java crypto |
| crypto | Common search for crypto |
## Editing
Any of the default search sets can be modified by selecting the "Edit" checkbox at the bottom of the page. This exposes plus (+) and minus (-) controls for adding or deleting set items and entire sets. The only way to edit a specific search item from the UI is to delete it and create it again. Alternatively, the JSON can be edited directly.
## Search Set JSON Files
Search set files are copied from the app into the .search_set folder upon installation. The DIVA search set below illustrates the JSON structure and shows how to search for single keywords, exact phrases, and combinations of required (+) terms.
```json
[
  {
    "query": "\"transaction with credit card\"",
    "description": "Challenge 1 - Insecure Logging"
  },
  {
    "query": "vendorSecretKey",
    "description": "Challenge 2 - Hardcoding issues"
  },
  {
    "query": "\"putString(\\\"password\\\"\"",
    "description": "Challenge 3, Insecure Data Storage - Part 1"
  },
  {
    "query": "+\"insert into\" +\"credentials saved\"",
    "description": "Challenge 4, Insecure Data Storage - Part 2"
  },
  {
    "query": "+getApplicationInfo +credentials",
    "description": "Challenge 5, Insecure Data Storage - Part 3"
  },
  {
    "query": "+getExternalStorageDirectory +\"credentials saved\"",
    "description": "Challenge 6, Insecure Data Storage - Part 4"
  },
  {
    "query": "+execSql +\"credit card\"",
    "description": "Challenge 7, Input Validation Issues"
  },
  {
    "query": "+webview +loadurl +edittext",
    "description": "Challenge 8, Input Validation Issues"
  },
  {
    "query": "\"api key\"",
    "description": "Challenge 9 - 11, Access Control Issues"
  },
  {
    "query": "\"see you in hell\"",
    "description": "Challenge 12, Hardcoding Issues"
  },
  {
    "query": "+\"access denied\" +Toast",
    "description": "Challenge 13, Hardcoding Issues"
  }
]
```
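As an added example (not part of this wiki or of the DeepDive code), the following Python loads a search set in the layout above and applies its queries to a few constructed source lines, so you can check how a query will behave before adding it through the UI. It assumes that a quoted string is an exact phrase (with `\"` escapes as in Challenge 3), that a leading `+` documents a required term and every term must be present, and that matching is case-insensitive (which is how `+execSql` can be meant to find `execSQL`).

```python
import json
import re

# Constructed search set in the DeepDive JSON layout (assumed example,
# not the project's own file).
SEARCH_SET_JSON = r'''[
  {"query": "vendorSecretKey", "description": "Hardcoding issues"},
  {"query": "\"putString(\\\"password\\\"\"", "description": "Insecure Data Storage - Part 1"},
  {"query": "+execSql +\"credit card\"", "description": "Input Validation Issues"},
  {"query": "+webview +loadurl +edittext", "description": "WebView input"}
]'''

# Constructed decompiled-source lines to search (not real DIVA code).
SAMPLE_SOURCE = {
    "DivaJni.java": "String key = vendorSecretKey;",
    "Storage1Activity.java": 'editor.putString("password", pwd);',
    "SQLInjectionActivity.java": 'Log.d(TAG, "credit card saved"); db.execSQL(query);',
    "WebViewActivity.java": "webView.loadUrl(editText.getText().toString());",
}

# One term: optional leading '+', then a quoted phrase (with \" escapes)
# or a bare word.
TOKEN = re.compile(r'(\+?)(?:"((?:[^"\\]|\\.)*)"|(\S+))')

def parse_query(query):
    """Split a query into lower-cased terms. Assumption: all terms are
    required ('+' only documents that) and matching is case-insensitive."""
    terms = []
    for _plus, phrase, word in TOKEN.findall(query):
        term = phrase.replace('\\"', '"') if phrase else word
        if term:
            terms.append(term.lower())
    return terms

def line_matches(terms, line):
    lowered = line.lower()
    return all(term in lowered for term in terms)

def run_search_set(search_set_json, sources):
    """Map each description to the sorted list of files with a matching line."""
    hits = {}
    for item in json.loads(search_set_json):
        terms = parse_query(item["query"])
        hits[item["description"]] = sorted(
            name for name, text in sources.items()
            if any(line_matches(terms, ln) for ln in text.splitlines()))
    return hits

if __name__ == "__main__":
    for desc, files in run_search_set(SEARCH_SET_JSON, SAMPLE_SOURCE).items():
        print(f"{desc}: {files}")
```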
## Analytics
| Query | Description |
|---|---|
| "com.google.analytics" | Google Analytics |
| EasyTracker | Google Analytics |
| "com.crashlytics" | Crashlytics |
| localytics | www.localytics.com/ |
| "org.piwik.sdk" | Piwik Tracking SDK |
| "com.segment.analytics.Analytics" | Segment Analytics |
| "com.mparticle" | mParticle |
| "react.native.google.analytics.bridge" | Google Analytics Bridge |
| "com.github.florent37.androidanalytics" | Florent37 Analytics |
| "ly.count.android.sdk" | Countly Mobile Analytics |
## HummingWhale
This attack, described by Check Point and by Theo Thimou at clark.com, was distributed in 40 apps. This search set detects the malware by searching for the offending package names.
The HummingWhale family of malware allows hackers to turn your phone into a remote cash-generating machine for them by allowing other fraudulent apps on your device without permission.
HummingWhale malware @ Check Point
HummingWhale malware @ Clark Howard