SUPER 0.5.0 released!

03 Nov 2018

SUPER is an Android application analysis tool that tries to detect potential security vulnerabilities and create nice reports so that analysts can get help while doing their checks. It’s available in Windows, Mac OS X and Linux, and it’s highly accurate and performant thanks to it’s rule system and it’s use of the Rust programming language for most of the logic.

A lot has been going on this last year, both for SUPER and Rust. Many libraries SUPER depends on released their first stable versions, and we had to adapt a lot of our code to be compatible. Not only that, the syntax of Rust itself has brought many new features that we wanted to take advantage of. We can say that this release was the release that brought the code quality of SUPER to a proper level.

Not only that, one of the main changes in the project has been to adopt better development and community standards, so that more contributors feel free to join. We have a new code of conduct that ensures that contributors to SUPER will always be treated properly, and that everyone should feel safe and welcomed to participate in the project. We also have templates for issues and pull requests so that contributors know what information we as core developers need to keep working on the given task.

Packages for our 4 supported Linux distributions now get generated automatically each release, which eases our deployment difficulties. This was a great achievement that took us a lot of time, but we really believe it will make things much easier. The packaging for those distribution is also checked in each commit, to make sure we are not doing anything incompatible with any Linux distribution.

You can download SUPER 0.5.0 in the downloads page or in GitHub!

Features and bug fixes

This has not only been a completely internal enhancement. It has brought improved performance and stability, and we fixed multiple bugs in the process. Windows console will no longer have strange characters, and badly formatted APK files will be properly handled. We still have some known issues though, that we will try to fix before the next release. Feel free to help!

There have been a couple of improvements for end users too, apart from the bug fixing. All icons in the reports will now be SVG, so that they look great in all resolutions, and Android SDK versions will now have the name of the related Android version in the reports. This will make the reports more complete and easier to manage.

Development notes

Here is where SUPER 0.5.0 is really shining. The first clear change is that SUPER now requires Rust 1.30.0 to be built. This is because it uses the latest features in the module system and because we are using newer syntax. Another big change came from removing the error-chain dependency and using failure instead. This made us modify a lot of the code, but finally brought nicer and more fine grained error messages.

Another big change in how the architechture of the program looks like came from switching to binary / library architechture. This means that we now have a main.rs file with all the logic SUPER needs to run the CLI, and a lib.rs file with all the internal functions to check the actual applications.

The ABXML library, in charge of decompiling Android applications and getting XML file information, and also maintained by the SUPER team, improved it’s internal code a lot. It’s now compliant with all Rust coding standards and the performance is also better. This new updated library was also brought to SUPER 0.5.0.

We upgraded all of our dependencies to their latest versions, with regex , serde , lazy_static and handlebars reaching 1.0+ stable versions. For the full list of changes, you can check the change log.

We also want to thank the contributions by Charlie Bouthoorn, @gnieto and Amal Krishnan. This release wouldn’t have been so great without you!