An Open Source Tool to Improve Android Application Security (2024)

Last week, at DefCon 23 and BlackHat USA 2015, LinkedIn's House Security team announced the release of an alpha version of QARK, the Quick Android Review Kit, a new open-source project aimed at improving Android application security.

Tushar Dalvi and I originally conceived of and created QARK outside of our normal House Security development processes. QARK was developed as part of our internal “HackDay” events, when employees take the day to work on anything they want. This is partly why QARK reviews applications in a manner meant to emulate the human review process rather than a rigorous scientific approach.

What is QARK?

At its core, QARK is a static code analysis tool, designed to recognize potential security vulnerabilities and points of concern in Java-based Android applications. QARK was designed to be community-based, available to everyone and free to use. QARK educates developers and information security personnel about potential risks related to Android application security, providing clear descriptions of issues and links to authoritative reference sources. QARK also attempts to provide dynamically generated ADB (Android Debug Bridge) commands to aid in the validation of the potential vulnerabilities it detects. Whenever possible, it will even dynamically create a custom-built testing application, in the form of a ready-to-use APK, designed specifically to demonstrate the potential issues it discovers.

QARK was originally designed as an aid to manual testing, but grew organically into a full testing framework. While many organizations will find QARK useful, we recommend that organizations continue to perform manual security reviews of their applications for three key reasons: first, there are classes of vulnerabilities which are not discoverable during static code analysis; second, your supporting server-side APIs still need to be reviewed; third, no tool is perfect.

How It Works

Along with the customized tests, the testing application generated by QARK provides many features useful for enhancing manual security testing of Android applications.

QARK's features include:

  • Simple installation and setup
  • An extremely simple interactive command line interface
  • Robust output detailing potential issues, including links to “Learn More”
  • A headless mode for easy integration into any organization’s SDLC (Software Development Lifecycle)
  • Reporting functionality for historical tracking of issues
  • The ability to inspect raw Java source or compiled APKs
  • Version specific results for the API versions supported
  • Parsing of the AndroidManifest.xml to locate potential issues
  • Source to sink mapping; following potentially tainted flows through the Java source code
  • Automatic issue validation via dynamically generated ADB commands or a custom APK

Reviewing an APK gives you the true view of an application, including all the included libraries and exactly what the build process produces, so QARK completely automates retrieving the APK, decompiling it and extracting a human-readable manifest file. When operating on a compiled APK, any single decompiler may fail to accurately recreate the original source. QARK therefore runs multiple decompilers and merges their results to create the best possible recreation of the original source, improving on what one decompiler would accomplish by itself.
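To make the manifest-parsing and ADB-generation features concrete, here is a small, self-contained checker written for this article; it is an added example, not QARK's own code. It assumes a constructed sample manifest (embedded below, not from any real app), implements one rule family that such tools commonly apply (components reachable from other apps, plus two application-level flags), applies the API-version distinction that components with an intent filter are implicitly exported only when the app targets an API level below 31, and emits a standard `adb` command a reviewer could use to confirm each finding on a test device. The function and attribute names are the example's own.

```python
"""Minimal AndroidManifest.xml checker: exported components + app flags (example, not QARK)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree's Clark notation for android:* attributes

# Standard adb commands that exercise a component of each kind (hypothetical templates).
VALIDATION_CMDS = {
    "activity": "adb shell am start -n {pkg}/{name}",
    "service": "adb shell am startservice -n {pkg}/{name}",
    "receiver": "adb shell am broadcast -n {pkg}/{name}",
    "provider": "adb shell content query --uri content://{authority}",
}

# Constructed sample manifest for demonstration only.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="28" />
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <data android:scheme="demo" />
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true" />
    <receiver android:name=".BootReceiver" android:exported="true"
              android:permission="android.permission.RECEIVE_BOOT_COMPLETED" />
    <provider android:name=".DataProvider"
              android:authorities="com.example.demo.provider"
              android:exported="false" />
  </application>
</manifest>
"""


def _target_sdk(root):
    """Effective target API level; falls back to minSdkVersion, then 1."""
    sdk = root.find("uses-sdk")
    if sdk is None:
        return 1
    return int(sdk.get(A + "targetSdkVersion", sdk.get(A + "minSdkVersion", "1")))


def _is_launcher(elem):
    """Launcher activities are exported by design; don't report them."""
    return any(cat.get(A + "name") == "android.intent.category.LAUNCHER"
               for f in elem.findall("intent-filter") for cat in f.findall("category"))


def analyze_manifest(xml_text):
    """Return a list of findings: {component, issue, validation} dicts, in document order."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package")
    target = _target_sdk(root)
    app = root.find("application")
    findings = []

    # Application-level flags that widen the attack surface of a release build.
    if app.get(A + "debuggable", "false").lower() == "true":
        findings.append({"component": "<application>", "issue": "android:debuggable=true",
                         "validation": "adb shell dumpsys package %s" % pkg})
    if app.get(A + "allowBackup", "true").lower() == "true":  # Android's default is true
        findings.append({"component": "<application>", "issue": "android:allowBackup=true",
                         "validation": "adb backup -f app.ab %s" % pkg})

    for elem in app:
        kind = elem.tag
        if kind not in VALIDATION_CMDS:
            continue
        name = elem.get(A + "name")
        exported = elem.get(A + "exported")
        has_filter = elem.find("intent-filter") is not None
        if exported is None:
            if not has_filter:
                continue  # no attribute and no filter: private by default (ignores pre-API-17 provider default)
            if target >= 31:
                issue = "intent-filter without explicit android:exported (install-time error on API 31+)"
            else:
                issue = "implicitly exported via intent-filter"
        elif exported.lower() == "true":
            issue = "explicitly exported"
        else:
            continue
        if _is_launcher(elem) or elem.get(A + "permission"):
            continue  # launcher entry point, or access gated by a permission: not reported
        cmd = VALIDATION_CMDS[kind].format(pkg=pkg, name=name,
                                           authority=elem.get(A + "authorities", ""))
        findings.append({"component": name, "issue": issue, "validation": cmd})
    return findings


if __name__ == "__main__":
    for f in analyze_manifest(SAMPLE_MANIFEST):
        print("%-20s %-60s %s" % (f["component"], f["issue"], f["validation"]))
```

On the sample manifest the checker reports the debuggable and backup flags, the implicitly exported `.DeepLinkActivity` and the unprotected `.SyncService`, while staying silent on the launcher activity, the permission-gated receiver and the non-exported provider; changing `targetSdkVersion` to 31 turns the implicit-export finding into the version-specific manifest error, which is the kind of "version specific result" the feature list refers to.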

Why Open-Source?

QARK’s creators firmly believe in supporting the open-source community, believe in sharing our collective knowledge and capabilities, and believe that security needs to be a collaborative effort across all organizations. Helping to improve Android security ultimately helps us all.

What’s Next for QARK

QARK will be undergoing very active development in the days and weeks to come. These improvements are specifically designed to minimize false positives and false negatives, complete the ability to automatically verify additional vulnerabilities via the testing APK it creates, implement important capability enhancements and bug fixes and, finally, add support for Windows, as only Mac and Linux are currently supported. We encourage users to pull from our GitHub repo using a Git client, so they can easily keep their code up to date with these improvements. If you decide instead to download an untracked copy, please check back frequently for an updated version (especially in the early days, as the project is gaining momentum) to get all the latest features and bug fixes.

We are actively soliciting contributions to improve QARK. If you would like to contribute by alerting us to a vulnerability, correcting any of our detection rules, improving the underlying code or libraries, or making QARK more extensible or better performing in any way, please either submit your feedback on GitHub or feel free to connect with us on LinkedIn! We hope you enjoy using QARK and look forward to helping make the Android ecosystem a safer place!
