Discover QARK: The Automated Tool for Android App Assessments (2024)

There has been a need for automated tools for Android application assessments for quite some time. Though there are some frameworks here and there, most of them don't look promising when it comes to performing app security assessments in a corporate environment. Drozer has largely filled this gap. QARK (Quick Android Review Kit) is a tool that grabbed my attention. Though this tool performs source code analysis, it is worth checking out for identifying useful information about the target.

This article introduces readers to a new tool for Android assessments rather than discussing Android-specific vulnerabilities. Hence, this article assumes that readers have a basic knowledge of performing Android app assessments. If you are new to this, please have a look at my previous articles.

What is QARK

I always like to write the definitions from the original sources to make sure that the original meaning isn't changed. According to one of its original sources, "At its core, QARK is a static code analysis tool, designed to recognize potential security vulnerabilities and points of concern for Java-based Android applications. QARK was designed to be community based, available to everyone and free for use. QARK educates developers and information security personnel about potential risks related to Android application security, providing clear descriptions of issues and links to authoritative reference sources. QARK also attempts to provide dynamically generated ADB (Android Debug Bridge) commands to aid in the validation of potential vulnerabilities it detects. It will even dynamically create a custom-built testing application, in the form of a ready to use APK, designed specifically to demonstrate the potential issues it discovers, whenever possible."

Getting ready

As of now, QARK supports only Linux and Mac.

  • QARK can be downloaded here:

[download]

  • Extract QARK contents as shown below.

Make sure that you have all the dependencies mentioned on the GitHub page to run QARK.

  • Get the sample application provided in the downloads section

Android app assessments with QARK

This section shows how to use QARK to perform Android app assessments.

QARK works in two modes.

  1. Interactive mode
  2. Seamless mode

Interactive mode lets the user choose the options interactively, one after the other, whereas seamless mode allows us to do the whole job with a single command.

Let us first see the Interactive mode in action.

Navigate to the QARK directory and type in the following command:

python qark.py

This will launch an interactive QARK console as shown below.

We can choose between APK and source code based on what we want to scan. I am going with the APK option, which allows us to see the power of QARK in decompiling APK files. After choosing the APK option [1], we need to provide the path to an APK file sitting on our PC or pull an existing APK from the device. Let's choose the APK file location from the PC. In my case, I am going to give the path of the APK file (testapp.apk) that we used in PART-1 of this Android Hacking series [the same app is provided in the downloads section].

After providing the path of the target APK file, it is going to extract the AndroidManifest.xml file as shown below.

We can inspect the extracted Manifest file by choosing "Y" above.

It first displays the manifest file and waits for the user to continue. Press "Enter" to start analyzing the manifest file as shown below.

As we can see in the figure above, QARK has identified several issues, one of which is a potential vulnerability because the "android:debuggable" value is set to true. QARK has also warned that the activities shown above are exported.
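The manifest findings described above (debuggable flag, backups, exported activities) can be reproduced with a short audit over a decoded AndroidManifest.xml. This is an added example, not QARK's code or code from the original article; the sample manifest is constructed, modelled on the test app's manifest with a hypothetical Settings activity added to show a non-exported component, and the function names are illustrative.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: namespace prefix

# Constructed sample modelled on the article's test app; Settings is hypothetical.
SAMPLE_MANIFEST = """<?xml version="1.0"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.isi.testapp">
  <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="18"/>
  <application android:allowBackup="true" android:debuggable="true">
    <activity android:name="com.isi.testapp.MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:exported="true" android:name="com.isi.testapp.Welcome"/>
    <activity android:name="com.isi.testapp.Settings"/>
  </application>
</manifest>"""

def is_exported(component):
    """Explicit android:exported wins; otherwise an intent-filter implies export."""
    explicit = component.get(A + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None

def audit_manifest(xml_text):
    """Return a list of (severity, message) findings for a decoded manifest."""
    # For manifests taken from untrusted APKs, parse with defusedxml instead.
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = []
    if app is None:
        return findings
    if app.get(A + "debuggable", "false").lower() == "true":
        findings.append(("VULN", "android:debuggable is set to true"))
    # allowBackup defaults to true when the attribute is absent.
    if app.get(A + "allowBackup", "true").lower() == "true":
        findings.append(("WARN", "android:allowBackup is enabled"))
    for tag in ("activity", "activity-alias", "service", "receiver"):
        for comp in app.findall(tag):
            if not is_exported(comp):
                continue
            name = comp.get(A + "name")
            perm = comp.get(A + "permission") or app.get(A + "permission")
            guard = "protected by %s" % perm if perm else "no permission required"
            findings.append(("WARN", "exported %s %s (%s)" % (tag, name, guard)))
    return findings

if __name__ == "__main__":
    for severity, message in audit_manifest(SAMPLE_MANIFEST):
        print("%-4s %s" % (severity, message))
```

MainActivity is reported even though it has no android:exported attribute, because its intent-filter makes it exported by default; an exported component that declares android:permission is listed with that permission so it can be triaged separately.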

After finishing the analysis of the manifest file, QARK begins decompilation, which is required for source code analysis. By pressing the "Enter" key, we can start the decompilation process as shown below.

If, for some reason, the decompilation process takes a long time, we can press "C" to continue with the analysis of whatever code was extracted during decompilation. QARK uses various tools for the decompilation process.

After the decompilation process finishes, we can press "ENTER" to start the source code analysis.

Let's start the Source Code Analysis:

As we can see in the figure above, the source code analysis has started identifying vulnerabilities in the code. It prints lengthy output on the screen with all the possible findings, which looks as shown below.

====================================================================================================

INFO - This class is exported from a manifest item: MainActivity

INFO - Checking this file for vulns: /Users/srini0x00/Downloads/testapp/classes_dex2jar/com/isi/testapp/MainActivity.java

entries:

onCreate

INFO - No custom imports to investigate. The method is assumed to be in the standard libraries

INFO - No custom imports to investigate. The method is assumed to be in the standard libraries

INFO - No custom imports to investigate. The method is assumed to be in the standard libraries

INFO - No custom imports to investigate. The method is assumed to be in the standard libraries

INFO - No custom imports to investigate. The method is assumed to be in the standard libraries

INFO - No custom imports to investigate. The method is assumed to be in the standard libraries

INFO - No custom imports to investigate. The method is assumed to be in the standard libraries

INFO - No custom imports to investigate. The method is assumed to be in the standard libraries

INFO - No custom imports to investigate. The method is assumed to be in the standard libraries

INFO - No custom imports to investigate. The method is assumed to be in the standard libraries

INFO - No custom imports to investigate. The method is assumed to be in the standard libraries

INFO - No custom imports to investigate. The method is assumed to be in the standard libraries

INFO - No custom imports to investigate. The method is assumed to be in the standard libraries

INFO - No custom imports to investigate. The method is assumed to be in the standard libraries

====================================================================================================

INFO - This class is exported from a manifest item: Welcome

INFO - Checking this file for vulns: /Users/srini0x00/Downloads/testapp/classes_dex2jar/com/isi/testapp/Welcome.java

entries:

onCreate

INFO - No custom imports to investigate. The method is assumed to be in the standard libraries

ISSUES - CRYPTO ISSUES

INFO - No issues to report

ISSUES - BROADCAST ISSUES

INFO - No issues to report

ISSUES - CERTIFICATE VALIDATION ISSUES

INFO - No issues to report

ISSUES - PENDING INTENT ISSUES

POTENTIAL VULNERABILITY - Implicit Intent: localIntent used to create instance of PendingIntent. A malicious application could potentially intercept, redirect and/or modify (in a limited manner) this Intent. Pending Intents retain the UID of your application and all related permissions, allowing another application to act as yours. File: /Users/srini0x00/Downloads/testapp/classes_dex2jar/android/support/v4/app/TaskStackBuilder.java More details: https://www.securecoding.cert.org/confluence/display/android/DRD21-J.+Always+pass+explicit+intents+to+a+PendingIntent

ISSUES - FILE PERMISSION ISSUES

INFO - No issues to report

ISSUES - WEB-VIEW ISSUES

INFO - FOUND 0 WEBVIEWS:

WARNING - Please use the exploit APK to manually test for TapJacking until we have a chance to complete this module. The impact should be verified manually anyway, so have fun...

INFO - Content Providers appear to be in use, locating...

INFO - FOUND 0 CONTENTPROVIDERS:

ISSUES - ADB EXPLOIT COMMANDS

INFO - Until we perfect this, for manually testing, run the following command to see all the options and their meanings: adb shell am. Make sure to update qark frequently to get all the enhancements! You'll also find some good examples here: http://xgouchet.fr/android/index.php?article42/launch-intents-using-adb

==>EXPORTED ACTIVITIES:

1com.isi.testapp.MainActivity

adb shell am start -a "android.intent.action.MAIN" -n "com.isi.testapp/com.isi.testapp.MainActivity"

2com.isi.testapp.Welcome

adb shell am start -n "com.isi.testapp/com.isi.testapp.Welcome"

To view any sticky broadcasts on the device:

adb shell dumpsys activity| grep sticky

INFO - Support for other component types and dynamically adding extras is in the works, please check for updates

After finishing the scan, QARK will present the following screen. This is one of its unique features, which allows us to create a POC app by choosing option [1].

Additionally, it provides some adb commands to exploit the issues identified. Another nice feature of QARK to mention is its ability to provide nice reports.

Reporting

As we can see in the above figure, QARK has generated a report with the name "report.html". We can navigate to the path provided in the previous figure and open the "report.html" file to see the report.

Personally, I liked the appearance of QARK reporting. Simple and clean.

The following figure shows the overview of QARK findings under "Dashboard".

Let's first check the vulnerabilities reported from the manifest file.

As we can see, two vulnerabilities have been identified. Apart from the vulnerability information, some references are provided to learn more about those issues.

The next tab has vulnerabilities related to App components.

As we can see in the figure above, QARK has identified two activities that are exported. Manual verification is required to decide if they are really vulnerabilities that pose some risk to the app. For this, we need to create a malicious application or write some adb commands. QARK provides these adb commands in its report as shown below.

We can install the target app on a device/emulator and run these commands on the PC.

Running QARK in seamless mode

Below is the command that can be used to run QARK in seamless mode.

$ python qark.py --source 1 --pathtoapk ../testapp.apk --exploit 1 --install 1

This will do the same process of finding vulnerabilities without user intervention.

If you are facing errors with building the POC app, set the --exploit value to 0.

If you don't want it to be installed on the device, set the --install value to 0.

python qark.py --source 1 --pathtoapk ../testapp.apk --exploit 0 --install 0

This will just perform the assessment and provide you with a report, without a POC app, as shown below.

INFO - Initializing...

INFO - Identified Android SDK installation from a previous run.

INFO - Initializing QARK

INFO - Unpacking /Users/srini0x00/Downloads/testapp.apk

INFO - Zipfile: <zipfile.ZipFile object at 0x104ba0810>

INFO - Extracted APK to /Users/srini0x00/Downloads/testapp/

INFO - Finding AndroidManifest.xml in /Users/srini0x00/Downloads/testapp

INFO - AndroidManifest.xml found

INFO - <?xml version="1.0" ?><manifest android_versionCode="1" android_versionName="1.0" package="com.isi.testapp" xmlns_android="http://schemas.android.com/apk/res/android">

<uses-sdk android_minSdkVersion="8" android_targetSdkVersion="18">

</uses-sdk>

<application android_allowBackup="true" android_debuggable="true" android_icon="@7F020000" android_label="@7F050000" android_theme="@7F060001">

<activity android_label="@7F050000" android_name="com.isi.testapp.MainActivity">

<intent-filter>

<action android_name="android.intent.action.MAIN">

</action>

<category android_name="android.intent.category.LAUNCHER">

</category>

</intent-filter>

</activity>

<activity android_exported="true" android_name="com.isi.testapp.Welcome">

</activity>

</application>

</manifest>

INFO - Determined minimum SDK version to be:8

WARNING - Logs are world readable on pre-4.1 devices. A malicious app could potentially retrieve sensitive data from the logs.

ISSUES - APP COMPONENT ATTACK SURFACE

WARNING - Backups enabled: Potential for data theft via local attacks via adb backup, if the device has USB debugging enabled (not common). More info: http://developer.android.com/reference/android/R.attr.html#allowBackup

POTENTIAL VULNERABILITY - The android:debuggable flag is manually set to true in the AndroidManifest.xml. This will cause your application to be debuggable in production builds and can result in data leakage and other security issues. It is not necessary to set the android:debuggable flag in the manifest, it will be set appropriately automatically by the tools. More info: http://developer.android.com/guide/topics/manifest/application-element.html#debug

.

.

.

.

.

.

==>EXPORTED ACTIVITIES:

1com.isi.testapp.MainActivity

adb shell am start -a "android.intent.action.MAIN" -n "com.isi.testapp/com.isi.testapp.MainActivity"

2com.isi.testapp.Welcome

adb shell am start -n "com.isi.testapp/com.isi.testapp.Welcome"

To view any sticky broadcasts on the device:

adb shell dumpsys activity| grep sticky

INFO - Support for other component types and dynamically adding extras is in the works, please check for updates

An html report of the findings is located in : /Users/srini0x00/Downloads/qark-master/report/report.html

Goodbye!

Conclusion

QARK is, without a doubt, one of the best freely available tools for Android SCA. It still needs some more features, such as providing adb commands for querying content providers, exploiting injection vulnerabilities, identifying insecure data storage vulnerabilities, etc. According to their GitHub page, some of them are about to come in upcoming versions. So, let's wait for a more intelligent and powerful QARK.

Posted: October 5, 2015

Srinivas

Srinivas is an Information Security professional with 4 years of industry experience in Web, Mobile and Infrastructure Penetration Testing. He is currently a security researcher at Infosec Institute Inc. He holds the Offensive Security Certified Professional (OSCP) certification. He blogs at www.androidpentesting.com. Email: srini0x00@gmail.com
