LinkedIn Security Blog | Access to Your Account Data (2024)

Authored by 🔒 Tony Trummer 🔒

August 17, 2015

Last week, at DefCon 23 and BlackHat USA 2015, LinkedIn's House Security team announced the release of an alpha version of QARK, the Quick Android Review Kit, a new open-source project aimed at improving Android application security.

Tushar Dalvi and I originally conceived of and created QARK outside of our normal House Security development processes. QARK was developed as part of our internal “HackDay” events, when employees take the day to work on anything they want. This is part of the reason you will find that QARK attempts to review applications in a manner meant to emulate the human review process, more so than a rigorous scientific approach.

At its core, QARK is a static code analysis tool, designed to recognize potential security vulnerabilities and points of concern in Java-based Android applications. QARK was designed to be community-based, available to everyone and free to use. QARK educates developers and information security personnel about potential risks related to Android application security, providing clear descriptions of issues and links to authoritative reference sources. QARK also attempts to provide dynamically generated ADB (Android Debug Bridge) commands to aid in the validation of the potential vulnerabilities it detects. Whenever possible, it will even dynamically create a custom-built testing application, in the form of a ready-to-use APK, designed specifically to demonstrate the potential issues it discovers.

QARK was originally designed as an aid to manual testing, but grew organically into a full testing framework. While many organizations will find QARK useful, we recommend that organizations continue to perform manual security reviews of their applications for three key reasons: first, there are classes of vulnerabilities which are not discoverable through static code analysis; second, your supporting server-side APIs still need to be reviewed; and third, no tool is perfect.

Along with the customized tests, the testing application generated by QARK provides many features useful for enhancing manual security testing of Android applications.

QARK's features include:

  • Simple installation and setup
  • An extremely simple interactive command line interface
  • Robust output detailing potential issues, including links to “Learn More”
  • A headless mode for easy integration into any organization’s SDLC (Software Development Lifecycle)
  • Reporting functionality for historical tracking of issues
  • The ability to inspect raw Java source or compiled APKs
  • Version specific results for the API versions supported
  • Parsing of the AndroidManifest.xml to locate potential issues
  • Source to sink mapping; following potentially tainted flows through the Java source code
  • Automatic issue validation via dynamically generated ADB commands or a custom APK

Reviewing a compiled APK gives the true view of an application, including all the included libraries and exactly what the build process produces, so QARK completely automates APK retrieval, decompiling the APK and extracting a human-readable manifest file. When operating on a compiled APK, any single decompiler may fail to accurately recreate the original source. QARK leverages multiple decompilers and merges their results to create the best possible recreation of the original source, improving on what one decompiler would accomplish by itself.
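As an added illustration of the manifest parsing and ADB command generation described above (example code written for this edit, not QARK's own implementation), the following Python check flags components that other apps can reach without holding a permission and builds the adb command a reviewer would use to confirm that. The sample manifest, package name and component names are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")
ADB_VERB = {"activity": "start", "service": "startservice", "receiver": "broadcast"}

# Constructed sample manifest (not from any real app): one explicitly exported
# activity, one implicitly exported receiver, one protected activity, one private service.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <application>
    <activity android:name=".DebugActivity" android:exported="true"/>
    <activity android:name=".MainActivity" android:exported="true"
        android:permission="com.example.sample.LAUNCH"/>
    <receiver android:name=".SyncReceiver">
      <intent-filter><action android:name="com.example.sample.SYNC"/></intent-filter>
    </receiver>
    <service android:name=".InternalService" android:exported="false"/>
  </application>
</manifest>"""


def attr(elem, name):
    # Read an attribute from the android: namespace
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def find_exposed_components(manifest_xml):
    """Return (tag, component, reason, adb_command) for each component other apps can
    reach without a permission: exported="true", or an intent-filter with exported omitted."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    findings = []
    for elem in root.iter():
        if elem.tag not in COMPONENT_TAGS:
            continue
        exported = attr(elem, "exported")
        if exported == "true":
            reason = 'android:exported="true"'
        elif exported is None and elem.find("intent-filter") is not None:
            reason = "intent-filter without explicit android:exported (pre-Android 12 default)"
        else:
            continue  # not exported: no cross-app entry point
        if attr(elem, "permission"):
            continue  # callers must hold a permission; not an open entry point
        name = attr(elem, "name")
        component = package + name if name.startswith(".") else name
        verb = ADB_VERB.get(elem.tag)  # providers are queried by URI, not via "am"
        adb = "adb shell am %s -n %s/%s" % (verb, package, component) if verb else "(query provider URIs manually)"
        findings.append((elem.tag, component, reason, adb))
    return findings
```

Running `find_exposed_components(SAMPLE_MANIFEST)` reports the debug activity and the sync receiver, and skips the permission-protected activity and the non-exported service.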

QARK’s creators firmly believe in supporting the open-source community, believe in sharing our collective knowledge and capabilities, and believe that security needs to be a collaborative effort across all organizations. Helping to improve Android security ultimately helps us all.

QARK is being open-sourced under the Apache 2.0 license.

QARK will be undergoing very active development in the days and weeks to come. These improvements are specifically designed to minimize false positives and negatives, complete the ability to automatically verify additional vulnerabilities via the testing APK it creates, implement important capability enhancements and bug fixes and, finally, add support for Windows operating systems, as only Mac and Linux are currently supported. We encourage users to pull from our GitHub repo and check for updates frequently, especially in the early days as the project is gaining momentum, to get all the latest features and bug fixes. We are actively soliciting contributions to improve QARK. If you would like to contribute by alerting us to a vulnerability, correcting any of our detection rules, improving the underlying code or libraries, or making QARK more extensible or perform better in any way, please either submit your feedback on GitHub or feel free to connect with us on LinkedIn! We hope you enjoy using QARK and look forward to helping make the Android ecosystem a safer place!

Topics: Security
