Navigate to the QARK directory and type in the following command:
python qark.py
This launches an interactive QARK console, as shown in the following screenshot:
We can choose between APK and source code based on what we want to scan.
I am going with the APK option, which allows us to see the power of QARK in decompiling the APK files. After choosing the APK option [1], we need to provide the path to an APK file on our PC or pull an existing APK from the device. Let's choose the APK file location from the PC. In my case, I am going to give the path of the APK file (testapp.apk):
After providing the path of the target APK file, it is going to extract the AndroidManifest.xml file as follows:
We can inspect the extracted Manifest file by choosing y above:
QARK first displays the manifest file and waits for the user to continue. Press Enter to start analyzing the manifest file as follows:
As we can see in the preceding screenshot, QARK has identified several issues, one of which is a potential vulnerability because the android:debuggable value is set to true. QARK has also issued a warning that the activities shown in the preceding screenshot are exported.
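To make the two manifest checks concrete, here is a small Python script, added as an illustration and not QARK's own code, that performs them on a manifest: it reports android:debuggable="true" and lists every component that is exported, either explicitly through android:exported="true" or implicitly because it declares an intent-filter without the attribute (the default before Android 12). The manifest, package name and component names embedded below are constructed for the example.

```python
# Added example: a stand-alone re-implementation of the two manifest checks
# discussed above (android:debuggable and exported components). It is not
# QARK's own code; the manifest below is constructed for illustration.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest (hypothetical package and component names).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sampleapp">
    <application android:debuggable="true">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <activity android:name=".Welcome" android:exported="true"/>
        <activity android:name=".Settings" android:exported="false"/>
        <activity android:name=".Internal"/>
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def android_attr(elem, name):
    """Read an attribute from the android: namespace (None if absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def qualify(package, name):
    """Expand a relative component name (".Welcome" or "Welcome") to its
    fully qualified form, the way the Android build does."""
    if name.startswith("."):
        return package + name
    if "." not in name:
        return package + "." + name
    return name


def is_exported(component):
    """A component is exported if android:exported="true", or, when the
    attribute is absent, if it declares an intent-filter (the default before
    Android 12, which made the attribute mandatory in that case)."""
    exported = android_attr(component, "exported")
    if exported is not None:
        return exported.lower() == "true"
    return component.find("intent-filter") is not None


def analyze_manifest(xml_text):
    """Return the debuggable flag and the list of exported components."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    result = {"package": package, "debuggable": False, "exported": []}
    app = root.find("application")
    if app is None:
        return result
    result["debuggable"] = (android_attr(app, "debuggable") or "").lower() == "true"
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in app.findall(tag):
            if is_exported(comp):
                name = qualify(package, android_attr(comp, "name") or "")
                result["exported"].append((tag, name))
    return result


def report(result):
    """Format findings in the INFO/WARNING/POTENTIAL VULNERABILITY style QARK uses."""
    lines = []
    if result["debuggable"]:
        lines.append("POTENTIAL VULNERABILITY - android:debuggable is true; a debugger "
                     "can attach to the app on any device. Set it to false for release builds.")
    for tag, name in result["exported"]:
        lines.append("WARNING - %s %s is exported; confirm it must be reachable from "
                     "other apps, otherwise set android:exported=\"false\"." % (tag, name))
    if not lines:
        lines.append("INFO - No issues to report")
    return lines


if __name__ == "__main__":
    for line in report(analyze_manifest(SAMPLE_MANIFEST)):
        print(line)
```

On the sample manifest this flags the debuggable flag, the two activities (one exported implicitly through its launcher intent-filter, one explicitly) and the boot receiver, while the activity with android:exported="false" and the one with neither attribute nor filter are left alone. To run it on a real APK, feed it the decoded AndroidManifest.xml that QARK extracts in the step above.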
After finishing the analysis of the manifest file, QARK begins with decompilation, which is required for Source Code Analysis. By pressing the Enter key, we can begin with the decompilation process as follows:
If, for some reason, the decompilation process takes a long time, we can press C to continue with the analysis of whatever code has been extracted so far. QARK uses various tools to carry out the decompilation process.
After the decompilation process, we can press Enter to continue with source code analysis:
Let's start Source Code Analysis:
As we can see in the previous screenshot, source code analysis has started to identify the vulnerabilities in the code. This provides a lengthy output on the screen with all the possible findings. This looks as follows:
========================================================================
INFO - This class is exported from a manifest item: MainActivity
INFO - Checking this file for vulns: /Users/srini0x00/Downloads/testapp/classes_dex2jar/com/isi/testapp/MainActivity.java entries:
onCreate
INFO - No custom imports to investigate. The method is assumed to be in the standard libraries
INFO - No custom imports to investigate. The method is assumed to be in the standard libraries
INFO - No custom imports to investigate. The method is assumed to be in the standard libraries
INFO - No custom imports to investigate. The method is assumed to be in the standard libraries
INFO - No custom imports to investigate. The method is assumed to be in the standard libraries
INFO - No custom imports to investigate. The method is assumed to be in the standard libraries
INFO - No custom imports to investigate. The method is assumed to be in the standard libraries
INFO - No custom imports to investigate. The method is assumed to be in the standard libraries
INFO - No custom imports to investigate. The method is assumed to be in the standard libraries
INFO - No custom imports to investigate. The method is assumed to be in the standard libraries
INFO - No custom imports to investigate. The method is assumed to be in the standard libraries
INFO - No custom imports to investigate. The method is assumed to be in the standard libraries
========================================================================
INFO - This class is exported from a manifest item: Welcome
INFO - Checking this file for vulns: /Users/srini0x00/Downloads/testapp/classes_dex2jar/com/isi/testapp/Welcome.java entries:
onCreate
INFO - No custom imports to investigate. The method is assumed to be in the standard libraries
ISSUES - CRYPTO ISSUES
INFO - No issues to report
ISSUES - BROADCAST ISSUES
INFO - No issues to report
ISSUES - CERTIFICATE VALIDATION ISSUES
INFO - No issues to report
ISSUES - PENDING INTENT ISSUES
POTENTIAL VULNERABILITY - Implicit Intent: localIntent used to create instance of PendingIntent. A malicious application could potentially intercept, redirect and/or modify (in a limited manner) this Intent. Pending Intents retain the UID of your application and all related permissions, allowing another application to act as yours. File: /Users/srini0x00/Downloads/testapp/classes_dex2jar/android/support/v4/app/TaskStackBuilder.java More details: https://www.securecoding.cert.org/confluence/display/android/DRD21-J.+Always+pass+explicit+intents+to+a+PendingIntent
ISSUES - FILE PERMISSION ISSUES
INFO - No issues to report
ISSUES - WEB-VIEW ISSUES
INFO - FOUND 0 WEBVIEWS:
WARNING - Please use the exploit APK to manually test for TapJacking until we have a chance to complete this module. The impact should be verified manually anyway, so have fun...
INFO - Content Providers appear to be in use, locating...
INFO - FOUND 0 CONTENTPROVIDERS:
ISSUES - ADB EXPLOIT COMMANDS
INFO - Until we perfect this, for manually testing, run the following command to see all the options and their meanings: adb shell am. Make sure to update qark frequently to get all the enhancements! You'll also find some good examples here: http://xgouchet.fr/android/index.php?article42/launch-intents-using-adb
==>EXPORTED ACTIVITIES:
1 com.isi.testapp.MainActivity
adb shell am start -a "android.intent.action.MAIN" -n "com.isi.testapp/com.isi.testapp.MainActivity"
2 com.isi.testapp.Welcome
adb shell am start -n "com.isi.testapp/com.isi.testapp.Welcome"
To view any sticky broadcasts on the device:
adb shell dumpsys activity| grep sticky
INFO - Support for other component types and dynamically adding extras is in the works, please check for updates
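The PENDING INTENT finding in the output above is the kind of check that can be reproduced with a few lines of static analysis over the decompiled sources. The following Python script is added here as an illustration (it is not QARK's own code) and implements a simplified, flow-insensitive version of that check: an Intent handed to a PendingIntent factory is reported unless it was built with a Class argument or later pinned with setClass, setClassName, setComponent or setPackage. The decompiled Java it scans is constructed for the example, as are the class and action names in it. The remediation the CERT rule referenced by QARK describes is the one the script treats as safe: make the Intent explicit (or at least restrict it to a package), and on API 23 and later also pass PendingIntent.FLAG_IMMUTABLE so the recipient cannot alter it.

```python
# Added example: a simplified, flow-insensitive version of the implicit
# PendingIntent check that produced the finding above, run over decompiled
# Java source. This is not QARK's own code; the Java below is constructed.
import re

# Constructed decompiled source (hypothetical class and action names).
SAMPLE_JAVA = """package com.example.sampleapp;
public class Notifier {
    void schedule(Context ctx, Uri uri) {
        Intent localIntent = new Intent("com.example.ACTION_REFRESH");
        PendingIntent pi = PendingIntent.getBroadcast(ctx, 0, localIntent, PendingIntent.FLAG_UPDATE_CURRENT);
        Intent explicitIntent = new Intent(ctx, RefreshReceiver.class);
        PendingIntent safe = PendingIntent.getBroadcast(ctx, 1, explicitIntent, PendingIntent.FLAG_UPDATE_CURRENT);
        Intent fixed = new Intent("com.example.ACTION_SYNC");
        fixed.setPackage(ctx.getPackageName());
        PendingIntent alsoSafe = PendingIntent.getService(ctx, 2, fixed, PendingIntent.FLAG_UPDATE_CURRENT);
        PendingIntent view = PendingIntent.getActivity(ctx, 3, new Intent(Intent.ACTION_VIEW, uri), 0);
    }
}
"""

# "Intent name = new Intent(...);" declarations.
DECL_RE = re.compile(r"\bIntent\s+(\w+)\s*=\s*new\s+Intent\s*\(([^;]*)\)\s*;")
# Calls that pin an Intent to a component or package, making it explicit.
TARGET_RE = re.compile(r"\b(\w+)\.(setClass|setClassName|setComponent|setPackage)\s*\(")
# PendingIntent factory calls; the Intent is always the third argument.
PENDING_RE = re.compile(
    r"PendingIntent\.(getActivity|getBroadcast|getService|getForegroundService)\s*\(([^;]*)\)\s*;")


def split_args(text):
    """Split an argument list on top-level commas only."""
    args, depth, current = [], 0, []
    for ch in text:
        if ch in "([{":
            depth += 1
        elif ch in ")]}":
            depth -= 1
        if ch == "," and depth == 0:
            args.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    if current:
        args.append("".join(current).strip())
    return args


def find_implicit_pending_intents(source):
    """Return (line, factory method, intent expression) for every PendingIntent
    built from an Intent that names no target class, component or package."""
    explicit = {}
    for m in DECL_RE.finditer(source):
        # Constructors that take a Class, (Context, Class) or
        # (action, uri, Context, Class), yield explicit Intents;
        # anything else starts out implicit.
        explicit[m.group(1)] = ".class" in m.group(2)
    for m in TARGET_RE.finditer(source):
        # Flow-insensitive: a setClass/setComponent/setPackage anywhere counts.
        explicit[m.group(1)] = True
    findings = []
    for m in PENDING_RE.finditer(source):
        method, args = m.group(1), split_args(m.group(2))
        if len(args) < 3:
            continue
        intent_expr = args[2]
        line = source.count("\n", 0, m.start()) + 1
        if intent_expr.startswith("new Intent"):
            if ".class" not in intent_expr:
                findings.append((line, method, intent_expr))
        elif explicit.get(intent_expr) is False:
            findings.append((line, method, intent_expr))
    return findings


def describe(findings):
    """Render findings in the wording QARK uses for this issue."""
    return ["POTENTIAL VULNERABILITY - Implicit Intent: %s used to create instance of "
            "PendingIntent via %s (line %d)" % (expr, method, line)
            for line, method, expr in findings]


if __name__ == "__main__":
    for msg in describe(find_implicit_pending_intents(SAMPLE_JAVA)):
        print(msg)
```

On the constructed source, the broadcast built from localIntent and the inline action-only Intent passed to getActivity are reported; the Intent built with a Class and the one restricted with setPackage are not. Because the check ignores control flow, a setPackage call on a different path still counts, so treat its output as a list of places to verify by hand, exactly as the text recommends for QARK's own findings.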
After the scan, QARK will present the following screen. This is one of its unique features, which allows us to create a POC app by choosing option [1]:
Additionally, it provides some adb commands to exploit the issues identified.
Another feature of QARK worth mentioning is its ability to produce clear reports.
Reporting
As we can see in the previous screenshot, QARK has generated a report with the name report.html. We can navigate to the path provided in the previous screenshot and open the report.html file to view the report.
QARK reporting is simple and clean.
The following screenshot shows the overview of QARK findings under Dashboard:
Let's first check the vulnerabilities reported from the Manifest file:
As we can see, there are two vulnerabilities identified. Apart from the vulnerability information, there are some references provided to help understand the vulnerability and its risks.
The next tab has vulnerabilities related to app components:
As we can see in the preceding screenshot, QARK has identified two activities that are exported. Manual verification is required to decide whether they are really vulnerabilities that pose some risk to the app. For this, we need to create a malicious application or use some adb commands. QARK provides these adb commands in its report, as shown in the following screenshot:
We can install the target app on a device/emulator and run these commands on a PC.