quick android review kit (qark)
TRANSCRIPT
Quick Android Review KIT
(QARK)
Android Security Testing Tool
Hello! I am Chandan Kumar
This presentation is about an open source security tool for static code analysis.
You can find me @ [email protected]
QARK
WHAT IS IT?
Quick Android Review KIT (QARK)
“QARK is a static code analysis tool, designed to recognize potential security vulnerabilities and points of concern for Java-based Android applications. QARK was designed to be community based, available to everyone and free for use.”
What does it do? The types of security vulnerabilities this tool attempts to find include:
Improperly protected exported components
Intents which are vulnerable to interception or eavesdropping
Improper x.509 certificate validation
Activities which may leak data
Insecurely created Pending Intents
Sending of insecure Broadcast Intents
Private keys embedded in the source
Weak or improper cryptography use
Potentially exploitable WebView configurations
Tapjacking
Apps supporting outdated API versions, with known vulnerabilities
Requirements:
● Python 2.7.6
● JRE 1.6+ (preferably 1.7+)
● OSX or Ubuntu Linux (others may work, but are not fully tested)
Download QARK from the following link: http://resources.infosecinstitute.com/wp-content/uploads/qark-master.zip
AUDIT STEPS:
➜ Download the QARK
➜ Navigate to the qark folder and type <python qark.py>
➜ Enter option (1/2) to provide apk/source code.
➜ Inspect Manifest file
➜ Decompile the apk and vulnerabilities will be displayed on the screen
➜ You can create a custom apk of the vulnerable app and print the report of SCA (Static Code Analysis)
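The "Inspect Manifest file" step above, and the first vulnerability class in the list ("improperly protected exported components"), can be illustrated with a small manifest check. The following is an added example written for this page, not QARK's own code: it parses a constructed AndroidManifest.xml, applies the pre-API-31 export default (a component with an intent-filter is exported unless it says android:exported="false") and reports every exported component that declares no android:permission. It is written for Python 3, not the Python 2.7 that QARK itself requires.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest (not from the original deck): an activity exported
# implicitly through an intent-filter with no permission, a receiver that is
# explicitly exported but guarded by a permission, and a non-exported service.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <application>
    <activity android:name=".ShareActivity">
      <intent-filter>
        <action android:name="android.intent.action.SEND"/>
      </intent-filter>
    </activity>
    <receiver android:name=".AdminReceiver" android:exported="true"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <service android:name=".SyncService" android:exported="false"/>
  </application>
</manifest>"""


def is_exported(component):
    """Pre-API-31 rule: exported if android:exported="true", or if the component
    has an <intent-filter> and does not explicitly set android:exported="false"."""
    declared = component.get(f"{{{ANDROID_NS}}}exported")
    if declared is not None:
        return declared.lower() == "true"
    return component.find("intent-filter") is not None


def find_unprotected_exported(manifest_xml):
    """Return (tag, android:name) for every exported component that has no
    android:permission, i.e. the class QARK reports as improperly protected."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for comp in root.iter():
        if comp.tag not in COMPONENT_TAGS or not is_exported(comp):
            continue
        if comp.get(f"{{{ANDROID_NS}}}permission") is None:
            findings.append((comp.tag, comp.get(f"{{{ANDROID_NS}}}name")))
    return findings


if __name__ == "__main__":
    for tag, name in find_unprotected_exported(SAMPLE_MANIFEST):
        print(f"unprotected exported {tag}: {name}")
```

Run it against a decompiled app's AndroidManifest.xml to get the same first-pass finding QARK produces for this class; whether each hit is a real issue still depends on what the component does with the incoming intent.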
Thanks! Any questions?
You can find me at: [email protected]