Android penetration tools walkthrough series: QARK
In this article, we are going to learn how to use the Quick Android Review Kit (QARK). QARK is one of the most efficient Android static analysis tools, developed by two LinkedIn security researchers, Tushar Dalvi and Tony Trummer. It is designed to look for several security-related vulnerabilities in Android applications, either in source code or in packaged APKs. The project is written entirely in Python and uses the plyj library, which lets Python parse Java code and is further used to map Java objects. Dalvi and Trummer say that the motivation behind creating the tool was the mwrlabs DROZER tool, which is indeed a great Android application penetration testing tool but requires expertise to use; QARK, by contrast, is very simple and easy to use. Let's have a look at what QARK can do and which Android application vulnerabilities it can find:
- Inadvertently exported components
- Improperly protected exported components
- Intents which are vulnerable to interception or eavesdropping
- Improper x.509 certificate validation
- Creation of world-readable or world-writeable files
- Activities which may leak data
- The use of Sticky Intents
- Insecurely created Pending Intents
- Sending of insecure Broadcast Intents
- Private keys embedded in the source
- Weak or improper cryptography use
- Potentially exploitable WebView configurations
- Exported Preference Activities
- Tapjacking
- Apps which enable backups
- Apps which are debuggable
- Apps supporting outdated API versions, with known vulnerabilities
And the best part is that it can produce ADB commands, or even fully functional APKs, that turn the hypothetical vulnerabilities listed above into working proof-of-concept (POC) exploits. There is no need to root the device: the generated POCs exercise the target application's own exposed components, which any app on the device can reach, rather than relying on platform privileges.
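To make the manifest part of that analysis concrete, here is an added example that is not QARK's own code: a small Python analyzer that applies the platform's export rules to an AndroidManifest.xml, flags the debuggable and backup-enabled application attributes, and emits the same kind of ADB one-liners QARK produces for unprotected exported components. The manifest, package name and component names are constructed for this example and are not GoatDroid's; the ADB templates use only standard `am` and `content` subcommands.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest for this example; it is not GoatDroid's real
# manifest, just enough components to exercise each check once.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.vulnapp">
  <application android:allowBackup="true" android:debuggable="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".ViewProfileActivity" android:exported="true"/>
    <activity android:name=".AdminActivity" android:exported="true"
              android:permission="com.example.vulnapp.ADMIN"/>
    <activity android:name=".HiddenActivity"/>
    <service android:name=".SyncService">
      <intent-filter>
        <action android:name="com.example.vulnapp.SYNC"/>
      </intent-filter>
    </service>
    <receiver android:name=".BootReceiver" android:exported="false"/>
    <provider android:name=".NotesProvider"
              android:authorities="com.example.vulnapp.notes"
              android:exported="true"/>
  </application>
</manifest>
"""


def attr(elem, name):
    """Read an android:-namespaced attribute, or None if it is absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def qualify(package, name):
    """Expand the shorthand forms Android allows in android:name."""
    if name.startswith("."):
        return package + name
    if "." not in name:
        return package + "." + name
    return name


def is_exported(component):
    """Platform rule: an explicit android:exported wins; otherwise a
    component is exported if and only if it declares an <intent-filter>."""
    explicit = attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None


def is_launcher(component):
    """The MAIN/LAUNCHER activity must be exported, so it is not a finding."""
    for f in component.findall("intent-filter"):
        cats = [attr(c, "name") for c in f.findall("category")]
        if "android.intent.category.LAUNCHER" in cats:
            return True
    return False


def analyze_manifest(xml_text):
    """Return (issue, target) tuples in manifest order."""
    root = ET.fromstring(xml_text)
    package = root.get("package")
    app = root.find("application")
    findings = []
    if attr(app, "debuggable") == "true":
        findings.append(("debuggable", package))
    if attr(app, "allowBackup") != "false":   # platform default is true
        findings.append(("backup-enabled", package))
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in app.findall(tag):
            if not is_exported(comp) or is_launcher(comp):
                continue
            if attr(comp, "permission"):
                continue   # exported, but callers must hold a permission
            target = (attr(comp, "authorities") if tag == "provider"
                      else qualify(package, attr(comp, "name")))
            findings.append(("exported-" + tag, target))
    return findings


# adb templates for reaching each kind of unprotected component from a shell
ADB_TEMPLATES = {
    "exported-activity": "adb shell am start -n {pkg}/{target}",
    "exported-service": "adb shell am startservice -n {pkg}/{target}",
    "exported-receiver": "adb shell am broadcast -n {pkg}/{target}",
    "exported-provider": "adb shell content query --uri content://{target}",
}


def poc_commands(xml_text):
    """Turn the exported-component findings into adb one-liners."""
    package = ET.fromstring(xml_text).get("package")
    cmds = []
    for issue, target in analyze_manifest(xml_text):
        if issue in ADB_TEMPLATES:
            cmds.append(ADB_TEMPLATES[issue].format(pkg=package, target=target))
    return cmds


if __name__ == "__main__":
    for issue, target in analyze_manifest(SAMPLE_MANIFEST):
        print("%-18s %s" % (issue, target))
    for cmd in poc_commands(SAMPLE_MANIFEST):
        print(cmd)
```

On the sample manifest this reports the debuggable and backup flags, the exported ViewProfileActivity, the implicitly exported SyncService (exported only because of its intent filter) and the NotesProvider, and skips the launcher activity, the permission-guarded AdminActivity, the non-exported HiddenActivity and BootReceiver. One caveat worth knowing when reviewing newer apps: from API level 31 (Android 12) the platform refuses to install an app whose components carry intent filters without an explicit android:exported value, so the implicit-export branch matters mainly for older targets.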
Tool requirements
- Python 2.7.6
- JRE 1.6+ (preferably 1.7+)
- OSX or RHEL6.6 (Others may work, but not fully tested)
Let's install the tool
Step1: Clone the master branch of the QARK repository.
Step2: Change into the cloned repository.
Step3: Install the requirements with "pip install -r requirements.txt".
Step4: Once the requirements are installed, you may install QARK as a Python module via setup.py. Here we will use qarkMain.py to run QARK directly from the checkout.
Step5: From the qark directory, run QARK in interactive mode with "python qarkMain.py". It asks whether to download and install the Android SDK; if you already have the SDK, just provide its path as shown in the screenshot below.
Analyzing an apk through QARK
We will use GoatDroid, a deliberately vulnerable Android application, for the static analysis. Continuing in the same interactive QARK shell from the installation above, we will analyze goatdroid.apk. QARK can analyze either a compiled .apk or the application's source code; here we discuss static analysis of the .apk file.
Step1: Choose 1 in the interactive shell and provide the path to the .apk as shown in the screenshot below. Type y to analyze the Android manifest for possible vulnerabilities such as exported activities, exported services, exported broadcast receivers, and so on.
Step2: Press Enter to have QARK start the decompilation step of the static analysis. QARK uses three decompilers, JD-Core, Procyon and CFR, to decompile the APK; this reverses the compiled classes back to approximate Java source, which is then analyzed further for vulnerabilities.
Step3: Press Enter to begin the static code analysis on the decompiled code. QARK automatically looks for the vulnerabilities shown in the screenshot below.
Step4: QARK has now finished the static analysis of the supplied APK; next we create POC exploits for the vulnerabilities it found. Type 1 to generate the exploit build for the APK you provided.
Step5: Our exploit build is now ready. It can be installed on either a physical device or an emulator; here we use an emulator with goatdroid.apk preinstalled. Type y to install the exploit APK on the emulator/device. At the same time QARK generates an HTML report of the static analysis; we look at the report first and then at the exploit APK on the emulator.
Step6: The report is generated inside the qark directory; open it in any web browser.
Step7: Open the emulator and navigate to the exploit POC app created by QARK. goatdroid.apk is already installed in this emulator.
Step8: Open the QARK Exploit POC application. It lists POCs for the various vulnerabilities found; here I will show the tapjacking one and leave the rest for you to explore.
Step 9: Tapjacking is the mobile counterpart of clickjacking. Clickjacking is a web application vulnerability in which a page is overlaid so that the victim's clicks land on a hidden target; in tapjacking, a malicious Android app draws its own window over another app's activity so that the victim's taps pass through to the critical views and activities underneath and perform actions the attacker wants. Let's tapjack the View Profile activity in GoatDroid: tap the activity as shown.
Step 10: The activity gets tapjacked. The fix on the application side is for sensitive views to set android:filterTouchesWhenObscured="true" (or call setFilterTouchesWhenObscured(true)), so that touches delivered while another window obscures the view are discarded.
QARK is an excellent tool for static analysis of Android applications: it reduces the penetration tester's manual effort and makes it easy to produce valid proofs of concept.