QARK
WHO are we?
PENETRATION TESTERS AT LINKEDIN
• TONY TRUMMER, STAFF INFORMATION SECURITY ENGINEER
• TUSHAR DALVI, SENIOR INFORMATION SECURITY ENGINEER
WHAT IS QARK?
QUICK ANDROID REVIEW KIT
AN AUDITING AND ATTACK FRAMEWORK
A PROGRESSION OF OTHER TOOLS/IDEAS
A PINCH OF INNOVATION
LOTS OF (HORRIBLY WRITTEN) PYTHON
ANDROID ISSUES
FRAGMENTATION
USERS DON’T UPDATE
IMPROPER TLS, IF ANY
NUMEROUS TAINTED SOURCES
CLIENT SIDE FAIL – NO ONE WILL KNOW
MOTIVATION
WE’RE LAZY
OUR BOSS IS CRAZY
WE HAVE LOTS OF APPS TO PROTECT
DEVELOPERS ARE EVEN LAZIER THAN US
WE HATE REPEATING BUGS
LOTS OF SMALL DEV SHOPS (AKA NO SECURITY)
UNDER THE HOOD
PARSING: PLYJ, BEAUTIFULSOUP, MINIDOM
REVERSING: PROCYON, JD-CORE, CFR, DEX2JAR, APKTOOL
CODE: PYTHON
TOOLS & BUILDING: ANDROID SDK
REVERSING APKs
GET MANIFEST • APKTOOL D FOO.APK
UNZIP APK • APK TO ZIP; UNZIP
DALVIK BYTECODE • DEX2JAR CLASSES.DEX
JAVA BYTECODE • JD-GUI
RAW JAVA FILES
ACQUISITION
SIMPLIFIES APK RETRIEVAL FROM DEVICES
DECOMPRESSES APK
CONVERTS ANDROIDMANIFEST.XML TO TEXT
PARSES ANDROIDMANIFEST.XML
FINDS PERMISSIONS ISSUES
FINDS EXPORTED COMPONENTS, SUPPORTED VERSIONS, ETC.
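An added example (not QARK's own code) of the manifest check described above: parse AndroidManifest.xml and flag the components other apps can reach, applying the explicit android:exported flag, the implicit-export rule for components with an intent-filter, and the pre-API-17 default for providers. The manifest is constructed for illustration, and xml.etree is used in place of the minidom parser named on the slides.

```python
# Added example (not QARK's own code): flag exported components in an
# AndroidManifest.xml the way an auditing tool's manifest parser would.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest, not taken from a real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <uses-sdk android:minSdkVersion="16" android:targetSdkVersion="22"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".InternalActivity" android:exported="false"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.demo.SYNC"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <provider android:name=".DataProvider" android:authorities="com.example.demo.data"/>
  </application>
</manifest>"""


def attr(el, name):
    """Read an android:-namespaced attribute, or None if it is absent."""
    return el.get("{%s}%s" % (ANDROID_NS, name))


def exported_components(manifest_xml):
    """Return (tag, name, reason, permission) for each component other apps can reach.
    Rules: android:exported="true"; an <intent-filter> with no exported attribute
    (implicit export); a <provider> with no exported attribute on minSdk < 17."""
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    min_sdk = int(attr(sdk, "minSdkVersion") or 1) if sdk is not None else 1
    findings = []
    for el in root.iter():
        if el.tag not in COMPONENT_TAGS:
            continue
        exported = attr(el, "exported")
        if exported == "true":
            reason = "android:exported=true"
        elif exported is None and el.find("intent-filter") is not None:
            reason = "intent-filter with no android:exported (implicitly exported)"
        elif exported is None and el.tag == "provider" and min_sdk < 17:
            reason = "provider with no android:exported on minSdk < 17"
        else:
            continue  # explicitly exported="false", or no entry point for other apps
        findings.append((el.tag, attr(el, "name"), reason, attr(el, "permission")))
    return findings
```

The permission column matters for triage: an exported component guarded by a signature-level permission is a much smaller exposure than one with no permission at all.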
COMPONENTS
ACTIVITY: ONCREATE(), ONSTART(), ONRESUME(), ONPAUSE(), ONSTOP(), ONDESTROY(), ONRESTART()
SERVICE: ONCREATE(), ONBIND(), ONSTARTCOMMAND(), ONUNBIND(), ONDESTROY()
PROVIDER: ONCREATE()
RECEIVER: ONRECEIVE()
SOURCE TO SINK
FINDS SOURCES OF TAINTED INPUT
TRACKS POTENTIALLY TAINTED INPUT
RECORDS ANY “SINKS” ENCOUNTERED
STORES INFORMATION GATHERED ALONG WITH MANIFEST DETAILS FOR LATER USE
SECURITY MAGIC: QARK CHECKS
EXAMINES WEBVIEW CONFIGURATIONS AND PROVIDES TEMPLATED HTML FILES FOR VALIDATION OF VULNERABILITIES
LOOKS FOR COMMON X.509 CERTIFICATE VALIDATION ISSUES
LOOKS FOR VULNERABILITIES ORIGINATING FROM WITHIN THE APP, INSPECTING BROADCAST, STICKY AND PENDING INTENTS
LOOKS FOR EMBEDDED PRIVATE KEYS AND INCORRECTLY IMPLEMENTED CRYPTO
LOOKS FOR WORLD-READABLE AND WORLD-WRITEABLE FILES
UNIQUE FEATURES
USES MULTIPLE DECOMPILERS TO PROVIDE BETTER RESULTS
BUILDS AN APK FOR MANUAL TESTING
CONTAINS SWISS-ARMY KNIFE STYLE SET OF FUNCTIONALITIES
CREATES ADB COMMANDS TO EXPLOIT DISCOVERED VULNERABILITIES
CREATES CUSTOM EXPLOIT APK FOR POINT-AND-CLICK PWNAGE
FUTURE PLANS
DYNAMIC ANALYSIS FUNCTIONALITY
SMALI INSPECTION
NON-ANDROID SPECIFIC JAVA VULNS
ODEX SUPPORT
IMPROVE EXTENSIBILITY
ASK FOR YOUR HELP
ACKNOWLEDGEMENTS
MWR LABS: DROZER
RAFAY BALOCH, ET AL, FOR THE WEBVIEW EXPLOITS
NVISIUM: TAPJACKING CODE
THE AUTHORS AND MAINTAINERS OF ALL THE OPENSOURCE PROJECTS USED IN QARK
JASON HADDIX, SAM BOWNE, ET AL, FOR SUPPLYING SOME VULNERABLE APKS
CONTACT INFO
WWW.SECBRO.COM
TONY TRUMMER • WWW.LINKEDIN.COM/IN/TONYTRUMMER • @SECBRO1
TUSHAR DALVI • WWW.LINKEDIN.COM/IN/TDALVI • @TUSHARDALVI