Qark DefCon 23

Jan 15, 2017

Transcript
Page 1: Qark DefCon 23

QARK

Page 2

WHO ARE WE?

PENETRATION TESTERS AT LINKEDIN

• TONY TRUMMER – STAFF INFORMATION SECURITY ENGINEER

• TUSHAR DALVI – SENIOR INFORMATION SECURITY ENGINEER

Page 3

WHAT IS QARK?

QUICK ANDROID REVIEW KIT

AN AUDITING AND ATTACK FRAMEWORK

A PROGRESSION OF OTHER TOOLS/IDEAS

A PINCH OF INNOVATION

LOTS OF (HORRIBLY WRITTEN) PYTHON

Page 4

QARK’S MISSION

RAISE THE BAR

SHARE KNOWLEDGE

COMMUNITY INVOLVEMENT

MOTIVATE OTHERS

Page 5

ANDROID ISSUES

FRAGMENTATION

USERS DON’T UPDATE

IMPROPER TLS, IF ANY

NUMEROUS TAINTED SOURCES

CLIENT SIDE FAIL – NO ONE WILL KNOW

Page 6

MOTIVATION

WE’RE LAZY

OUR BOSS IS CRAZY

WE HAVE LOTS OF APPS TO PROTECT

DEVELOPERS ARE EVEN LAZIER THAN US

WE HATE REPEATING BUGS

LOTS OF SMALL DEV SHOPS (AKA NO SECURITY)

Page 7

UNDER THE HOOD

PARSING: PLYJ, BEAUTIFULSOUP, MINIDOM

REVERSING: PROCYON, JD-CORE, CFR, DEX2JAR, APKTOOL

CODE: PYTHON

TOOLS & BUILDING: ANDROID SDK

Page 8

APK STRUCTURE

RESOURCES.ARSC

/RES

ANDROIDMANIFEST.XML

CLASSES.DEX

/META-INF

/LIB

/ASSETS

Page 9

REVERSING APKs

GET MANIFEST • APKTOOL D FOO.APK

UNZIP APK • APK TO ZIP; UNZIP

DALVIK BYTECODE • DEX2JAR CLASSES.DEX

JAVA BYTECODE • JD-GUI

RAW JAVA FILES

Page 10

ACQUISITION

SIMPLIFIES APK RETRIEVAL FROM DEVICES

DECOMPRESSES APK

CONVERTS ANDROIDMANIFEST.XML TO TEXT

PARSES ANDROIDMANIFEST.XML

FINDS PERMISSIONS ISSUES

FINDS EXPORTED COMPONENTS, SUPPORTED VERSIONS, ETC.

Page 11

COMMUNICATION SOURCES

WEBVIEWS

INTENTS

NETWORK REQUESTS

DEEPLINK URLS

AIDL

MESSAGES

Page 12

COMPONENTS

ACTIVITY: ONCREATE(), ONSTART(), ONRESUME(), ONPAUSE(), ONSTOP(), ONDESTROY(), ONRESTART()

SERVICE: ONCREATE(), ONBIND(), ONSTARTCOMMAND(), ONUNBIND(), ONDESTROY()

PROVIDER: ONCREATE()

RECEIVER: ONRECEIVE()

Page 13

PARSE STRUCTURE

MAPS MANIFEST TO CLASSES

PARSES JAVA CLASSES

LOCATES “ENTRY POINT” METHODS

Page 14

SOURCE TO SINK

FINDS SOURCES OF TAINTED INPUT

TRACKS POTENTIALLY TAINTED INPUT

RECORDS ANY “SINKS” ENCOUNTERED

STORES INFORMATION GATHERED ALONG WITH MANIFEST DETAILS FOR LATER USE

SECURITY MAGIC

Page 15

QARK CHECKS

EXAMINES WEBVIEW CONFIGURATIONS AND PROVIDES TEMPLATED HTML FILES FOR VALIDATION OF VULNERABILITIES

LOOKS FOR COMMON X.509 CERTIFICATE VALIDATION ISSUES

LOOKS FOR VULNERABILITIES ORIGINATING FROM WITHIN THE APP, INSPECTING BROADCAST, STICKY AND PENDING INTENTS

LOOKS FOR EMBEDDED PRIVATE KEYS AND INCORRECTLY IMPLEMENTED CRYPTO ISSUES

LOOKS FOR WORLD-READABLE AND WORLD-WRITEABLE FILES
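Several of the checks on this slide (WebView settings, X.509 and hostname validation, world-accessible files) reduce to pattern matching over decompiled Java. The scanner below is an added example written for this transcript, not QARK's code, and its regexes are my own simplifications rather than QARK's rules. It runs over a constructed Java class, `NetUtil` in the hypothetical package `com.example.toy`, that deliberately contains each weakness so the detections can be checked against known line numbers.

```python
# Added example (not QARK's own code): regex checks over decompiled Java source
# for the WebView, TLS validation and file-permission issues named on the slide.
import re

# (check id, pattern). The patterns are illustrative, not QARK's own rules.
CHECKS = [
    ("webview-js-enabled", r"setJavaScriptEnabled\s*\(\s*true\s*\)"),
    ("webview-js-interface", r"addJavascriptInterface\s*\("),
    ("webview-file-access",
     r"setAllow(?:FileAccess|UniversalAccessFromFileURLs|FileAccessFromFileURLs)"
     r"\s*\(\s*true\s*\)"),
    # X509TrustManager.checkServerTrusted with an empty body trusts every chain
    ("tls-empty-trust-check",
     r"void\s+checkServerTrusted\s*\([^)]*\)[^{]*\{\s*\}"),
    # HostnameVerifier.verify that always returns true, or the old Apache constant
    ("tls-accept-all-hostnames",
     r"(?:boolean\s+verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;\s*\}"
     r"|ALLOW_ALL_HOSTNAME_VERIFIER)"),
    ("world-accessible-file", r"MODE_WORLD_(?:READABLE|WRITEABLE)"),
]

# Constructed sample of decompiled Java containing each weakness; not real app code.
SAMPLE_JAVA = """\
package com.example.toy;

public class NetUtil {
    void setupWebView(WebView wv) {
        wv.getSettings().setJavaScriptEnabled(true);
        wv.getSettings().setAllowFileAccess(true);
        wv.addJavascriptInterface(new Bridge(), "bridge");
    }

    TrustManager[] trustAll() {
        return new TrustManager[] { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) { }
            public void checkServerTrusted(X509Certificate[] c, String a) { }
            public X509Certificate[] getAcceptedIssuers() { return null; }
        } };
    }

    HostnameVerifier lax() {
        return new HostnameVerifier() {
            public boolean verify(String host, SSLSession s) { return true; }
        };
    }

    void save(Context ctx, byte[] data) throws IOException {
        FileOutputStream out = ctx.openFileOutput("cache", Context.MODE_WORLD_READABLE);
        out.write(data);
    }
}
"""


def scan_java(source):
    """Return (check id, 1-based line number) for every match, ordered by line."""
    findings = []
    for check_id, pattern in CHECKS:
        for match in re.finditer(pattern, source):
            line = source.count("\n", 0, match.start()) + 1
            findings.append((check_id, line))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    for check_id, line in scan_java(SAMPLE_JAVA):
        print("line %2d: %s" % (line, check_id))
```

The line numbers come from counting newlines before each match, which is why the multi-line trust-manager and hostname-verifier patterns report the line where `void`/`boolean` begins. A real scanner would run this over every decompiled class and join the hits with the manifest data, which is the "stores information gathered along with manifest details" step from the SOURCE TO SINK slide.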

Page 16

DEMO TIME !!

Page 17

UNIQUE FEATURES

USES MULTIPLE DECOMPILERS TO PROVIDE BETTER RESULTS

BUILDS AN APK FOR MANUAL TESTING

CONTAINS SWISS-ARMY KNIFE STYLE SET OF FUNCTIONALITIES

CREATES ADB COMMANDS TO EXPLOIT DISCOVERED VULNERABILITIES

CREATES CUSTOM EXPLOIT APK FOR POINT-AND-CLICK PWNAGE

Page 18

QARK IS NOT (YET)

A FORENSICS TOOL

A DYNAMIC ANALYSIS TOOL

PERFECT

FINISHED

Page 19

FUTURE PLANS

DYNAMIC ANALYSIS FUNCTIONALITY

SMALI INSPECTION

NON-ANDROID SPECIFIC JAVA VULNS

ODEX SUPPORT

IMPROVE EXTENSIBILITY

ASK FOR YOUR HELP

Page 20

ACKNOWLEDGEMENTS

MWR LABS: DROZER

RAFAY BALOCH, ET AL, FOR THE WEBVIEW EXPLOITS

NVISIUM: TAPJACKING CODE

THE AUTHORS AND MAINTAINERS OF ALL THE OPENSOURCE PROJECTS USED IN QARK

JASON HADDIX, SAM BOWNE, ET AL, FOR SUPPLYING SOME VULNERABLE APKS

Page 21

CONTACT INFO

WWW.SECBRO.COM

• TONY TRUMMER – WWW.LINKEDIN.COM/IN/TONYTRUMMER – @SECBRO1

• TUSHAR DALVI – WWW.LINKEDIN.COM/IN/TDALVI – @TUSHARDALVI

Page 22

WHERE TO GET QARK?

LINKEDIN’S GIT REPO

HTTPS://GITHUB.COM/LINKEDIN/QARK