Quick Android Review KIT (QARK) Android Security Testing Tool

Upload: chandan-kumar-sonkar

Posted on 15-Jan-2017


Page 1: Quick android review kit (qark)

Quick Android Review KIT

(QARK)

Android Security Testing Tool

Page 2: Quick android review kit (qark)

Hello! I am Chandan Kumar

This presentation is about an open source security tool for static code analysis.

You can find me @ [email protected]

Page 3: Quick android review kit (qark)

QARK

WHAT IS IT?

Page 4: Quick android review kit (qark)

Quick Android Review KIT (QARK)

“QARK is a static code analysis tool, designed to recognize potential security vulnerabilities and points of concern for Java-based Android applications. QARK was designed to be community based, available to everyone and free for use.”

Page 5: Quick android review kit (qark)

What does it do? The types of security vulnerabilities this tool attempts to find include:

Improperly protected exported components

Intents which are vulnerable to interception or eavesdropping

Improper x.509 certificate validation

Activities which may leak data

Insecurely created Pending Intents

Sending of insecure Broadcast Intents

Private keys embedded in the source

Weak or improper cryptography use

Potentially exploitable WebView configurations

Tapjacking

Apps supporting outdated API versions, with known vulnerabilities

Page 6: Quick android review kit (qark)

Requirements:

● Python 2.7.6

● JRE 1.6+ (preferably 1.7+)

● OSX or Ubuntu Linux (Others may work, but not fully tested)

Page 7: Quick android review kit (qark)

Download QARK from the following link: http://resources.infosecinstitute.com/wp-content/uploads/qark-master.zip

Page 8: Quick android review kit (qark)

AUDIT STEPS:

➜ Download QARK.

➜ Navigate to the qark folder and type: python qark.py

➜ Enter option 1 or 2 to provide an APK or the source code.

➜ Inspect the Manifest file.

➜ Decompile the APK; the vulnerabilities found will be displayed on the screen.

➜ You can create a custom APK of the vulnerable app and print the SCA (Static Code Analysis) report.
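To show the kind of check behind the "improperly protected exported components" finding listed earlier, here is an added example (not code from these slides or from the QARK project) in Python 3: it parses a constructed AndroidManifest.xml and lists every exported component that no android:permission guards. The package name, component names and manifest content are invented for the demo.

```python
# Added example, not code from the QARK slides or the QARK project: a small
# manifest check in the spirit of QARK's "improperly protected exported
# components" finding. The manifest text is constructed for this demo.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENTS = ("activity", "service", "receiver", "provider")

# Constructed manifest: an exported service with no permission, a receiver
# exported implicitly through its intent-filter, a receiver guarded by a
# permission, and a service kept private.
SAMPLE_MANIFEST = """<manifest xmlns:android="%s" package="com.example.demo">
  <application>
    <service android:name=".SyncService" android:exported="true"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver" android:exported="true"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <service android:name=".LocalService" android:exported="false"/>
  </application>
</manifest>""" % ANDROID_NS

def attr(elem, name):
    """Read an android:-namespaced attribute, or None if it is absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def is_exported(elem):
    """Platform rule: an explicit android:exported value wins; otherwise a
    component that declares an intent-filter is exported by default."""
    explicit = attr(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return elem.find("intent-filter") is not None

def find_unprotected_exports(manifest_xml):
    """Return (type, name) for every exported component that no
    android:permission guards, i.e. anything another app can reach freely."""
    root = ET.fromstring(manifest_xml)
    return [(tag, attr(comp, "name"))
            for tag in COMPONENTS
            for comp in root.iter(tag)
            if is_exported(comp) and not attr(comp, "permission")]

if __name__ == "__main__":
    for kind, name in find_unprotected_exports(SAMPLE_MANIFEST):
        print("exported %s without permission: %s" % (kind, name))
```

The implicit-export rule is the one that most often surprises developers: a receiver or service with an intent-filter and no android:exported attribute is reachable by other apps even though nothing in the manifest says "exported".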

Page 9: Quick android review kit (qark)

Thanks! Any questions?

You can find me at: [email protected]