QARK - Free Android App Scanner to find Security Vulnerabilities
QARK (Quick Android Review Kit) is a free Android app scanner to find security vulnerabilities. This tool is able to extract the source code from apk file and list out security vulnerabilities. This tool is not a comprehensive tool but surely it is one of the tools to provide some good observations and issues for Android mobile apk.
Vulnerabilities related to exported components, intents, improper x.509 certificate validation, configuration related to files, activities, private keys embedded in the source, cryptography-related issues, WebView configurations, activities, Tapjacking, etc. have been found by using this tool.
How to Install QARK on Linux-based OS
Download the installer by using the below command
$git clone https://github.com/linkedin/qark
$cd qark
$pip install -r requirements.txt
$pip install . --user
To check whether the installation is proper or not
$qark
Usage
qark --apk <PATH-OF-APK-FILE>
I have used test mobile apk to run the scan to find a few security issues. "goatdroid.apk" is a test application available in "tests" directory.
Default report format is html type and you can open it on any browser.
While starting a security scan for apk file, I encountered the below error:
$qark --apk test.apk
Failed to extract zipped APK from /home/ubuntu/proj1/test.apk to /home/ubuntu/qark/build/qark
Traceback (most recent call last):
File "/home/ubuntu/.local/lib/python2.7/site-packages/qark/decompiler/decompiler.py", line 228, in unzip_file
zipped_apk.extractall(path=destination_to_unzip)
File "/usr/lib/python2.7/zipfile.py", line 1063, in extractall
self.extract(zipinfo, path, pwd)
File "/usr/lib/python2.7/zipfile.py", line 1051, in extract
return self._extract_member(member, path, pwd)
File "/usr/lib/python2.7/zipfile.py", line 1106, in _extract_member
file(targetpath, "wb") as target:
IOError: [Errno 13] Permission denied: '/home/ubuntu/qark/build/qark/AndroidManifest.xml'
Failed to extract zipped APKThis issue has been resolved by run that command using sudo, but other error has come
$sudo qark --apk test.apk
Decompiling...
/home/ubuntu/.local/lib/python2.7/site-packages/qark/decompiler/../lib/dex2jar-2.0/d2j_invoke.sh: 48: /home/ubuntu/.local/lib/python2.7/site-packages/qark/decompiler/../lib/dex2jar-2.0/d2j_invoke.sh: java: not found
Error running dex2jar command: /home/ubuntu/.local/lib/python2.7/site-packages/qark/decompiler/../lib/dex2jar-2.0/d2j-dex2jar.sh /home/ubuntu/qark/build/qark/classes.dex -o /home/ubuntu/qark/build/qark/test.jar
Error running dex2jarThe above issue is resolved just by installing openjdk
$sudo apt install openjdk-8-jre-headless
Conclusion
QARK is an awesome tool to start Android app security. This tool test specific security issues in the mobile app. As told in the beginning, you can use other tools also for static and dynamic analysis of mobile apps.
Subscribe us to receive more such articles updates in your email.
If you have any questions, feel free to ask in the comments section below. Nothing gives me greater joy than helping my readers!
Disclaimer: This tutorial is for educational purpose only. Individual is solely responsible for any illegal act.
Hi everyone,
How to create a custom apk using qark