QARK - Free Android App Scanner to find Security Vulnerabilities
QARK (Quick Android Review Kit) is a free Android app scanner for finding security vulnerabilities. The tool can extract the source code from an APK file and list the security vulnerabilities it finds. It is not a comprehensive tool, but it is one of the tools that provides good observations and issues for an Android APK.
Vulnerabilities related to exported components, intents, improper X.509 certificate validation, configuration related to files, activities, private keys embedded in the source, cryptography related issues, WebView configurations, tapjacking, etc. have been found by using this tool.
How to Install QARK on Linux based OS
Download and install QARK using the commands below:
$ git clone https://github.com/linkedin/qark
$ cd qark
$ pip install -r requirements.txt
$ pip install .
To check whether the installation is proper or not
I have used a test mobile APK to run the scan and find a few security issues. "goatdroid.apk" is a test application available in the "tests" directory.
The default report format is HTML, and you can open it in any browser.
While starting a security scan of an APK file, I encountered the error below:
Failed to extract zipped APK from /home/ubuntu/proj1/test.apk to /home/ubuntu/qark/build/qark
Traceback (most recent call last):
  File "/home/ubuntu/.local/lib/python2.7/site-packages/qark/decompiler/decompiler.py", line 228, in unzip_file
    zipped_apk.extractall(path=destination_to_unzip)
  File "/usr/lib/python2.7/zipfile.py", line 1063, in extractall
    self.extract(zipinfo, path, pwd)
  File "/usr/lib/python2.7/zipfile.py", line 1051, in extract
    return self._extract_member(member, path, pwd)
  File "/usr/lib/python2.7/zipfile.py", line 1106, in _extract_member
    file(targetpath, "wb") as target:
IOError: [Errno 13] Permission denied: '/home/ubuntu/qark/build/qark/AndroidManifest.xml'
Failed to extract zipped APK
This issue was resolved by running that command with sudo, but another error then appeared:
Decompiling...
/home/ubuntu/.local/lib/python2.7/site-packages/qark/decompiler/../lib/dex2jar-2.0/d2j_invoke.sh: 48: /home/ubuntu/.local/lib/python2.7/site-packages/qark/decompiler/../lib/dex2jar-2.0/d2j_invoke.sh: java: not found
Error running dex2jar command: /home/ubuntu/.local/lib/python2.7/site-packages/qark/decompiler/../lib/dex2jar-2.0/d2j-dex2jar.sh /home/ubuntu/qark/build/qark/classes.dex -o /home/ubuntu/qark/build/qark/test.jar
Error running dex2jar
The above issue is resolved just by installing OpenJDK:
$ sudo apt install openjdk-8-jre-headless
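Both failures shown above (the unwritable build directory and the missing `java` binary) can be detected before a scan starts. The preflight script below is an added example, not part of the original article or of the QARK project; the function names and the build directory argument are assumptions.

```sh
#!/bin/sh
# Added example: preflight checks for the two scan failures shown above.
# Function names are hypothetical; pass the directory QARK will extract into
# (in the error above that was /home/ubuntu/qark/build/qark).

# Return 0 if a Java runtime is on PATH. dex2jar's d2j_invoke.sh calls "java"
# directly, which is what produced "java: not found".
check_java() {
    command -v java >/dev/null 2>&1
}

# Return 0 if the current user can create files in build directory $1
# (creating it if needed). A real write probe is used instead of [ -w ],
# which always succeeds for root.
check_build_dir() {
    dir=$1
    mkdir -p "$dir" 2>/dev/null || return 1
    probe="$dir/.qark_write_probe.$$"
    # Subshell: a failed redirection must not terminate the calling shell.
    ( : > "$probe" ) 2>/dev/null || return 1
    rm -f "$probe"
}

# Run both checks, report what to fix on stderr, and return the number of
# failed checks (0 means the scan can run as the current, unprivileged user).
qark_preflight() {
    failures=0
    if ! check_build_dir "$1"; then
        printf 'build directory not writable by %s: %s\n' "$(id -un)" "$1" >&2
        failures=$((failures + 1))
    fi
    if ! check_java; then
        printf 'java not found on PATH; install a JRE such as openjdk-8-jre-headless\n' >&2
        failures=$((failures + 1))
    fi
    return "$failures"
}

# Usage: qark_preflight "$PWD/build/qark" && echo "ready to scan"
```

A zero return value means the scan can be started as the current user, so the APK under test does not have to be unpacked and decompiled with root privileges.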
QARK is an awesome tool for getting started with Android app security. It tests for specific security issues in the mobile app. As mentioned at the beginning, you can also use other tools for static and dynamic analysis.
Disclaimer: This tutorial is for educational purposes only. The individual is solely responsible for any illegal act.