An Open Source Tool to Improve Android Application Security
August 17, 2015
Last week, at DefCon 23 and BlackHat USA 2015, LinkedIn's House Security team announced the release of an alpha version of QARK, the Quick Android Review Kit, a new open-source project aimed at improving Android application security.
Tushar Dalvi and I originally conceived of and created QARK outside of our normal House Security development processes. QARK was developed as part of our internal “HackDay” events, when employees take the day to work on anything they want. This is part of the reason you will find that QARK attempts to review applications in a manner meant to emulate the human review process, more so than a rigorous scientific approach.
What is QARK?
At its core, QARK is a static code analysis tool, designed to recognize potential security vulnerabilities and points of concern in Java-based Android applications. QARK was designed to be community-based, available to everyone and free to use. QARK educates developers and information security personnel about potential risks related to Android application security, providing clear descriptions of issues and links to authoritative reference sources. QARK also attempts to provide dynamically generated ADB (Android Debug Bridge) commands to aid in the validation of the potential vulnerabilities it detects. Whenever possible, it will even dynamically create a custom-built testing application, in the form of a ready-to-use APK, designed specifically to demonstrate the potential issues it discovers.
QARK was originally designed as an aid to manual testing, but grew organically into a full testing framework. While many organizations will find QARK useful, we recommend that organizations continue to perform manual security reviews of their applications for three key reasons: first, there are classes of vulnerabilities which are not discoverable through static code analysis; second, the supporting server-side APIs still need to be reviewed; third, no tool is perfect.
How It Works
Along with the customized tests, the testing application generated by QARK provides many features useful for enhancing manual security testing of Android applications.
QARK's features include:
- Simple installation and setup
- An extremely simple interactive command line interface
- Robust output detailing potential issues, including links to “Learn More”
- A headless mode for easy integration into any organization’s SDLC (Software Development Lifecycle)
- Reporting functionality for historical tracking of issues
- The ability to inspect raw Java source or compiled APKs
- Version-specific results for the API versions supported
- Parsing of the AndroidManifest.xml to locate potential issues
- Source to sink mapping; following potentially tainted flows through the Java source code
- Automatic issue validation via dynamically generated ADB commands or a custom APK
Given that reviewing an APK gives the truest view of an application, including every bundled library and exactly what the build process produces, QARK completely automates APK retrieval, decompilation of the APK and extraction of a human-readable manifest file. When operating on a compiled APK, a single decompiler may fail to accurately recreate the original source. QARK therefore runs multiple decompilers and merges their results to create the best possible recreation of the original source, improving on what any one decompiler would accomplish by itself.
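As an added illustration of the kind of manifest check described above (example code written for this post, not QARK's own implementation), the following Python snippet parses a constructed AndroidManifest.xml, applies the platform's default export rules to find components reachable by other apps, reports those with no android:permission guarding them, and, in the spirit of QARK's generated ADB commands, suggests the adb command a reviewer would run to confirm an exported activity is reachable. The sample manifest, package name and component names are all made up for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest (not from any real application) covering the
# common cases: implicit export via intent-filter, explicit export with and
# without a permission, an explicitly private service and a legacy provider.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <uses-sdk android:minSdkVersion="15" android:targetSdkVersion="22"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DebugActivity" android:exported="true"/>
    <activity android:name=".SettingsActivity" android:exported="true"
              android:permission="com.example.demo.ADMIN"/>
    <service android:name=".SyncService" android:exported="false"/>
    <receiver android:name=".PushReceiver">
      <intent-filter>
        <action android:name="com.example.demo.PUSH"/>
      </intent-filter>
    </receiver>
    <provider android:name=".DataProvider"
              android:authorities="com.example.demo.data"/>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace (ElementTree uses Clark notation)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(elem, min_sdk):
    """Apply the platform defaults when android:exported is not declared."""
    explicit = _attr(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if elem.tag == "provider":
        # Content providers were exported by default before API level 17.
        return min_sdk < 17
    # Other components default to exported only when they declare an intent-filter.
    return elem.find("intent-filter") is not None


def find_exported_components(manifest_xml):
    """Return every component other apps can reach, with its guarding permission (if any)."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    uses_sdk = root.find("uses-sdk")
    min_sdk = int(_attr(uses_sdk, "minSdkVersion") or 1) if uses_sdk is not None else 1
    findings = []
    for elem in root.find("application"):
        if elem.tag not in COMPONENT_TAGS or not is_exported(elem, min_sdk):
            continue
        name = _attr(elem, "name")
        if name.startswith("."):          # expand the shorthand relative class name
            name = package + name
        findings.append({
            "type": elem.tag,
            "package": package,
            "name": name,
            "permission": _attr(elem, "permission"),
        })
    return findings


def unprotected_components(manifest_xml):
    """Exported components with no android:permission: the ones worth a closer look."""
    return [f for f in find_exported_components(manifest_xml) if f["permission"] is None]


def adb_validation_command(finding):
    """Suggest the adb invocation that confirms an exported activity is reachable."""
    if finding["type"] != "activity":
        return None
    return "adb shell am start -n %s/%s" % (finding["package"], finding["name"])


if __name__ == "__main__":
    for f in unprotected_components(SAMPLE_MANIFEST):
        print("%-8s %s" % (f["type"], f["name"]))
        cmd = adb_validation_command(f)
        if cmd:
            print("         validate with: " + cmd)
```

The launcher activity shows up as exported because it must be; a real tool would rank it below the other hits, which is a reminder that a manifest finding is a lead for a human reviewer rather than a confirmed vulnerability.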
Why Open-Source?
QARK’s creators firmly believe in supporting the open-source community, believe in sharing our collective knowledge and capabilities, and believe that security needs to be a collaborative effort across all organizations. Helping to improve Android security ultimately helps us all.
What’s Next for QARK
QARK will be undergoing very active development in the days and weeks to come. These improvements are specifically designed to minimize false positives and false negatives, complete the ability to automatically verify additional vulnerabilities via the testing APK it creates, implement important capability enhancements and bug fixes and, finally, add support for Windows operating systems, as only Mac and Linux are currently supported. We encourage users to pull from our GitHub repo, using a Git client, so they can easily keep their code up to date with these improvements. If you decide instead to download an untracked copy, please check back frequently to download an updated version (especially in the early days as the project is gaining momentum) to get all the latest features and bug fixes.
We are actively soliciting contributions to improve QARK. If you would like to contribute by alerting us to a vulnerability, correcting any of our detection rules, improving the underlying code or libraries, making QARK more extensible or perform better in any way, please either submit your feedback on GitHub or feel free to connect with us on LinkedIn! We hope you enjoy using QARK and look forward to helping make the Android ecosystem a safer place!
You can find the slides from our DefCon presentation here.
Licensing
QARK is being open-sourced under the Apache 2.0 license.