Transcript of QARK - Black Hat slides
QARK
WHO are we?
Penetration Testers at LinkedIn
• Tony Trummer, Staff Information Security Engineer
• Tushar Dalvi, Senior Information Security Engineer
APK Structure
• resources.arsc: pre-compiled resources; binary XML
• /res: resources not in resources.arsc (images, layouts)
• AndroidManifest.xml: permissions, component exporting, name, version, etc.
• classes.dex: Dalvik bytecode
• /META-INF: MANIFEST.MF, CERT.RSA, CERT.SF
• /lib: processor-specific, compiled C/C++ libraries
• /assets: fonts, file resources; loaded via AssetManager
REVERSING APKs
• Get Manifest: apktool d foo.apk
• Unzip APK: change .apk to .zip; unzip foo.zip
• Dalvik bytecode to Java bytecode: dex2jar classes.dex
• Java bytecode to Java class files: JD-GUI; Save all classes
COMPONENTS
Activity: onCreate(), onStart(), onResume(), onPause(), onStop(), onDestroy(), onRestart()
Service: onCreate(), onBind(), onStartCommand(), onUnbind(), onDestroy()
Provider: query(), update(), delete(), insert()
Receiver: onReceive()
COMMUNICATION
How an APK communicates:
• WebViews
• Intents
• Network Requests
• Deeplink URLs
• Binder
• AIDL
ANDROID ISSUES
Many sources – all the web bugs ++
SSL/TLS fail – no ssl/tls & cert validation
Lots of old devices – slow updating
client-side fail – no one will ever know…
WHAT IS QARK?
Quick Android Review Kit
An improvement on other ideas/tools
Lots of (horribly written) Python
A pinch of innovation
An auditing and attack framework
QARK MOTIVATION
We’re lazy
Our boss is lazy
Developers are extremely lazy and ignore warnings
We don’t like (hate) repeating bugs
We have lots of apps to protect
Lots of small dev shops (aka no security)
QARK’s mission
Raise the bar for Android security
Knowledge sharing
Free SCA with validation
Community involvement
Motivate Google?
UNDER THE HOOD
Parsing: PLYJ, BeautifulSoup, Minidom
Reversing: Procyon, JD-CORE, dex2jar, apktool
Code: Python
Tools & Building: ANDROID SDK
DATA ACQUISITION
Automates APK retrieval
Decompresses APK
Converts AndroidManifest.xml to text
Parses AndroidManifest.xml
PARSE STRUCTURE
Identifies permissions issues, exported components, supported versions, etc.
Parses Java classes
Maps Manifest to classes
Locates “entry point” methods
Looks for sources of user-supplied data
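The manifest step of the data-acquisition and parse-structure slides, as an added example (not QARK's own code): a minidom-based pass over a text AndroidManifest.xml that applies Android's default-export rules and lists exported components that no permission protects. The sample manifest and all component names in it are constructed for this illustration.

```python
import xml.dom.minidom

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENTS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest, already converted from binary XML to text
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <uses-sdk android:minSdkVersion="15" android:targetSdkVersion="22"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity" android:exported="true"
              android:permission="com.example.demo.PERM"/>
    <service android:name=".SyncService"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <provider android:name=".DataProvider" android:authorities="com.example.demo.data"/>
  </application>
</manifest>"""

def attr(node, name):
    """Read an android:-namespaced attribute; None when absent."""
    return node.getAttributeNS(ANDROID_NS, name) or None

def is_exported(node, min_sdk):
    """Apply the platform default when android:exported is not set."""
    explicit = attr(node, "exported")
    if explicit is not None:
        return explicit == "true"
    if node.tagName == "provider":
        return min_sdk < 17   # providers defaulted to exported before API 17
    return node.getElementsByTagName("intent-filter").length > 0

def exported_components(manifest_xml):
    """Return (tag, name, permission) for every externally reachable component."""
    doc = xml.dom.minidom.parseString(manifest_xml)
    sdk = doc.getElementsByTagName("uses-sdk")
    min_sdk = int(attr(sdk[0], "minSdkVersion") or 1) if sdk else 1
    return [(tag, attr(n, "name"), attr(n, "permission"))
            for tag in COMPONENTS for n in doc.getElementsByTagName(tag)
            if is_exported(n, min_sdk)]

def unprotected_exports(manifest_xml):
    """Exported components reachable by any app without holding a permission."""
    return [name for _, name, perm in exported_components(manifest_xml) if perm is None]
```

The launcher activity and the receiver are exported only because they carry intent filters, and the provider only because minSdkVersion is below 17; raising minSdkVersion or adding android:exported="false" removes them from the list.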
SOURCE TO SINK
Follow potentially tainted input
Look for modifiers
Record any “sinks” encountered
REVIEW COMMS
Combines the information gathered with manifest details for later use
Examines WebView configurations and provides templated HTML files for validation of vulnerabilities
Looks for vulnerabilities originating from within the app, inspecting Broadcast, Sticky and Pending Intents
FINAL CHECKS
Looks for WORLDREADABLE and WORLDWRITEABLE files
Looks for tapjacking defenses
Looks for X.509 certificate validation issues
Creates a “deliverable” HTML report of findings
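Two of the final checks above (world-accessible file modes and X.509 validation that accepts any chain) as an added detection example over decompiled Java source; this is illustrative code, not QARK's own scanner, and the Java snippet is constructed for the example.

```python
import re

# Constructed decompiled-Java snippet containing the defects the final checks target
SAMPLE_JAVA = """
public class Net {
    void save(Context ctx) {
        FileOutputStream f = ctx.openFileOutput("cache.db", Context.MODE_WORLD_READABLE);
    }
    TrustManager[] tm = new TrustManager[] { new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] c, String a) { }
        public void checkServerTrusted(X509Certificate[] c, String a) {
            // no validation
        }
        public X509Certificate[] getAcceptedIssuers() { return null; }
    } };
    HostnameVerifier hv = SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER;
}
"""

# (pattern, finding label); the body pattern only matches a checkServerTrusted
# whose block holds nothing but whitespace and line comments
CHECKS = [
    (re.compile(r"MODE_WORLD_(READABLE|WRITEABLE)"), "world-accessible file mode"),
    (re.compile(r"checkServerTrusted\s*\([^)]*\)\s*(throws[^{]*)?\{\s*(//[^\n]*\s*)*\}"),
     "empty checkServerTrusted (no X.509 chain validation)"),
    (re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER"), "hostname verification disabled"),
]

def scan_java(src):
    """Return sorted (line_number, label) findings for one decompiled source file."""
    findings = []
    for pattern, label in CHECKS:
        for m in pattern.finditer(src):
            line = src.count("\n", 0, m.start()) + 1
            findings.append((line, label))
    return sorted(findings)
```

A checkServerTrusted that actually calls into a validator is not flagged, so the check reports the empty-body pattern rather than every custom TrustManager.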
DEMO TIME !!
UNIQUE FEATURES
Multiple decompilers to provide better results
Builds an APK for manual testing
Swiss-army-knife style set of functionalities
creates ADB commands to exploit discovered vulnerabilities
custom exploit APK facilitates point-and-click pwnage
QARK Is (NOT) YET
A Forensics Tool
A DYNAMIC ANALYSIS TOOL
PERFECT
FINISHED
FUTURE PLANS
Dynamic analysis functionality
Contribute to improve libraries and tools
Handle obfuscated code
Smali inspection
Native code support
Ask for your help
WHERE TO GET QARK?
LinkedIn’s Git repo
https://github.com/linkedin/qark
ACKNOWLEDGEMENTS
MWR Labs for Drozer (inspiration)
Rafay Baloch, et al, for the WebView exploits
NVisium for the TapJacking code
The authors and maintainers of all the opensource projects used in QARK
Jason Haddix, Sam Bowne, et al, for supplying some vulnerable APKs
CONTACT INFO
www.secbro.com
• Tony Trummer: www.linkedin.com/in/tonytrummer, @SecBro1
• Tushar Dalvi: www.linkedin.com/in/tdalvi, @tushardalvi