2. WHO ARE WE?
PENETRATION TESTERS AT LINKEDIN
• TONY TRUMMER, STAFF INFORMATION SECURITY ENGINEER
• TUSHAR DALVI, SENIOR INFORMATION SECURITY ENGINEER
3. WHAT IS QARK?
QUICK ANDROID REVIEW KIT
AN AUDITING AND ATTACK FRAMEWORK
A PROGRESSION OF OTHER TOOLS/IDEAS
A PINCH OF INNOVATION
LOTS OF (HORRIBLY WRITTEN) PYTHON
6. MOTIVATION
WE’RE LAZY
OUR BOSS IS CRAZY
WE HAVE LOTS OF APPS TO PROTECT
DEVELOPERS ARE EVEN LAZIER THAN US
WE HATE REPEATING BUGS
LOTS OF SMALL DEV SHOPS (AKA NO SECURITY)
14. SOURCE TO SINK
FINDS SOURCES OF TAINTED INPUT
TRACKS POTENTIALLY TAINTED INPUT
RECORDS ANY “SINKS” ENCOUNTERED
STORES INFORMATION GATHERED ALONG WITH MANIFEST DETAILS FOR LATER USE
SECURITY MAGIC
15. QARK CHECKS
EXAMINES WEBVIEW CONFIGURATIONS AND PROVIDES TEMPLATED HTML FILES FOR VALIDATION OF VULNERABILITIES
LOOKS FOR COMMON X.509 CERTIFICATE VALIDATION ISSUES
LOOKS FOR VULNERABILITIES ORIGINATING FROM WITHIN THE APP, INSPECTING BROADCAST, STICKY AND PENDING INTENTS
LOOKS FOR EMBEDDED PRIVATE KEYS AND INCORRECTLY IMPLEMENTED CRYPTO ISSUES
LOOKS FOR WORLDREADABLE AND WORLDWRITEABLE FILES
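As an added example (not QARK's own code), the kinds of patterns the checks on this slide look for can be approximated with line-based rules over decompiled Java. The rule set, check names and sample source below are assumptions constructed for illustration.

```python
import re

# Constructed Java snippet for illustration; not taken from any real app.
SAMPLE_JAVA = '''\
WebSettings s = webView.getSettings();
s.setJavaScriptEnabled(true);
// s.setAllowUniversalAccessFromFileURLs(true);
s.setAllowFileAccessFromFileURLs(true);
sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
sendStickyBroadcast(new Intent("com.example.SYNC"));
Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
String k = "-----BEGIN RSA PRIVATE KEY-----";
openFileOutput("prefs", MODE_WORLD_READABLE);
Cipher ok = Cipher.getInstance("AES/GCM/NoPadding");
'''

# (check name, pattern, why it matters). This rule set is an assumption made
# for the example; it does not reproduce QARK's own rules.
RULES = [(name, re.compile(pattern), why) for name, pattern, why in [
    ("webview", r"setJavaScriptEnabled\(\s*true",
     "JavaScript enabled; confirm only trusted content is loaded"),
    ("webview", r"setAllow(?:Universal|File)AccessFromFileURLs\(\s*true",
     "file:// content may read other files or origins"),
    ("x509", r"ALLOW_ALL_HOSTNAME_VERIFIER",
     "hostname verification disabled for TLS"),
    ("intent", r"sendSticky(?:Ordered)?Broadcast\(",
     "sticky broadcasts are readable by any app"),
    ("crypto", r'Cipher\.getInstance\(\s*"[\w-]+/ECB/',
     "ECB mode leaks plaintext structure"),
    ("private-key", r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----",
     "private key embedded in the app"),
    ("file-mode", r"MODE_WORLD_(?:READABLE|WRITEABLE)",
     "file accessible to every app on the device"),
]]

def scan(source):
    """Return (line_number, check, reason) for each rule hit in Java source."""
    findings = []
    for number, line in enumerate(source.splitlines(), start=1):
        code = line.strip()
        if code.startswith(("//", "/*", "*")):  # ignore commented-out code
            continue
        for name, pattern, why in RULES:
            if pattern.search(code):
                findings.append((number, name, why))
    return findings

if __name__ == "__main__":
    for number, name, why in scan(SAMPLE_JAVA):
        print(f"line {number}: [{name}] {why}")
```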
17. UNIQUE FEATURES
USES MULTIPLE DECOMPILERS TO PROVIDE BETTER RESULTS
BUILDS AN APK FOR MANUAL TESTING
CONTAINS SWISS-ARMY KNIFE STYLE SET OF FUNCTIONALITIES
CREATES ADB COMMANDS TO EXPLOIT DISCOVERED VULNERABILITIES
CREATES CUSTOM EXPLOIT APK FOR POINT-AND-CLICK PWNAGE
18. QARK IS NOT (YET)
A FORENSICS TOOL
A DYNAMIC ANALYSIS TOOL
PERFECT
FINISHED
19. FUTURE PLANS
DYNAMIC ANALYSIS FUNCTIONALITY
SMALI INSPECTION
NON-ANDROID SPECIFIC JAVA VULNS
ODEX SUPPORT
IMPROVE EXTENSIBILITY
ASK FOR YOUR HELP
20. ACKNOWLEDGEMENTS
MWR LABS: DROZER
RAFAY BALOCH, ET AL., FOR THE WEBVIEW EXPLOITS
NVISIUM: TAPJACKING CODE
THE AUTHORS AND MAINTAINERS OF ALL THE OPEN SOURCE PROJECTS USED IN QARK
JASON HADDIX, SAM BOWNE, ET AL., FOR SUPPLYING SOME VULNERABLE APKS