Qark DefCon 23


These are the slides from our presentation at DefCon 23

  1. QARK
  2. Who are we? Penetration testers at LinkedIn
     - Tony Trummer, Staff Information Security Engineer
     - Tushar Dalvi, Senior Information Security Engineer
  3. What is QARK? Quick Android Review Kit
     - An auditing and attack framework
     - A progression of other tools/ideas
     - A pinch of innovation
     - Lots of (horribly written) Python
  4. QARK's mission
     - Raise the bar
     - Share knowledge
     - Community involvement
     - Motivate others
  5. Android issues
     - Fragmentation
     - Users don't update
     - Improper TLS, if any
     - Numerous tainted sources
     - Client-side fail: no one will know
  6. Motivation
     - We're lazy
     - Our boss is crazy
     - We have lots of apps to protect
     - Developers are even lazier than us
     - We hate repeating bugs
     - Lots of small dev shops (aka no security)
  7. Under the hood
     - Parsing: plyj, BeautifulSoup, minidom
     - Reversing: Procyon, JD-Core, CFR, dex2jar, apktool
     - Code: Python
     - Tools and building: Android SDK
  8. APK structure: an APK contains resources.arsc, /res, AndroidManifest.xml, classes.dex, /META-INF, /lib and /assets
  9. Reversing APKs
     - Get the manifest: apktool d foo.apk
     - Unzip the APK: rename the APK to .zip and unzip it
     - Dalvik bytecode to Java bytecode: dex2jar classes.dex
     - Java bytecode to raw Java files: JD-GUI
  10. Acquisition
     - Simplifies APK retrieval from devices
     - Decompresses the APK
     - Converts AndroidManifest.xml to text
     - Parses AndroidManifest.xml
     - Finds permissions issues
     - Finds exported components, supported versions, etc.
  11. Communication sources
     - WebViews
     - Intents
     - Network requests
     - Deep link URLs
     - AIDL messages
  12. Components and their entry points
     - Activity: onCreate(), onStart(), onResume(), onPause(), onStop(), onDestroy(), onRestart()
     - Service: onCreate(), onBind(), onStartCommand(), onUnbind(), onDestroy()
     - Provider: onCreate()
     - Receiver: onReceive()
  13. Parse structure
     - Maps manifest to classes
     - Parses Java classes
     - Locates "entry point" methods
  14. Source to sink
     - Finds sources of tainted input
     - Tracks potentially tainted input
     - Records any "sinks" encountered
     - Stores information gathered along with manifest details for later use
     - Security magic
  15. QARK checks
     - Examines WebView configurations and provides templated HTML files for validation of vulnerabilities
     - Looks for common X.509 certificate validation issues
     - Looks for vulnerabilities originating from within the app, inspecting broadcast, sticky and pending intents
     - Looks for embedded private keys and incorrectly implemented crypto
     - Looks for world-readable and world-writeable files
  16. Demo time!!
  17. Unique features
     - Uses multiple decompilers to provide better results
     - Builds an APK for manual testing
     - Contains a Swiss-army-knife style set of functionalities
     - Creates ADB commands to exploit discovered vulnerabilities
     - Creates a custom exploit APK for point-and-click pwnage
  18. QARK is NOT (yet)
     - A forensics tool
     - A dynamic analysis tool
     - Perfect
     - Finished
  19. Future plans
     - Dynamic analysis functionality
     - Smali inspection
     - Non-Android-specific Java vulns
     - ODEX support
     - Improve extensibility
     - Ask for your help
  20. Acknowledgements
     - MWR Labs: drozer
     - Rafay Baloch, et al., for the WebView exploits
     - nVisium: tapjacking code
     - The authors and maintainers of all the open-source projects used in QARK
     - Jason Haddix, Sam Bowne, et al., for supplying some vulnerable APKs
  21. Contact info: www.secbro.com
     - Tony Trummer: www.linkedin.com/in/tonytrummer, @SecBro1
     - Tushar Dalvi: www.linkedin.com/in/tdalvi, @tushardalvi
  22. Where to get QARK? LinkedIn's git repo: https://github.com/linkedin/qark
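Slide 10 says QARK parses AndroidManifest.xml to find exported components and supported versions. The Python below is an added example, not QARK's code, that shows what such a check looks like over a constructed manifest. It applies the manifest rules as documented by Android: a component is exported when android:exported is "true"; when the attribute is absent, an intent-filter implies exported (the default before Android 12), and a provider defaults to exported when minSdkVersion or targetSdkVersion is 16 or lower. It then lists exported components that carry no android:permission, skipping the launcher activity, which is expected to be reachable. The package name, component names and permission string are made up for the example.

```python
"""Added example: find exported components in an AndroidManifest.xml.

Not QARK's code; it mirrors the check slide 10 describes.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")
LAUNCHER = "android.intent.category.LAUNCHER"

# Constructed sample manifest (package and component names are made up).
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <uses-sdk android:minSdkVersion="14" android:targetSdkVersion="22"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="demo"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.demo.SYNC"/>
    <receiver android:name=".BootReceiver" android:exported="false">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <provider android:name=".DataProvider"
              android:authorities="com.example.demo.data"
              android:exported="true"/>
    <provider android:name=".LegacyProvider"
              android:authorities="com.example.demo.legacy"/>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace (None if absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def supported_versions(manifest_xml):
    """Return (minSdkVersion, targetSdkVersion) as ints, None where unset."""
    sdk = ET.fromstring(manifest_xml).find("uses-sdk")
    if sdk is None:
        return None, None
    vals = [_attr(sdk, n) for n in ("minSdkVersion", "targetSdkVersion")]
    return tuple(int(v) if v is not None else None for v in vals)


def find_exported_components(manifest_xml):
    """List components other apps can reach, with the reason each is exported."""
    root = ET.fromstring(manifest_xml)
    min_sdk, target_sdk = supported_versions(manifest_xml)
    found = []
    for tag in COMPONENT_TAGS:
        for comp in root.find("application").findall(tag):
            explicit = _attr(comp, "exported")
            has_filter = comp.find("intent-filter") is not None
            if explicit is not None:
                exported = explicit.lower() == "true"
                reason = 'android:exported="%s"' % explicit
            elif tag == "provider":
                # Providers default to exported when min or target SDK is <= 16.
                exported = any(v is not None and v <= 16 for v in (min_sdk, target_sdk))
                reason = "provider default for SDK <= 16"
            else:
                # Pre-Android-12 default: an intent-filter implies exported.
                exported = has_filter
                reason = "implied by intent-filter"
            if exported:
                found.append({
                    "type": tag,
                    "name": _attr(comp, "name"),
                    "permission": _attr(comp, "permission"),
                    "launcher": any(_attr(c, "name") == LAUNCHER
                                    for c in comp.iter("category")),
                    "reason": reason,
                })
    return found


def unguarded_exported(manifest_xml):
    """Names of exported components with no android:permission (launcher excluded)."""
    return [c["name"] for c in find_exported_components(manifest_xml)
            if c["permission"] is None and not c["launcher"]]


if __name__ == "__main__":
    for c in find_exported_components(SAMPLE_MANIFEST):
        print("%-8s %-18s perm=%-22s %s" % (c["type"], c["name"], c["permission"], c["reason"]))
    print("unguarded:", unguarded_exported(SAMPLE_MANIFEST))
```

On the sample, the deep-link activity and both providers come out as exported with no permission guard; the service is exported but guarded, and the receiver is explicitly not exported. In practice the manifest fed to this parser is the one apktool produces (slide 9), since the manifest inside the APK is binary XML.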
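Slide 15 lists the source-level checks QARK runs once the APK has been decompiled. As an added example that is not QARK's code, the Python below runs a small set of regex detectors over a constructed Java file and reports each hit with its line number and why it matters: a WebView with JavaScript enabled and a JavaScript interface, a world-readable or world-writeable file mode, an X509TrustManager whose checkServerTrusted body is empty, a HostnameVerifier that always returns true, a Cipher set to ECB or single DES, and an embedded PEM private key. The rule names and the Demo class are my own; the regexes are deliberately simple and will miss variants (a trust manager that catches and swallows the exception, for instance), which is why a tool like QARK parses the Java rather than grepping it.

```python
"""Added example: regex-based checks over Java source, in the spirit of slide 15.

Not QARK's code. Rule names are my own; the Java sample is constructed.
"""
import re

# (rule id, pattern, why it matters). Patterns run over the whole file text.
RULES = [
    ("webview_js_enabled", r"setJavaScriptEnabled\s*\(\s*true\s*\)",
     "JavaScript enabled in a WebView; review what content it can load"),
    ("webview_js_interface", r"\.addJavascriptInterface\s*\(",
     "Java object exposed to page JavaScript (code execution on targetSdk < 17)"),
    ("world_readable_file", r"MODE_WORLD_(?:READABLE|WRITEABLE)",
     "file created readable/writeable by every app on the device"),
    ("trust_all_certs", r"checkServerTrusted\s*\([^)]*\)[^{;]*\{\s*\}",
     "empty checkServerTrusted accepts any server certificate"),
    ("trust_all_hosts", r"\bverify\s*\([^)]*\)[^{;]*\{\s*return\s+true\s*;\s*\}",
     "HostnameVerifier that accepts every hostname"),
    ("ecb_or_des_cipher", r'Cipher\.getInstance\s*\(\s*"(?:DES\b[^"]*|AES(?:/ECB[^"]*)?)"',
     'ECB mode (the default for a bare "AES") or single DES'),
    ("embedded_private_key", r"-----BEGIN (?:RSA |EC |DSA )?PRIVATE KEY-----",
     "PEM private key embedded in the app"),
]
COMPILED = [(rid, re.compile(pat), why) for rid, pat, why in RULES]

# Constructed Java sample for this example; every flagged line is deliberately bad.
SAMPLE_JAVA = """\
public class Demo {
  void setup(WebView wv) {
    wv.getSettings().setJavaScriptEnabled(true);
    wv.addJavascriptInterface(new Bridge(), "bridge");
  }
  void store(Context c) throws Exception {
    c.openFileOutput("token", Context.MODE_WORLD_READABLE);
  }
  TrustManager tm = new X509TrustManager() {
    public void checkServerTrusted(X509Certificate[] chain, String authType) { }
    public void checkClientTrusted(X509Certificate[] chain, String authType) { }
    public X509Certificate[] getAcceptedIssuers() { return null; }
  };
  HostnameVerifier hv = new HostnameVerifier() {
    public boolean verify(String h, SSLSession s) { return true; }
  };
  Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
}
"""


def scan_java(source):
    """Return findings as dicts sorted by line: rule, line, matched text, why."""
    findings = []
    for rid, rx, why in COMPILED:
        for m in rx.finditer(source):
            line = source.count("\n", 0, m.start()) + 1
            findings.append({"rule": rid, "line": line,
                             "match": m.group(0).split("\n")[0].strip(), "why": why})
    findings.sort(key=lambda f: (f["line"], f["rule"]))
    return findings


def scan_file(path):
    """Convenience wrapper for a .java file on disk (e.g. decompiler output)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_java(fh.read())


if __name__ == "__main__":
    for f in scan_java(SAMPLE_JAVA):
        print("line %2d  %-22s %s" % (f["line"], f["rule"], f["why"]))
```

Run over the output directory of one of the decompilers from slide 7 (for example with scan_file on each .java file), this gives a first triage list; the WebView and trust-manager hits are the ones to confirm by hand, because whether they are exploitable depends on targetSdkVersion and on what the WebView actually loads.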