Comments (4)
SecBro1
commented on August 18, 2024
This check should only alert when there is a custom permission defined. If you are seeing something else, please indicate which app you are scanning that provides a false positive.
from qark.
mabdi
commented on August 18, 2024
my app's manifest is sth like this:
<?xml version="1.0" encoding="utf-8" standalone="no"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.foobar.PushNotify">
<application android:debuggable="true" android:icon="@drawable/_app_icon" android:label="@string/app_name" android:name="com.foobar.PushNotify.Controller" android:theme="@style/AppTheme">
<activity android:label="@string/app_caption" android:name="com.foobar.PushNotify.Registration" android:theme="@android:style/Theme.NoTitleBar.Fullscreen">
<intent-filter>
<action android:name="android.intent.action.MAIN"/>
<category android:name="android.intent.category.LAUNCHER"/>
</intent-filter>
<intent-filter>
<action android:name="android.intent.action.VIEW"/>
<action android:name="android.intent.action.DELETE"/>
<category android:name="android.intent.category.DEFAULT"/>
<data android:scheme="com.idrivecare.familypro"/>
</intent-filter>
</activity>
<activity android:configChanges="keyboardHidden|orientation" android:label="@string/app_caption" android:name="com.foobar.PushNotify.MyActivity" android:theme="@android:style/Theme.NoTitleBar.Fullscreen"/>
<activity android:configChanges="keyboardHidden|orientation" android:label="@string/app_caption" android:name="com.foobar.PushNotify.OtpVerify" android:theme="@android:style/Theme.NoTitleBar.Fullscreen"/>
<receiver android:name="com.google.android.gcm.GCMBroadcastReceiver" android:permission="com.google.android.c2dm.permission.SEND">
<intent-filter>
<action android:name="com.google.android.c2dm.intent.RECEIVE"/>
<action android:name="com.google.android.c2dm.intent.REGISTRATION"/>
<category android:name="com.androidexample.gcm"/>
</intent-filter>
</receiver>
<service android:name="com.foobar.PushNotify.GCMIntentService"/>
</application>
<uses-permission android:name="android.permission.INTERNET"/>
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
<uses-permission android:name="android.permission.WAKE_LOCK"/>
<permission android:name="com.foobar.PushNotify.permission.C2D_MESSAGE" android:protectionLevel="signature"/>
<uses-permission android:name="com.foobar.PushNotify.permission.C2D_MESSAGE"/>
<uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/>
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
<uses-permission android:name="android.permission.VIBRATE"/>
</manifest>
and qark result:
INFO - Determined minimum SDK version to be:8
WARNING - Logs are world readable on pre-4.1 devices. A malicious app could potentially retrieve sensitive data from the logs.
INFO - Setting maxSdkVersion not recommended, unless you explicitly want to prevent use on newer versions.
ISSUES - APP COMPONENT ATTACK SURFACE
WARNING - The backup element is not specified in the manifest, which therefore defaults to true. Potential for data theft via local attacks via adb backup, if the device has USB debugging enabled (not common). More info: http://developer.android.com/reference/android/R.attr.html#allowBackup
POTENTIAL VULNERABILITY - The android:debuggable flag is manually set to true in the AndroidManifest.xml. This will cause your application to be debuggable in production builds and can result in data leakage and other security issues. It is not necessary to set the android:debuggable flag in the manifest, it will be set appropriately automatically by the tools. More info: http://developer.android.com/guide/topics/manifest/application-element.html#debug
INFO - Checking provider
INFO - Checking activity
WARNING - The following activity are exported, but not protected by any permissions. Failing to protect activity could leave them vulnerable to attack by malicious apps. The activity should be reviewed for vulnerabilities, such as injection and information leakage.
com.foobar.PayamResan.Registration
INFO - Checking activity-alias
INFO - Checking services
INFO - Checking receivers
POTENTIAL VULNERABILITY - The following receiver are exported and protected by a permission, but the permission can be obtained by malicious apps installed prior to this one. More info: https://github.com/commonsguy/cwac-security/blob/master/PERMS.md. Failing to protect receiver could leave them vulnerable to attack by malicious apps. The receiver should be reviewed for vulnerabilities, such as injection and information leakage.
com.google.android.gcm.GCMBroadcastReceiver
com.google.android.c2dm.permission.SEND
from qark.
mabdi
commented on August 18, 2024
We have a permission define, but defined permission is not used for this receiver.
<permission android:name="com.foobar.PushNotify.permission.C2D_MESSAGE" android:protectionLevel="signature"/>
<receiver android:name="com.google.android.gcm.GCMBroadcastReceiver" android:permission="com.google.android.c2dm.permission.SEND">
from qark.
nwalsh-lnk
commented on August 18, 2024
We have just pushed a new version of QARK that solves a lot of problems and enhances the code.
As a result we will be closing out all tickets for the older version since we no longer support it. If this issue persists in the new version please create a new ticket.
from qark.
Related Issues (20)
- Improper x.509 certificate validation in extensions of X509TrustManager with general conditions
- Improper x.509 certificate validation in extensions of X509TrustManager with Specific conditions
- can not install qark.
- Dex not supported
- Exported component not found because of code logic
- RecursionError: maximum recursion depth exceeded in comparison HOT 4
- 'xml.etree.ElementTree.Element' object has no attribute 'getchildren' HOT 1
- Failed to run APKTool HOT 4
- lesterdeMacBook-Pro% qark --help zsh: permission denied: qark
- exploit-apk not working on windows
- ImportError: No module named termios
- Error running dex2jar command HOT 1
- npm run generate error
- Broken logic since multidex
- 'qark' is not recognized as an internal or external command HOT 1
- Traceback error fix ?
- FAILURE: Build failed with an exception.
- Could not determine java version from '17.0.6'.
- Problem in Installing Qark requirements HOT 2
- Which is the latest working commit?
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from qark.