
qark's Issues

'Inappropriate ioctl for device'

When I run qark from Windows with plink.exe (Putty Tools)

------------QARK.bat-------------------
"%~dp0pscp.exe" -l %Username% -pw %Password% -C "%PathAPK%" %Server%:"/tmp/%FileApk%%Timestamp%.apk"
"%~dp0pscp.exe" -l %Username% -pw %Password% -C "qark.sh" %Server%:"%DirApp%/qark.sh"
"%~dp0plink.exe" -P 22 -ssh -l %Username% -pw %Password% -C %Server% "cd '%DirApp%' ; chmod 755 ./qark.sh ; ./qark.sh '%DirApp%' '%FileApk%%Timestamp%'"
"%~dp0plink.exe" -P 22 -ssh -l %Username% -pw %Password% -C %Server% "cd '%DirApp%' ; tar -cvzf '/tmp/QarkReport - %FileApk%%Timestamp%.tar.gz' '/tmp/%FileApk%%Timestamp%.apk' 'Report_%FileApk%%Timestamp%/' logs/ exploit/"
"%~dp0pscp.exe" -P 22 -l %Username% -pw %Password% -C %Server%:"/tmp/QarkReport - %FileApk%%Timestamp%.tar.gz" %Documentacion%
"%~dp0plink.exe" -P 22 -ssh -l %Username% -pw %Password% -C %Server% "rm -f '/tmp/QarkReport - %FileApk%_%Timestamp%.tar.gz'"
------------QARK.bat-------------------

------------qark.sh-------------------

#!/bin/bash

DirApp=$1
APK=$(echo $2 | sed 's/"//g')

cd $DirApp

rm -fr report/build/ logs/ exploit/
python ./qark.py --acceptterms ACCEPTTERMS --source 1 --pathtoapk "/tmp/$APK.apk" --install 0 --exploit 1 --debug 10 --reportdir "Report_$APK"
mkdir exploit/
cp build/qark/app/build/outputs/apk/app-debug.apk exploit/
cp build/qark/app/build/outputs/apk/app-debug-unaligned.apk exploit/
------------qark.sh-------------------

The error:
Traceback (most recent call last):
  File "./qark.py", line 676, in <module>
    unpackAPK.decompile(common.pathToDEX)
  File "/root/qark/modules/unpackAPK.py", line 156, in decompile
    with common.term.cbreak():
  File "/usr/lib/python2.7/contextlib.py", line 17, in __enter__
    return self.gen.next()
  File "/root/qark/lib/blessed/terminal.py", line 572, in cbreak
    save_mode = termios.tcgetattr(self.keyboard_fd)
termios.error: (25, 'Inappropriate ioctl for device')

reportdir not working

Tried the following and it's not working; it dumps the report to the default directory

python qark.py --pathtoapk "/Users/ironman/Downloads/my.apk" -s 1 -e 0 -r /Users/ironman/apps/Security/myreport

APK build failed on CentOS

FAILURE: Build failed with an exception.

* What went wrong:
A problem occurred configuring project ':app'.
> failed to find target android-21 : /root/qark/android-sdk_r24.0.2-macosx/android-sdk-macosx

* Try:
Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output.

BUILD FAILED

Seems like only downloading the OS X SDK caused this issue?

url = " https://dl.google.com/android/android-sdk_r24.0.2-macosx.zip"

False alarm for The Custom Permission Problem

According to https://github.com/commonsguy/cwac-security/blob/master/PERMS.md a custom permission problem requires a custom permission definition. If no new permission is defined, or the permission used for a module is a known permission, a custom permission vulnerability cannot happen.

qark output:

POTENTIAL VULNERABILITY - The following receiver are exported and protected by a permission, but the permission can be obtained by malicious apps installed prior to this one. More info: https://github.com/commonsguy/cwac-security/blob/master/PERMS.md. Failing to protect receiver could leave them vulnerable to attack by malicious apps. The receiver should be reviewed for vulnerabilities, such as injection and information leakage.
com.google.android.gcm.GCMBroadcastReceiver
com.google.android.c2dm.permission.SEND

Manifest:

       <receiver android:name="com.google.android.gcm.GCMBroadcastReceiver" android:permission="com.google.android.c2dm.permission.SEND">
            <intent-filter>
                <action android:name="com.google.android.c2dm.intent.RECEIVE"/>
                <action android:name="com.google.android.c2dm.intent.REGISTRATION"/>
                <category android:name="com.androidexample.gcm"/>
            </intent-filter>
        </receiver>

seamless command

Hi

I want to run an automated test using qark in seamless mode. I want to inspect the manifest file and I don't want to build the exploitable APK nor install it.

On the same hand, I would like to generate a report in my own folder.

What should the command look like?

python qark.py --source 1 --pathtoapk -manifest 1 -O pathreport

Thanks

not able to select apk from device

Do you want to:
[1] Provide a path to an APK
[2] Pull an existing APK from the device?

Select an APK[0-140]: 134
INFO - Selected:134 /data/app/tv.android-1.apk
5167 KB/s (13440708 bytes in 2.539s)
INFO - Unpacking /root/Downloads/qark-master/temp/tv.android-1.apk
INFO - Zipfile: <zipfile.ZipFile object at 0x7ff00bc48510>
INFO - Extracted APK to /root/Downloads/qark-master/temp/tv.android-1/
INFO - Finding AndroidManifest.xml in /root/Downloads/qark-master/temp/tv.periscope.android-1
INFO - AndroidManifest.xml found
Traceback (most recent call last):
  File "qark.py", line 492, in <module>
    ap = axmlprinter.AXMLPrinter(open(mf, 'rb').read())
  File "/root/Downloads/qark-master/lib/axmlparserpy/axmlprinter.py", line 47, in __init__
    self.buff += "xmlns:%s=\"%s\"\n" % (self.axml.getNamespacePrefix(0), self.axml.getNamespaceUri(0))
  File "/root/Downloads/qark-master/lib/axmlparserpy/axmlparser.py", line 194, in getNamespacePrefix
    prefix = self.m_prefixuriL[ pos ][0]
IndexError: list index out of range

Decompilation error

Press ENTER key to begin decompilation
Traceback (most recent call last):
  File "qark.py", line 613, in <module>
    unpackAPK.decompile(common.pathToDEX)
  File "/root/Desktop/qark-master/modules/unpackAPK.py", line 123, in decompile
    sp = subprocess.Popen([pathToDex2jar, common.pathToDEX], shell=False, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
  File "/usr/lib/python2.7/subprocess.py", line 710, in __init__
    errread, errwrite)
  File "/usr/lib/python2.7/subprocess.py", line 1335, in _execute_child
    raise child_exception
OSError: [Errno 13] Permission denied

Endless loop when not run from project dir

When run from a different directory, such as the qark.py's parent:

python qark/qark.py --source 1 --pathtoapk sampleApps/goatdroid/goatdroid.apk --exploit 0
causes an infinite loop at the unpacking phase, with the message below repeating endlessly:

INFO - Unpacking /var/lib/jenkins/tools/sampleApps/goatdroid/goatdroid.apk

This message comes from:

./modules/unpackAPK.py: logger.info('Unpacking %s', common.apkPath)

POC apk issue

I had the following issue when I tried to create the exploit PoC APK:
Traceback (most recent call last):
  File "qark.py", line 1017, in <module>
    extras_list[j] = extras_list[j].replace('"','')
AttributeError: 'list' object has no attribute 'replace'

Please note the apk being analyzed was created using xamarin....

Debuglevel argument ignored

The debuglevel argument (-d or --debug) seems to be always ignored. I tried "-debug 10", as I wanted to see details of execution, but nothing changed... Both log handlers (console and file) kept their default log level (INFO). Another problem is that the file created inside the "logs" folder is always named "info.log", regardless of the log level.

In addition, as long as the debuglevel argument refers to the log level, I think it should be named "-l" or "--loglevel" instead.

best regards,

when running in headless mode, QARK isn't able to select manifest file

I am using below command to run QARK over my codebase in shell:

python qark.py --source 2 -c /var/lib/jenkins/jobs/Android_App/workspace/App --manifest /var/lib/jenkins/jobs/Android_App/workspace/App/AndroidManifest.xml --exploit 1 --install 1

There are multiple manifests present in my project (more than 50, due to app splitting and other APKs). QARK waits for me to enter the manifest number rather than selecting the manifest file passed as a parameter.

I am running QARK in ubuntu and python version is 2.7.6

Thanks in advance for the help

Detect when build of attack APK fails

From #12, someone reported that they are still prompted to install the attack APK, even after the build failed.

We should detect the build failure and respond differently.

build failed

:app:mergeDebugResources
Error: org.gradle.process.internal.ExecException: A problem occurred starting process 'command '/root/Downloads/qark-master/android-sdk_r24.3.4-linux/android-sdk-linux/build-tools/21.1.2/aapt''
:app:mergeDebugResources FAILED

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':app:mergeDebugResources'.
> Error: org.gradle.process.internal.ExecException: A problem occurred starting process 'command '/root/Downloads/qark-master/android-sdk_r24.3.4-linux/android-sdk-linux/build-tools/21.1.2/aapt''

* Try:
Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output.

BUILD FAILED

Main Activity export Warning

Main (launcher) activity is a special activity; it needs true export and no permission restriction.
It's better to warn differently for launcher activities.

qark output:

INFO - Checking activity
WARNING - The following activity are exported, but not protected by any permissions. Failing to protect activity could leave them vulnerable to attack by malicious apps. The activity should be reviewed for vulnerabilities, such as injection and information leakage.
com.foo.bar.Main

Sample Android Manifest for a launcher:

        <activity android:label="@string/app_caption" android:name="com.foo.bar.Main" android:theme="@android:style/Theme.NoTitleBar.Fullscreen">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>

Component Names not properly normalized

The names of components set in the exploit APK and ADB commands may be incorrect, due to a bug in the function that was supposed to normalize them. You may see the package name repeated twice. We have identified the issue, completed the patch and are testing now. Update should be available tomorrow.

Stuck when decompiling

JD CORE 100%|#################################################################|
Procyon  94%|#############################################################    |
CFR 100%|#####################################################################|

It takes too long, but nothing updates.

When I press Ctrl+C, it shows:

Traceback (most recent call last):
  File "/usr/lib/python2.7/multiprocessing/process.py", line 258, in _bootstrap
    self.run()
  File "/usr/lib/python2.7/multiprocessing/process.py", line 114, in run
    self._target(*self._args, **self._kwargs)
  File "/xxx/python/qark-master/modules/unpackAPK.py", line 253, in procyon
Traceback (most recent call last):
  File "qark.py", line 613, in <module>
    line = process.stdout.readline()

Exported provider permissions - readPermission/writePermission overlooked

When checking exported providers in the Application Manifest, QARK checks for the android:permission flag. If it can't find it, it assumes the provider is not protected by a permission. However, you can use android:readPermission and android:writePermission to set the individual read/write permissions. QARK should check the presence of these attributes if no android:permission is found.

http://developer.android.com/guide/topics/manifest/provider-element.html

Problem With reporting

Hi, thanks for sharing this amazing software 👍

I received this message when I try to generate the HTML report.

ERROR - problem with reporting; no Html report generated. Please see the readme file for possible solutions.

Any solutions??? Thanks!!

Failed to identify source code vulnerabilities

Hi Team,

I have analyzed 8-10 applications in qark and what I found was that it fails to identify certain source code vulnerabilities like sensitive data storage in db, data storage in share_pref, hard coded data, ssl pinning related vulnerabilities.

Qark is a really good tool and it can become even better. Please consider above points.

Issues parsing AndroidManifest files

When you try to analyse the android webview base.apk from a device running Android 6, you get:

Traceback (most recent call last):
  File "qark.py", line 494, in <module>
    manifestInXML = minidom.parseString(mfbuff).toxml()
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/xml/dom/minidom.py", line 1928, in parseString
    return expatbuilder.parseString(string)
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/xml/dom/expatbuilder.py", line 940, in parseString
    return builder.parseString(string)
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/xml/dom/expatbuilder.py", line 223, in parseString
    parser.Parse(string, True)
xml.parsers.expat.ExpatError: not well-formed (invalid token): line 22, column 14

The Manifest file extracted via apktool is:


<?xml version="1.0" encoding="utf-8" standalone="no"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.google.android.webview" platformBuildVersionCode="23" platformBuildVersionName="6.0-2166767">
    <uses-feature android:name="android.hardware.touchscreen" android:required="false"/>
    <application android:icon="@drawable/icon_webview" android:label="Android System WebView" android:multiArch="true">
        <activity android:label="@string/license_activity_title" android:name="com.android.webview.chromium.LicenseActivity">
            <intent-filter>
                <action android:name="android.settings.WEBVIEW_LICENSE"/>
                <category android:name="android.intent.category.DEFAULT"/>
            </intent-filter>
            <meta-data android:name="com.android.settings.PRIMARY_PROFILE_CONTROLLED" android:value="true"/>
        </activity>
        <provider android:authorities="com.google.android.webview.LicenseContentProvider" android:exported="true" android:name="com.android.webview.chromium.LicenseContentProvider"/>
        <meta-data android:name="com.android.webview.WebViewLibrary" android:value="libwebviewchromium.so"/>
    </application>
</manifest>

Error in Jenkins integration with qark

I am using the below command in jenkins for qark automation to android scan:
python qark/qark.py --source 1 --pathtoapk /tmp/java-uat.apk --exploit 0 --install 0

The Jenkins build failed with the following error:

JD CORE 0%|
Procyon 0%|
CFR 0%|

Traceback (most recent call last):
  File "qark/qark.py", line 638, in <module>
    unpackAPK.decompile(common.pathToDEX)
  File "XXX/workspace/QARK/qark/modules/unpackAPK.py", line 156, in decompile
    with common.term.cbreak():
  File "/usr/lib/python2.7/contextlib.py", line 17, in __enter__
    return self.gen.next()
  File "XXX/workspace/QARK/qark/lib/blessed/terminal.py", line 572, in cbreak
    save_mode = termios.tcgetattr(self.keyboard_fd)
termios.error: (25, 'Inappropriate ioctl for device')

The build fails with
JD CORE 100%|
Procyon 100%|
CFR 100%|

Also tried the below to no avail
echo "C"|python qark/qark.py --source 1 --pathtoapk /tmp/java-uat.apk --exploit 0 --install 0
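
The `termios.error: (25, 'Inappropriate ioctl for device')` in this report and in the plink.exe report at the top of the page is what `termios.tcgetattr` raises when the descriptor is not a terminal, as is the case for stdin in a Jenkins job or a piped command. An added example, not QARK's or blessed's own code (written for Python 3; `tty_errno`, `cbreak_if_tty` and `continue_requested` are hypothetical names), of guarding the cbreak call so a headless run skips key polling instead of crashing:

```python
import contextlib
import os
import select
import termios
import tty


def tty_errno(fd):
    """Return None if fd is a terminal, else the errno termios raises for it."""
    try:
        termios.tcgetattr(fd)
    except termios.error as exc:
        return exc.args[0]
    return None


@contextlib.contextmanager
def cbreak_if_tty(fd):
    """Put fd in cbreak mode only when it is a terminal.

    Yields True when cbreak is active and False when fd is not a TTY
    (CI job, remote command without a pty, piped stdin).
    """
    if fd is None or not os.isatty(fd):
        yield False
        return
    saved = termios.tcgetattr(fd)
    try:
        tty.setcbreak(fd)
        yield True
    finally:
        # Always restore the terminal, even if the caller raised.
        termios.tcsetattr(fd, termios.TCSAFLUSH, saved)


def continue_requested(fd, timeout=0.0):
    """Return True if the user pressed C on an interactive terminal.

    In a headless run there is no keyboard, so report False and let the
    caller rely on a timeout instead of waiting for a key press.
    """
    with cbreak_if_tty(fd) as interactive:
        if not interactive:
            return False
        ready, _, _ = select.select([fd], [], [], timeout)
        return bool(ready) and os.read(fd, 1) in (b"c", b"C")


if __name__ == "__main__":
    # Constructed stand-in for stdin under Jenkins or plink: a pipe, not a TTY.
    read_end, write_end = os.pipe()
    os.write(write_end, b"C\n")
    print("termios errno on a pipe:", tty_errno(read_end))
    print("continue requested:", continue_requested(read_end))
```

Because the guard never reads from a non-terminal, piping `C` into the process has no effect; a headless caller needs a timeout or a command-line switch to bound the decompilation wait.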

Procyon taking too much time.

When the decompiling process is going on, CFR and JD Core finish properly but Procyon is stuck in the middle for a long time; even interrupting the compilation with CTRL+C is not helping.

Support for Windows

I am using Python 2.7.10, but I can't get things working. Is this a compatibility problem?

d:\Developer\CodeReview\qark>C:\Python27\python.exe qark.py
Traceback (most recent call last):
  File "qark.py", line 24, in <module>
    from modules import common,intents,webviews, report, unpackAPK
  File "d:\Developer\CodeReview\qark\modules\common.py", line 26, in <module>
    from lib.blessed import *
  File "d:\Developer\CodeReview\qark\lib\blessed\__init__.py", line 12, in <modu
    from terminal import Terminal
  File "d:\Developer\CodeReview\qark\lib\blessed\terminal.py", line 7, in <modul
    import termios
ImportError: No module named termios

I'd like to have a simple report

Hi
I tried Qark and its result was good for me.

But then, I have one question for it.
Does qark have any simple report features to integrate with CI such as Jenkins?
If it doesn't, do you have an alternative to integrate with CI?
For example, exporting the result as xml.

I'd like to see the result via Dashboard provided by CI.

Thanks

False alert in permission check

Here are three POC apks in zip file: http://www.androbugs.com/upload/APP/PermissionTest.zip
1.Callee_with_customized_permission.apk (Package name: example.com.permissioncheckbug)
2.Caller_signed_different_cert.apk (Package name: example.com.testpermission)
3.Caller_signed_with_the_same_cert_as_Callee.apk (Package name: example.com.testpermission)

Only "1.Callee_with_customized_permission.apk" and "3.Caller_signed_with_the_same_cert_as_Callee.apk" are signed with the same Certificate(KeyStore). That is, they have the same signature.
Both APK "2.Caller_signed_different_cert.apk" and "3.Caller_signed_with_the_same_cert_as_Callee.apk" have a button to open the "TestPermissionActivity" Activity of "1.Callee_with_customized_permission.apk". But only "3.Caller_signed_with_the_same_cert_as_Callee.apk" can open the "TestPermissionActivity" Activity successfully because of the "signature|signatureOrSystem" permission setting.

Below is the AndroidManifest.xml of each of the APKs.

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" android:versionCode="1" android:versionName="1.0" package="example.com.permissioncheckbug" platformBuildVersionCode="23" platformBuildVersionName="6.0-2166767">
    <uses-sdk android:minSdkVersion="15" android:targetSdkVersion="23" />
    <permission android:name="example.com.permissioncheckbug.PermissionControl" android:protectionLevel="signature|signatureOrSystem" />
    <uses-permission android:name="example.com.permissioncheckbug.PermissionControl" />
    <application android:theme="@style/AppTheme" android:label="@string/app_name" android:icon="@mipmap/ic_launcher" android:debuggable="true" android:allowBackup="true">
        <activity android:label="@string/app_name" android:name="example.com.permissioncheckbug.MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
        <activity android:label="@string/title_activity_test_permission" android:name="example.com.permissioncheckbug.TestPermissionActivity" android:permission="example.com.permissioncheckbug.PermissionControl" android:exported="true" />
    </application>
</manifest>

Also, you know how to decompile them to get the source code :)
The Activity "TestPermissionActivity" is actually protected with "signature" or "signatureOrSystem" protectionLevel.
Basically, others won't get Linkedin's Release Certificate(KeyStore) for Android app.
So app using "signature" or "signatureOrSystem" protectionLevel is not vulnerable.

But when I was scanning the POC apks with QARK, it reported:

      example.com.permissioncheckbug.TestPermissionActivity
                example.com.permissioncheckbug.PermissionControl

WARNING - The following activity are exported, but not protected by any permissions. Failing to protect activity could leave them vulnerable to attack by malicious apps. The activity should be reviewed for vulnerabilities, such as injection and information leakage.


=> It turns out to be a false alert.

I know my POC app is [android:debuggable="true" android:allowBackup="true"].
Please ignore that! It's just for testing.

BTW, you should try AndroBugs Framework !
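
Several reports on this page concern how exported components are classified from the manifest: the GCM receiver guarded by a permission the app does not define, the launcher activity, providers that use android:readPermission / android:writePermission, and the signature-level custom permission in this report. An added example, not QARK's code (Python 3; the verdict names and the `com.example.demo` manifest are constructed for illustration), of the triage those reports ask for:

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")
SIGNATURE_LEVELS = {"signature", "signatureOrSystem"}
# Weakest verdict first; a provider guarded by two permissions gets the weaker one.
PERMISSION_RANK = ["weak-custom-permission", "external-permission", "signature-protected"]


def _attr(elem, name):
    return elem.get(ANDROID + name)


def _is_exported(comp):
    explicit = _attr(comp, "exported")
    if explicit is not None:
        return explicit == "true"
    # Assumption: with no explicit flag, an intent-filter implies exported
    # (legacy provider defaults are not modelled).
    return comp.find("intent-filter") is not None


def _is_launcher(comp):
    for flt in comp.findall("intent-filter"):
        actions = {_attr(a, "name") for a in flt.findall("action")}
        categories = {_attr(c, "name") for c in flt.findall("category")}
        if ("android.intent.action.MAIN" in actions
                and "android.intent.category.LAUNCHER" in categories):
            return True
    return False


def _guards(comp):
    """Return the (read, write) permissions that gate access to a component."""
    base = _attr(comp, "permission")
    if comp.tag != "provider":
        return base, base
    # readPermission / writePermission take precedence over android:permission.
    return (_attr(comp, "readPermission") or base,
            _attr(comp, "writePermission") or base)


def _classify_permission(name, declared):
    if name not in declared:
        # Not defined by this app (e.g. a platform or Google permission).
        return "external-permission"
    tokens = set((declared[name] or "normal").split("|"))
    return "signature-protected" if tokens & SIGNATURE_LEVELS else "weak-custom-permission"


def triage(manifest_xml):
    """Map each exported component name to a verdict string."""
    root = ET.fromstring(manifest_xml)
    declared = {_attr(p, "name"): _attr(p, "protectionLevel")
                for p in root.findall("permission")}
    app = root.find("application")
    verdicts = {}
    for comp in (app if app is not None else []):
        if comp.tag not in COMPONENTS or not _is_exported(comp):
            continue
        read, write = _guards(comp)
        if read is None and write is None:
            verdict = "launcher" if _is_launcher(comp) else "unprotected"
        elif read is None or write is None:
            verdict = "partially-protected"  # one of read/write is open
        else:
            verdict = min((_classify_permission(p, declared) for p in (read, write)),
                          key=PERMISSION_RANK.index)
        verdicts[_attr(comp, "name")] = verdict
    return verdicts


# Constructed sample manifest combining the cases from the reports.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <permission android:name="com.example.demo.SIG" android:protectionLevel="signature|signatureOrSystem"/>
  <permission android:name="com.example.demo.OPEN" android:protectionLevel="normal"/>
  <application>
    <activity android:name="com.example.demo.Main">
      <intent-filter><action android:name="android.intent.action.MAIN"/><category android:name="android.intent.category.LAUNCHER"/></intent-filter>
    </activity>
    <activity android:name="com.example.demo.SigActivity" android:exported="true" android:permission="com.example.demo.SIG"/>
    <activity android:name="com.example.demo.OpenActivity" android:exported="true" android:permission="com.example.demo.OPEN"/>
    <receiver android:name="com.google.android.gcm.GCMBroadcastReceiver" android:permission="com.google.android.c2dm.permission.SEND">
      <intent-filter><action android:name="com.google.android.c2dm.intent.RECEIVE"/></intent-filter>
    </receiver>
    <provider android:name="com.example.demo.ReadOnlyGuarded" android:authorities="com.example.demo.ro" android:exported="true" android:readPermission="com.example.demo.SIG"/>
    <provider android:name="com.example.demo.SplitGuarded" android:authorities="com.example.demo.rw" android:exported="true" android:readPermission="com.example.demo.SIG" android:writePermission="com.example.demo.SIG"/>
    <provider android:name="com.example.demo.Bare" android:authorities="com.example.demo.bare" android:exported="true"/>
    <service android:name="com.example.demo.Internal" android:exported="false"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    for name, verdict in sorted(triage(SAMPLE_MANIFEST).items()):
        print("%-48s %s" % (name, verdict))
```

Treating any `signature` or `signatureOrSystem` token as sufficient is a simplification made for this example; the verdicts are review priorities, not proof that a component is safe.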

Missing --manifest argument not handled properly

When failing to specify the --manifest argument, the program should fail, or allow re-entry, but instead goes into endless loop

python /var/lib/jenkins/tools/qark/qark.py --source 2 -c /Documents/Work/Code/qark_fix/qark/sampleApps/goatdroid/OWASP-GoatDroid-0.9/ --exploit 0 --reportdir /var/lib/jenkins/tools/qark/report/

ERROR - When selecting --source=2, Please either pass --autodetectcodepath=1 or both --manifest and --codepath
INFO - Initializing...
INFO - Identified Android SDK installation from a previous run.
INFO - Initializing QARK

ERROR - Not a directory. Please try again
ERROR - Not a directory. Please try again
ERROR - Not a directory. Please try again
ERROR - Not a directory. Please try again
ERROR - Not a directory. Please try again....

APK Build hangs

I love qark guys! I am running on Mac OS X Yosemite version 10.10.5 and python 2.7.10

I ran it and after it generated the potential vulnerabilities I chose for it to create a custom APK for exploitation. However, it hangs while building. It says it found latest build tools 23.0.1.

One other note: after initial installation I had chosen to have qark install the android-sdk, however when I first attempted to create a custom APK for exploitation it could not find adb. I had to go into the fetched folder and run ./tools/android update sdk --no-ui

Thanks guys,

support for python 3

Hi

I am noticing a lot of Python 3.x support code, but when I try to run it under Python 3, I get errors like

  File "qark.py", line 115
    print "Version 0.8"
                      ^
SyntaxError: Missing parentheses in call to 'print'

This is unintentional?

Few suggestions - Gradle project

To analyze a gradle project (sources) with many modules (libs), I have to manually pick a manifest for each module. Can you automate this task (scan all the project modules)?

Also, consider to stop suggesting manifests beneath /build/intermediates folders - currently it creates too much noise.

Qark Auto SDK download and set problem

When I start qark it wants to get the Android SDK. I confirmed that it should get the SDK and configure the SDK path itself, but it returns an error, which looks like this:

Do you want QARK to download and set up Android SDK?[y/n] :y
[##########] 100%\nFile downloaded to/Users/USER/Projects/Android Studio/Qark/android-sdk_r24.0.2-macosx.zip
\nUnpacking Android SDK Manager.../Users/USER/Projects/Android Studio/Qark/android-sdk_r24.0.2-macosx.zip
INFO - Done
2,6,26,141,142
Traceback (most recent call last):
  File "qark.py", line 263, in <module>
    sdkManager.getAndroidSDKManager()
  File "/Users/USER/Projects/Android Studio/Qark/modules/sdkManager.py", line 43, in getAndroidSDKManager
    downloadSDK()
  File "/Users/USER/Projects/Android Studio/Qark/modules/sdkManager.py", line 97, in downloadSDK
    runSDKManager()
  File "/Users/USER/Projects/Android Studio/Qark/modules/sdkManager.py", line 128, in runSDKManager
    p1.stdin.write(common.args.acceptterms)
TypeError: must be string or buffer, not None

How can I fix this error, many thanks for helping.

Support multiple devices

BUILD SUCCESSFUL

Total time: 4 mins 18.931 secs
Do you want to install this to your device? (y/n)y
INFO - Installing...
INFO - The apk can be found in the /home/pablo/tools/qark/build/qark directory
error: more than one device/emulator
- waiting for device -
...
error: more than one device/emulator
- waiting for device -

Instead of looping there, give the user the option to choose which device to use.

Long decompilation is messy

Running Qark against a large APK will result in a lot of spew and the progress bars are messed up because of it. Repeated instances of

Decompilation may hang/take too long (usually happens when the source is obfuscated).mpiled.
At any time,Press C to continue and QARK will attempt to run SCA on whatever was decompiled.

Interfere with the progress bars

Steps to reproduce:

  • Download Firefox for Android https://nightly.mozilla.org
  • Run python qark.py --source 1 --pathtoapk ./fennec-43.0a1.en-US.android-arm.apk --exploit 1 --install 1
  • Wait for the decompilation step

Example of the spew spanning over 100 lines https://gist.github.com/kbrosnan/397d349ae496968f6465

Error to decompile on Windows using cygwin

Qark fails to decompile application on Windows using cygwin:

Press ENTER key to begin decompilation
Traceback (most recent call last):
  File "qark.py", line 614, in <module>
    unpackAPK.decompile(common.pathToDEX)
  File "/cygdrive/c/Users/admin/gits/qark/modules/unpackAPK.py", line 127, in decompile
    zf = zipfile.ZipFile(common.pathToJar)
  File "/usr/lib/python2.7/zipfile.py", line 756, in __init__
    self.fp = open(file, modeDict[mode])
IOError: [Errno 2] No such file or directory: '/cygdrive/c/Users/username/Folder/apkstuffs/app-1.0.0-200-debug/classes_dex2jar.jar'

Failed build of exploitation APK

The tool tries to use Build Tools 21.1.2 to build the exploitation APK, which is not present on my system (23.0.0 is). The build fails because of this, but still asks to install the created APK, which of course fails as well.

Great stuff nonetheless!

For the potential vulnerabilities, do you want to:
[1] Create a custom APK for exploitation
[2] Exit
Enter your choice:1
Generating exploit payloads for all vulnerabilities
com.myapp.MainActivity
adding value to string: com.myapp
adding value to string: com.myapp.MainActivity
com.myapp.OAuthCodeActivity
adding value to string: com.myapp.OAuthCodeActivity
------------ Building Exploit APK ------------

FAILURE: Build failed with an exception.

* What went wrong:
A problem occurred configuring project ':app'.
> failed to find Build Tools revision 21.1.2

* Try:
Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output.

BUILD FAILED

Total time: 13.113 secs
Do you want to install this to your device? (y/n)y
INFO - Installing...
INFO - The apk can be found in the /home/nhaarman/dev/qark/build/qark directory
Invalid APK file: /home/nhaarman/dev/qark/build/qark/app/build/outputs/apk/app-debug.apk
An html report of the findings is located in : /home/nhaarman/dev/qark/report/report.html
Goodbye!

Tapjacking

Hello,

I've got a few questions regarding tapjacking.
What do you mean with "static tapjacking" in your docs?

How does the tapjacking poc work? I've generated an APK for the application I'm targeting, which opens the application with the overlay. Is it also currently possible to track touch inputs (and view where on the screen they occurred?)

Thanks,
Cedric

Support for json

Any chance we could get an option for json output in addition to html report?

termios error

$ python qark.py
Traceback (most recent call last):
  File "qark.py", line 24, in <module>
    from modules import common,intents,webviews, report, unpackAPK
  File "C:\Users\akshay\Desktop\qark-master\qark-master\modules\common.py", line 26, in <module>
    from lib.blessed import *
  File "C:\Users\akshay\Desktop\qark-master\qark-master\lib\blessed\__init__.py", line 12, in <module>
    from terminal import Terminal
  File "C:\Users\akshay\Desktop\qark-master\qark-master\lib\blessed\terminal.py", line 7, in <module>
    import termios
ImportError: No module named termios

Reporting not working.

I get an issue at the tag end of the execution.
"ERROR - Problem with reporting; No html report generated. Please see the readme file for possible solutions."
Please try and address this. Will be helpful in presenting the analysis more efficiently to the audience. Do let me know once this is addressed.

Suggestion

Why don't we use enjarify? dex2jar is too old.

Problem running on master

[chris@chris-g50 qark]$ python qark.py 
Traceback (most recent call last):
  File "qark.py", line 24, in <module>
    from modules import common,findExtras,webviews, report, unpackAPK
  File "/home/chris/github/qark/modules/common.py", line 26, in <module>
    from lib.blessed import *
  File "/home/chris/github/qark/lib/blessed/__init__.py", line 12, in <module>
    from terminal import Terminal 
ImportError: cannot import name Terminal
[chris@chris-g50 qark]$ 

This occurs on master (not related to my current work). Maybe a circular dependency?

Supplying own AndroidSDKPath does not handle missing '/'

When supplying a pre-installed Android SDK directory without the trailing /, Qark does not handle this correctly:

Do you want QARK to download and set up Android SDK?[y/n] :n
Please enter the fullpath to your Android SDK root directory:/opt/android-sdk
Updated config value:: AndroidSDKPath /opt/android-sdk
INFO - Initializing QARK

For example, when creating and installing the exploitation APK, the following happens:

Do you want to install this to your device? (y/n)y
Traceback (most recent call last):
  File "qark.py", line 1041, in <module>
    apkList = list_all_apk()
  File "qark.py", line 319, in list_all_apk
    st = os.stat(adb)
OSError: [Errno 2] No such file or directory: '/opt/android-sdkplatform-tools/adb'

Error: p1 = Popen([adb, 'devices'], stdout=PIPE, stdin=PIPE, stderr=STDOUT)

When I run

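#!/bin/bash

DirApp=$1
# Strip double quotes from the APK name passed as the second argument
APK=$(echo "$2" | sed 's/"//g')

# Stop if the directory is missing, so the rm below never runs elsewhere
cd "$DirApp" || exit 1

rm -fr report/build/ logs/ exploit/
python ./qark.py --acceptterms ACCEPTTERMS --source 1 --pathtoapk "/tmp/$APK.apk" --exploit 1 --install 0 --debug 10 --reportdir "Report_$APK"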

StackTrace:

Traceback (most recent call last):
  File "./qark.py", line 1027, in <module>
    apkList = list_all_apk()
  File "./qark.py", line 217, in list_all_apk
    p1 = Popen([adb, 'devices'], stdout=PIPE, stdin=PIPE, stderr=STDOUT)
  File "/usr/lib/python2.7/subprocess.py", line 711, in __init__
    errread, errwrite)
  File "/usr/lib/python2.7/subprocess.py", line 1343, in _execute_child
    raise child_exception
OSError: [Errno 8] Exec format error
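
Both reports above fail at the path to `adb` derived from `AndroidSDKPath`: the first shows a path concatenated without a separator, the second shows errno 8, which the kernel returns when the file is not a program the host can execute. The following is an added example, not QARK's code: it builds the path with `os.path.join` and checks the binary before a scan depends on it. It is written for Python 3 rather than the Python 2.7 in the traces; `adb_path`, `check_adb` and `make_constructed_sdk` are hypothetical names, and the SDK tree is constructed.

```python
import errno
import os
import subprocess
import tempfile


def adb_path(sdk_root):
    """Return <sdk_root>/platform-tools/adb, with or without a trailing '/'."""
    return os.path.join(os.path.expanduser(sdk_root), "platform-tools", "adb")


def check_adb(sdk_root):
    """Return (status, detail) instead of letting Popen raise mid-scan."""
    adb = adb_path(sdk_root)
    if not os.path.isfile(adb):
        return "missing", adb
    if not os.access(adb, os.X_OK):
        return "not-executable", adb
    try:
        proc = subprocess.run([adb, "devices"], stdin=subprocess.DEVNULL,
                              stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
                              timeout=30)
    except OSError as exc:
        if exc.errno == errno.ENOEXEC:
            # Errno 8: the file is not a program this host can execute.
            return "exec-format", adb
        return "os-error", "%s: %s" % (adb, exc.strerror)
    except subprocess.TimeoutExpired:
        return "timeout", adb
    status = "ok" if proc.returncode == 0 else "adb-failed"
    return status, proc.stdout.decode("utf-8", "replace")


def make_constructed_sdk(adb_bytes):
    """Build a throwaway SDK tree whose 'adb' has the given content (constructed)."""
    root = tempfile.mkdtemp(prefix="sdk-")
    tools = os.path.join(root, "platform-tools")
    os.mkdir(tools)
    with open(os.path.join(tools, "adb"), "wb") as handle:
        handle.write(adb_bytes)
    os.chmod(os.path.join(tools, "adb"), 0o755)
    return root


if __name__ == "__main__":
    print(adb_path("/opt/android-sdk"))   # path from the report, no trailing slash
    print(adb_path("/opt/android-sdk/"))
    print(check_adb(make_constructed_sdk(b"\x00constructed: not a runnable image\n")))
```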

Jenkins integration?

Hi

I am having some problems integrating qark with Jenkins

If I run it as a Python script, it tells me that the syntax is incorrect (note that $apkpath.apk is hardcoded with the apk file)

qark/qark.py --source 1 --path $apkpath.apk --manifest 1 --exploit 0

If I run it as a shell script in Jenkins

python qark/qark.py --source 1 --path $apkpath.apk --manifest 1 --exploit 0

It works fine until the decompiling step. After that, it gives an unexpected failure.

What could be the problem? If I run the same from the command line (both my .sh or executing the Python script directly) it works fine.

Thanks

Manifest parsing bug - UnicodeEncodeError: 'ascii' codec can't encode character

There seems to be a bug in the Manifest parsing code when special characters are encountered:

Press ENTER key to continue

INFO - Determined minimum SDK version to be:15

WARNING - Logs are world readable on pre-4.1 devices. A malicious app could potentially retrieve sensitive data from the logs.

ISSUES - APP COMPONENT ATTACK SURFACE

WARNING - Backups enabled: Potential for data theft via local attacks via adb backup, if the device has USB debugging enabled (not common). More info: http://developer.android.com/reference/android/R.attr.html#allowBackup

INFO - Checking provider

INFO - Checking activity

ERROR - Traceback (most recent call last):
  File "qark.py", line 622, in <module>
    act_priv_list=common.normalizeActivityNames(act_priv_list,package_name)
  File "/Users/sevena/qark-master/modules/common.py", line 467, in normalizeActivityNames
    if re.match(r'\..*',str(activityList[d])):
UnicodeEncodeError: 'ascii' codec can't encode character u'\ufeaa' in position 2: ordinal not in range(128)
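
The traceback above comes from calling `str()` on a unicode activity name, which in Python 2 is an implicit ASCII encode. The following is an added example, not QARK's code, written for Python 3: it reproduces that encode failure explicitly and shows name handling that keeps manifest names as text. The function names, the sample names and the rule that a leading-dot name is prefixed with the package name are assumptions.

```python
import re

RELATIVE_NAME = re.compile(r"\.")  # same leading-dot test as the r'\..*' match

# Constructed sample: U+FEAA sits at index 2, as in the reported error.
SAMPLE_NAMES = [".Main", ".a\ufeaab", "com.example.Other", b".FromBytes"]


def ascii_coercion_error(name):
    """Return (reason, position) for the ASCII encode Python 2's str() performs."""
    try:
        name.encode("ascii")
    except UnicodeEncodeError as exc:
        return exc.reason, exc.start
    return None


def normalize_activity_names(names, package_name):
    """Qualify manifest-relative names; every name stays text, never ASCII bytes."""
    qualified = []
    for name in names:
        if isinstance(name, bytes):       # decode explicitly, with a known codec
            name = name.decode("utf-8")
        if RELATIVE_NAME.match(name):     # assumption: ".Main" means <package>.Main
            name = package_name + name
        qualified.append(name)
    return qualified


def safe_for_log(name):
    """Render a name for an ASCII-only log or console without raising."""
    return name.encode("ascii", "backslashreplace").decode("ascii")


if __name__ == "__main__":
    print(ascii_coercion_error(SAMPLE_NAMES[1]))
    for full in normalize_activity_names(SAMPLE_NAMES, "com.example.app"):
        print(safe_for_log(full))
```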
