LinkedIn Release QARK to Discover Security Holes in Android Apps

| by Abel Avram Follow 9 Followers on Aug 27, 2015. Estimated reading time: 1 minute |

LinkedIn has recently open sourced QARK, a static analysis tool meant to discover potential security vulnerabilities existing in Android applications written in Java.

QARK was first introduced at DEFCON 23 earlier this month, then made public on GitHub shortly after. QARK uses PLYJ, a Python tool for parsing Java source code, and Beautiful Soup for parsing the Android manifest file. But QARK can handle binaries also, using multiple decompilers and merging their results: Procyon, JD-Core, CFR, DEX2JAR, and APKTool.  The range of issues investigated includes:

  • Inadvertently exported components
  • Improperly protected exported components
  • Intents which are vulnerable to interception or eavesdropping
  • Improper x.509 certificate validation
  • Creation of world-readable or world-writeable files
  • Activities which may leak data
  • The use of Sticky Intents
  • Insecurely created Pending Intents
  • Sending of insecure Broadcast Intents
  • Private keys embedded in the source
  • Weak or improper cryptography use
  • Potentially exploitable WebView configurations
  • Exported Preference Activities
  • Tapjacking
  • Apps which enable backups
  • Apps which are debuggable
  • Apps supporting outdated API versions, with known vulnerabilities

When pointing to a possible vulnerability, QARK provides some explanation and a link to a web page with more details on the issue. The tool can create a testable APK and ADB commands that can be issued to show how the vulnerabilities found can be exploited.

In the future, they intend to extend QARK to discover Bound Service and Content Provider  vulnerabilities, issues not related to Java/Android, parsing ODEX files, improved extensibility, dynamic analysis and others.

While QARK can be integrated in the Android tool chain to automatically detect issues, the authors recommend to continue performing manual reviews of applications because there are categories of vulnerabilities not discoverable during static analysis and there are vulnerabilities not yet covered by the tool.

Rate this Article

Adoption Stage

Hello stranger!

You need to Register an InfoQ account or or login to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Tell us what you think

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread
Community comments

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread


Login to InfoQ to interact with what matters most to you.

Recover your password...


Follow your favorite topics and editors

Quick overview of most important highlights in the industry and on the site.


More signal, less noise

Build your own feed by choosing topics you want to read about and editors you want to hear from.


Stay up-to-date

Set up your notifications and don't miss out on content that matters to you