QARK – a tool for quickly finding vulnerabilities in Android apps
Author: admin | Date: 2016-1-31 16:00:31 | Category: Hacker tools
Project home page:
https://github.com/linkedin/qark
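Project overview:
QARK is an Android vulnerability testing tool written in Python. It can run its tests without an Android device, and its purpose is to find security-related vulnerabilities in Android applications, whether in source code or in packaged applications.
Supported vulnerabilities: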
- Inadvertently exported components
- Improperly protected exported components
- Intents which are vulnerable to interception or eavesdropping
- Improper x.509 certificate validation
- Creation of world-readable or world-writeable files
- Activities which may leak data
- The use of Sticky Intents
- Insecurely created Pending Intents
- Sending of insecure Broadcast Intents
- Private keys embedded in the source
- Weak or improper cryptography use
- Potentially exploitable WebView configurations
- Exported Preference Activities
- Tapjacking
- Apps which enable backups
- Apps which are debuggable
- Apps supporting outdated API versions, with known vulnerabilities
Usage:
It offers two modes of operation:
1. Interactive mode: run the command directly and enter the relevant parameters as prompted to run the test.
python qark.py
2. Manual mode
Set the required parameters on the command line and start the test directly:
$ python qark.py --source 1 --pathtoapk /Users/foo/qark/sampleApps/goatdroid/goatdroid.apk --exploit 1 --install 1
or
$ python qark.py --source 2 -c /Users/foo/qark/sampleApps/goatdroid/goatdroid --manifest /Users/foo/qark/sampleApps/goatdroid/goatdroid/AndroidManifest.xml --exploit 1 --install 1
Output: