QARK Cheatsheet
Overview
QARK (Quick Android Review Kit) is a static analysis tool that looks for several security-related Android application vulnerabilities, either in source code or in packaged APKs.
Installation
Prerequisites
bash
# Install Python 3.6+
sudo apt update
sudo apt install python3 python3-pip
# Install Java 8+
sudo apt install openjdk-8-jdk
# Install Android SDK (optional but recommended)
Install QARK
bash
# Install from PyPI
pip3 install qark
# Or install from source
git clone https://github.com/linkedin/qark.git
cd qark
pip3 install -e .
Basic Usage
Analyze APK File
bash
# Basic APK analysis
qark --apk /path/to/app.apk
# Analyze with custom output directory
qark --apk /path/to/app.apk --output-dir /path/to/output
# Generate detailed report
qark --apk /path/to/app.apk --report-type html
Analyze Source Code
bash
# Analyze Android source code
qark --source /path/to/android/project
# Analyze specific Java files
qark --java /path/to/java/files
# Analyze with custom rules
qark --source /path/to/project --custom-rules /path/to/rules.json
Command Line Options
Basic Options
bash
# Show help
qark --help
# Show version
qark --version
# Verbose output
qark --apk app.apk --verbose
# Quiet mode
qark --apk app.apk --quiet
Analysis Options
bash
# Skip specific checks
qark --apk app.apk --skip-checks "check1,check2"
# Include only specific checks
qark --apk app.apk --include-checks "check1,check2"
# Set minimum severity level
qark --apk app.apk --min-severity medium
# Enable experimental features
qark --apk app.apk --experimental
Output Options
bash
# Generate HTML report
qark --apk app.apk --report-type html
# Generate JSON report
qark --apk app.apk --report-type json
# Generate XML report
qark --apk app.apk --report-type xml
# Custom output file
qark --apk app.apk --output-file report.html
Security Checks
Common Vulnerabilities Detected
SSL/TLS Issues
- Weak SSL/TLS configurations
- Certificate validation bypasses
- Insecure hostname verification
Data Storage Issues
- Insecure data storage
- Unencrypted databases
- Sensitive data in logs
Authentication Issues
- Weak authentication mechanisms
- Hardcoded credentials
- Insecure session management
Communication Issues
- Unencrypted communications
- Weak cryptographic implementations
- Insecure network protocols
Custom Rules
json
{
"rules": [
{
"id": "custom_rule_1",
"name": "Custom Security Check",
"description": "Checks for custom security issue",
"severity": "high",
"pattern": "regex_pattern_here"
}
]
}
Advanced Usage
Batch Analysis
bash
# Analyze multiple APKs
for apk in *.apk; do
qark --apk "$apk" --output-dir "results_$(basename "$apk" .apk)"
done
# Parallel analysis (NUL-delimited so APK paths containing spaces are handled)
find . -name "*.apk" -print0 | xargs -0 -P 4 -I {} qark --apk {}
Integration with CI/CD
bash
# Jenkins pipeline example
qark --apk app.apk --report-type json --output-file qark_report.json
if [ $? -eq 0 ]; then
echo "QARK analysis completed successfully"
else
echo "QARK analysis failed"
exit 1
fi
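As written, the check above reports whether the analysis completed; a pipeline usually also needs to fail when the report contains serious findings. The following is an added example, not part of QARK or of the original cheatsheet: it assumes the JSON report is a list of findings with `name`, `severity` and `file` keys and uses the severity names from this cheatsheet, so check those field names against a real report. The script name `qark_gate.py` is hypothetical.

```python
import json
import sys

# Severity names as listed in this cheatsheet, lowest to highest.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample report. ASSUMPTION: the JSON report is a list of findings
# with "name", "severity" and "file" keys; check a real report before use.
SAMPLE_REPORT = """[
  {"name": "Verbose logging", "severity": "info", "file": "MainActivity.java"},
  {"name": "Hardcoded credentials", "severity": "high", "file": "ApiClient.java"},
  {"name": "Certificate validation disabled", "severity": "critical", "file": "Net.java"},
  {"name": "Unencrypted database", "severity": "High", "file": "Store.java"},
  {"name": "Unclassified finding", "severity": "unknown", "file": "Legacy.java"}
]"""


def blocking_findings(report_text, threshold="high", baseline=()):
    """Return findings at or above `threshold` that are not in `baseline`.

    `baseline` holds (name, file) pairs that were already triaged and accepted.
    """
    findings = json.loads(report_text)
    if not isinstance(findings, list):
        raise ValueError("expected a JSON list of findings")
    floor = SEVERITY_RANK[threshold]
    accepted = set(baseline)
    blocking = []
    for finding in findings:
        severity = str(finding.get("severity", "")).lower()
        # Fail closed: an unrecognised severity ranks as the highest level.
        rank = SEVERITY_RANK.get(severity, max(SEVERITY_RANK.values()))
        if rank >= floor and (finding.get("name"), finding.get("file")) not in accepted:
            blocking.append(finding)
    return blocking


def main(argv):
    # Usage (hypothetical script name): python3 qark_gate.py qark_report.json [threshold]
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    threshold = argv[2] if len(argv) > 2 else "high"
    blocking = blocking_findings(text, threshold)
    for finding in blocking:
        print(f"BLOCKING [{finding.get('severity')}] {finding.get('name')} ({finding.get('file')})")
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it after the scan step and use its exit status as the build result; pass accepted `(name, file)` pairs as `baseline` to keep triaged findings from blocking every build.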
Filtering Results
bash
# Filter by severity
qark --apk app.apk --min-severity high
# Filter by category
qark --apk app.apk --include-checks "ssl,crypto,storage"
# Exclude false positives
qark --apk app.apk --exclude-patterns "test,debug"
Report Analysis
Understanding Severity Levels
- Critical: Immediate security risk
- High: Significant security risk
- Medium: Moderate security risk
- Low: Minor security concern
- Info: Informational finding
Common Issues and Fixes
SSL Certificate Validation
- Issue: Disabled certificate validation
- Fix: Implement proper certificate validation
Hardcoded Secrets
- Issue: API keys in source code
- Fix: Use secure configuration management
Insecure Data Storage
- Issue: Unencrypted sensitive data
- Fix: Implement proper encryption
Configuration
Configuration File
json
{
"output_dir": "./qark_output",
"report_type": "html",
"min_severity": "medium",
"skip_checks": [],
"include_checks": [],
"custom_rules": "./custom_rules.json"
}
Environment Variables
bash
# Set QARK configuration
export QARK_CONFIG=/path/to/config.json
# Set Android SDK path
export ANDROID_HOME=/path/to/android/sdk
# Set Java home
export JAVA_HOME=/path/to/java
Troubleshooting
Common Issues
bash
# Java not found
export JAVA_HOME=/usr/lib/jvm/java-8-openjdk-amd64
# Android SDK issues
export ANDROID_HOME=/path/to/android/sdk
export PATH="$PATH:$ANDROID_HOME/tools:$ANDROID_HOME/platform-tools"
# Permission issues
chmod +x qark
sudo chown -R "$USER:$USER" ~/.qark
Debug Mode
bash
# Enable debug logging
qark --apk app.apk --debug
# Verbose output with stack traces
qark --apk app.apk --verbose --debug
Best Practices
Security Testing Workflow
bash
# 1. Static analysis with QARK
qark --apk app.apk --report-type html
# 2. Review findings and prioritize fixes
# 3. Dynamic testing with other tools
# 4. Re-test after fixes
qark --apk fixed_app.apk --compare baseline_report.json
Integration Tips
bash
# Automate with scripts (save as its own file; the shebang must be the first line)
#!/bin/bash
APK_FILE="$1"
OUTPUT_DIR="qark_$(date +%Y%m%d_%H%M%S)"
qark --apk "$APK_FILE" --output-dir "$OUTPUT_DIR" --report-type html
echo "Report generated in $OUTPUT_DIR"
# Use with other security tools
# (mobsf_scan and drozer_scan are placeholder names for your own wrapper scripts)
qark --apk app.apk && \
mobsf_scan app.apk && \
drozer_scan app.apk
Resources
- Official Documentation: QARK GitHub
- Security Guidelines: OWASP Mobile Security
- Android Security: Android Security Best Practices