This lab will cover the entire process of reviewing Android applications from the basics to newer, lesser known vulnerabilities. So, if you’re new to testing Android apps, or are a developer looking to ensure you don’t fall victim to common mistakes, this presentation is for you.
After a few years of trying to protect Android applications, developing a solid security testing methodology for apps and finding myself repeating the same checks over and over, I decided to automate the process as much as possible. From my laziness, QARK was born.
This session introduces a new tool, QARK, designed to work for both blue and red teams, internal developers and security folks as well as penetration testers and researchers. Essentially, it is Android-specific SCA on a budget, for every organization. QARK is a tool to review mobile applications for common vulnerabilities, in common components, such as Receivers, Intents, WebViews, Content Providers and so on.
Part of QARK’s appeal is that it not only finds bugs but also provides clear explanations, along with references, exploit steps and even version-specific, customized exploit code examples for each application. All of this is intended to make the process as simple as possible for the user and to let the tool serve as a teaching aid as well.
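To make concrete the kind of check the abstract refers to, here is an added example (written for this page, not QARK's own code) of the simplest manifest review a tool like this automates: parsing an `AndroidManifest.xml` and listing components that other apps can reach (exported, either explicitly or implicitly via an intent-filter) but that no `android:permission` guards. The manifest string, the package name and the component names are constructed for the illustration; the provider default-export rule is simplified to modern `targetSdkVersion` behaviour, as noted in the comments.

```python
"""Exported-component check over an AndroidManifest.xml (added illustration, not QARK code)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def find_exported_components(manifest_xml: str):
    """Return (tag, name, reason) for every component reachable from other apps
    that declares no android:permission. A reviewer still triages each hit: a
    launcher activity is legitimately exported, an unguarded reset receiver is not."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    findings = []
    if app is None:
        return findings
    for comp in app:
        if comp.tag not in COMPONENT_TAGS:
            continue
        name = _attr(comp, "name")
        exported = _attr(comp, "exported")
        permission = _attr(comp, "permission")
        has_filter = comp.find("intent-filter") is not None
        if exported is None:
            # Platform default: a component with an intent-filter is exported unless
            # android:exported="false". (Providers were also exported by default on
            # targetSdkVersion < 17; this check assumes a modern targetSdkVersion.)
            is_exported = has_filter
            reason = "implicitly exported via intent-filter"
        else:
            is_exported = exported.lower() == "true"
            reason = 'android:exported="true"'
        if is_exported and permission is None:
            findings.append((comp.tag, name, reason))
    return findings


# Constructed sample manifest: one implicitly exported activity, one explicitly
# exported receiver with no permission, one guarded receiver, one private service,
# and one explicitly exported provider.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".ResetReceiver" android:exported="true"/>
    <receiver android:name=".GuardedReceiver" android:exported="true"
              android:permission="com.example.demo.RESET"/>
    <service android:name=".SyncService" android:exported="false"/>
    <provider android:name=".DataProvider"
              android:authorities="com.example.demo.data"
              android:exported="true"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for tag, name, reason in find_exported_components(SAMPLE_MANIFEST):
        print(f"{tag:<9} {name:<18} {reason}")
```

Run as a script it prints three hits (`.MainActivity`, `.ResetReceiver`, `.DataProvider`); the guarded receiver and the non-exported service are not reported. The fix for a genuine finding is the same one a tool would suggest: set `android:exported="false"` if the component is only used inside the app, or attach an `android:permission` with an appropriate protection level if other apps legitimately need it.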