@JerryTasi (Contributor)

Detect CWE-338 in Android Application

This scenario seeks to find the use of a cryptographically weak pseudo-random number generator (PRNG).

CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

We analyze the definition of CWE-338 and identify its characteristics.

See CWE-338 for more details.


Code of CWE-338 in pivaa.apk

We use the pivaa.apk sample to explain the vulnerability code of CWE-338.


CWE-338 Detection Process Using Quark Script API


First, we design a detection rule useMethodOfPRNG.json to spot behavior that uses a Pseudo Random Number Generator (PRNG). Then, we use the API methodInstance.getXrefFrom() to get the caller method of the PRNG. Finally, we use some keywords such as "token", "password", and "encrypt" to check if the PRNG is used for credentials.

Quark Script CWE-338.py


from quark.script import runQuarkAnalysis, Rule

SAMPLE_PATH = "pivaa.apk"
RULE_PATH = "useMethodOfPRNG.json"

CREDENTIAL_KEYWORDS = [
    "token", "password", "account", "encrypt",
    "authentication", "authorization", "id", "key"
]

ruleInstance = Rule(RULE_PATH)
quarkResult = runQuarkAnalysis(SAMPLE_PATH, ruleInstance)

for usePRNGMethod in quarkResult.behaviorOccurList:
    for prngCaller in usePRNGMethod.methodCaller.getXrefFrom():
        if any(
            keyword in prngCaller.fullName for keyword in CREDENTIAL_KEYWORDS
        ):
            print("CWE-338 is detected in %s" % prngCaller.fullName)

Quark Rule: useMethodOfPRNG.json


{
    "crime": "Use method of PRNG",
    "permission": [],
    "api": [
        {
            "class": "Ljava/util/Random;",
            "method": "<init>",
            "descriptor": "()V"
        },
        {
            "class": "Ljava/util/Random;",
            "method": "nextInt",
            "descriptor": "(I)I"
        }
    ],
    "score": 1,
    "label": []
}

Quark Script Result

$ python CWE-338.py
CWE-338 is detected in Lcom/htbridge/pivaa/EncryptionActivity$2; onClick (Landroid/view/View;)V

Detect CWE-489 in Android Application

This scenario seeks to find active debug code.

CWE-489: Active Debug Code

We analyze the definition of CWE-489 and identify its characteristics.

See CWE-489 for more details.


Code of CWE-489 in allsafe.apk

We use the allsafe.apk sample to explain the vulnerability code of CWE-489.


CWE-489 Detection Process Using Quark Script API


First, we use the Quark API getApplication(samplePath) to get the application element in the manifest file. Then we use applicationInstance.isDebuggable() to check if the application element sets the attribute android:debuggable to true. If yes, that causes a CWE-489 vulnerability.

Quark Script CWE-489.py


from quark.script import getApplication

SAMPLE_PATH = "allsafe.apk"

if getApplication(SAMPLE_PATH).isDebuggable():
    print(f"CWE-489 is detected in {SAMPLE_PATH}.")

Quark Script Result

$ python3 CWE-489.py
CWE-489 is detected in allsafe.apk.

Detect CWE-532 in Android Application

This scenario seeks to find insertion of sensitive information into a log file in the APK file.

CWE-532: Insertion of Sensitive Information into Log File

We analyze the definition of CWE-532 and identify its characteristics.

See CWE-532 for more details.


Code of CWE-532 in dvba.apk

We use the dvba.apk sample to explain the vulnerability code of CWE-532.


CWE-532 Detection Process Using Quark Script API


Let's use the above APIs to show how the Quark script finds this vulnerability.

First, we use the API findMethodInAPK(samplePath, targetMethod) to locate the Log.d method. Then we use the API methodInstance.getArguments() to get the arguments that are input to Log.d. Finally, we use some keywords such as "token", "password", and "decrypt" to check if the arguments include sensitive data. If the answer is YES, that may cause sensitive data leakage into the log file.

You can use your own keywords in the keywords list to detect sensitive data.

Quark Script: CWE-532.py


from quark.script import findMethodInAPK

SAMPLE_PATH = "dvba.apk"
TARGET_METHOD = [
    "Landroid/util/Log;",                       # class name
    "d",                                        # method name
    "(Ljava/lang/String; Ljava/lang/String;)I"  # descriptor
]
CREDENTIAL_KEYWORDS = [
    "token",
    "decrypt",
    "password"
]

methodsFound = findMethodInAPK(SAMPLE_PATH, TARGET_METHOD)

for debugLogger in methodsFound:
    arguments = debugLogger.getArguments()

    for keyword in CREDENTIAL_KEYWORDS:
        if keyword in arguments[1]:
            print(f"CWE-532 is detected in method, {debugLogger.fullName}")

Quark Script Result

$ python CWE-532.py
CWE-532 is detected in method, Lcom/google/firebase/auth/FirebaseAuth; d (Lc/c/b/h/o;)V
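
The following stand-alone Python is an added example, not code from the Quark project or from this PR. It models the matching steps behind the three scripts above so they can be run and reasoned about without an APK: the keyword test the CWE-338 and CWE-532 scripts apply to method fullName strings and Log.d arguments, and the android:debuggable test behind CWE-489, here performed on a decoded text AndroidManifest.xml rather than on the binary manifest inside the APK (which Quark decodes for you). The keyword lists and the caller printed in the CWE-338 Quark Script Result are taken from the page; every other method name, the Log.d argument list and both manifest snippets are constructed, and token_hits, log_argument_hits and is_debuggable are this example's own helpers, not Quark API. Running it shows two things worth knowing when tuning the keyword lists: a plain substring test is case-sensitive, so "encrypt" never matches "EncryptionActivity", and the two-letter keyword "id" matches any signature that mentions an Android framework type ("Landroid/..."), which is what fires on the reported caller.

```python
"""Added example (not Quark project code): pure-Python models of the checks in the
CWE-338, CWE-532 and CWE-489 scripts above, runnable without an APK or Quark."""
import re
import xml.etree.ElementTree as ET

# Keyword lists copied from the two scripts above.
CREDENTIAL_KEYWORDS = [
    "token", "password", "account", "encrypt",
    "authentication", "authorization", "id", "key",
]
LOG_KEYWORDS = ["token", "decrypt", "password"]

# A Dalvik method fullName as Quark prints it: "Lpkg/Class; method (Largs;)Ret"
FULLNAME_RE = re.compile(r"^(L[^;]+;)\s+(\S+)\s+(\(.*\).*)$")
# Identifier tokens: runs of letters split at camelCase boundaries, plus digits;
# the '/', '$' and '_' separators drop out because they match nothing.
TOKEN_RE = re.compile(r"[A-Z]+(?=[A-Z][a-z])|[A-Z]?[a-z]+|[A-Z]+|\d+")


def parse_fullname(fullname):
    """Split 'Lcom/a/B; m (Lx;)V' into (class descriptor, method name, descriptor)."""
    match = FULLNAME_RE.match(fullname)
    if not match:
        raise ValueError(f"not a Dalvik method fullName: {fullname!r}")
    return match.groups()


def tokens(identifier):
    return [t.lower() for t in TOKEN_RE.findall(identifier)]


def substring_hits(fullname, keywords=CREDENTIAL_KEYWORDS):
    """The test the CWE-338 script performs: a case-sensitive substring search
    over the whole fullName, parameter types included."""
    return [k for k in keywords if k in fullname]


def token_hits(fullname, keywords=CREDENTIAL_KEYWORDS):
    """Token-aware variant (this example's own): search only the declaring class
    path and the method name, case-insensitively, and count a keyword only when it
    is a whole token or a token prefix ('encrypt' -> 'Encryption')."""
    cls, method, _descriptor = parse_fullname(fullname)
    toks = tokens(cls[1:-1]) + tokens(method)   # strip the 'L' ... ';' wrapper
    return [k for k in keywords if any(t == k or t.startswith(k) for t in toks)]


def log_argument_hits(arguments, keywords=LOG_KEYWORDS):
    """CWE-532 model: Log.d(tag, msg) carries the message at index 1, as the
    script above assumes; the match is made case-insensitive here."""
    message = str(arguments[1]).lower()
    return [k for k in keywords if k in message]


ANDROID_NS = "http://schemas.android.com/apk/res/android"


def is_debuggable(manifest_xml):
    """CWE-489 model on a decoded (text) AndroidManifest.xml: android:debuggable
    on <application> defaults to false when the attribute is absent."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return False
    return app.get(f"{{{ANDROID_NS}}}debuggable", "false").strip().lower() == "true"


# The caller reported in the CWE-338 Quark Script Result above, then constructed ones.
# In PAGE_CALLER the substring "id" occurs in "htbridge" and in "Landroid/view/View;".
PAGE_CALLER = "Lcom/htbridge/pivaa/EncryptionActivity$2; onClick (Landroid/view/View;)V"
FRAMEWORK_ONLY_CALLER = "Lcom/example/app/MainActivity; onCreate (Landroid/os/Bundle;)V"
TOKEN_CALLER = "Lcom/example/app/SessionManager; generateAuthToken ()Ljava/lang/String;"
LOG_ARGS = ["LoginActivity", "User password is: hunter2"]   # constructed Log.d arguments

DEBUG_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application android:label="demo" android:debuggable="true"/>
</manifest>"""
RELEASE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application android:label="demo"/>
</manifest>"""

if __name__ == "__main__":
    for caller in (PAGE_CALLER, FRAMEWORK_ONLY_CALLER, TOKEN_CALLER):
        print(f"{caller}\n  substring: {substring_hits(caller)}  tokens: {token_hits(caller)}")
    print("Log.d message hits:", log_argument_hits(LOG_ARGS))
    print("debug manifest debuggable:", is_debuggable(DEBUG_MANIFEST))
    print("release manifest debuggable:", is_debuggable(RELEASE_MANIFEST))
```

The substring column flags PAGE_CALLER and the constructed MainActivity caller on "id" alone and misses the constructed generateAuthToken caller because "Token" is capitalised, while the token column flags only the two callers whose own class or method names carry a credential word. Restricting the search to the app's own identifiers and lowercasing before matching is the cheapest way to cut that noise when the keyword list is extended as the CWE-532 section suggests.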

@zinwang zinwang self-requested a review August 14, 2025 07:06
@zinwang (Collaborator) left a comment

LGTM!

@zinwang (Collaborator) commented Aug 14, 2025

Refer to #64

@zinwang zinwang merged commit 6cd00f4 into ev-flow:main Aug 14, 2025
1 check passed
@JerryTasi JerryTasi deleted the JerryTasi-CWE-338-489-532 branch August 21, 2025 05:36