Abstract
Ever wonder why there isn’t a Metasploit-style framework for Android apps? We did!
Whether you’re a developer trying to keep your insecure app from winding up on user devices, an Android n00b or a pentester trying to pwn all the things, QARK is just what you’ve been looking for!
This tool combines static code analysis, source-sink mapping, teaching (each misconfiguration is explained, with the research behind it cited) and automatic exploitation in one simple-to-use application!
Our tool will review any Android app, either from source or from an APK, highlight version-specific issues, detail your app’s attack surface, inspect all of your app components for misconfigurations and let you create on-demand proof-of-concept attack applications.
AI Generated Summary
QARK is an open-source static code analysis and attack framework designed for auditing and exploiting Android applications. It was developed to address gaps in existing tools and to provide a free, accessible solution for improving Android security, particularly for resource-constrained developers and small teams.
The tool automates the entire analysis workflow for an Android application package (APK). It extracts the APK from a device or file, parses the AndroidManifest.xml to identify application components (activities, services, providers, receivers) and their exported status, and then decompiles the Dalvik bytecode (classes.dex) into Java source code. A key technical innovation is its use of multiple decompilers in parallel, which significantly improves the recovery of corrupted or incomplete decompilation results, reportedly restoring 85% of otherwise unreadable files.
QARK performs taint analysis by mapping data entry points (sources) such as intents, IPC mechanisms, network requests, and WebView content to sensitive operations (sinks) like file access, telephony functions, or privileged API calls. It includes version-specific checks for Android platform quirks and incorporates a library of HTML proof-of-concepts to test for WebView vulnerabilities like same-origin policy bypasses. The analysis generates color-coded results, detailing the specific intent extras or conditions required to exploit a finding, bridging the gap between detection and practical exploitation.
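The manifest parsing and version-specific checks described above, as an added illustration that is not QARK's own code: a small audit that resolves each component's effective exported status from a constructed sample AndroidManifest.xml, applying the platform defaults (an intent-filter implies exported; a content provider is exported by default when targetSdkVersion is below 17) and flagging components that any app on the device can reach without holding a permission.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # the android: attribute namespace
COMPONENTS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest (not from any real app). targetSdkVersion is 16,
# so the <provider> with no android:exported attribute is exported by default.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <uses-sdk android:minSdkVersion="14" android:targetSdkVersion="16"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="false"/>
    <receiver android:name=".BootReceiver" android:exported="true"
              android:permission="com.example.demo.PERM"/>
    <provider android:name=".DataProvider" android:authorities="com.example.demo.data"/>
  </application>
</manifest>"""

def is_exported(elem, target_sdk):
    """Effective exported status: an explicit android:exported wins; otherwise a
    component with an <intent-filter> is exported, and a <provider> is exported
    by default when targetSdkVersion < 17."""
    explicit = elem.get(A + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if elem.tag == "provider":
        return target_sdk < 17
    return elem.find("intent-filter") is not None

def audit_manifest(xml_text):
    """Return (tag, name, exported, permission) for every component in the manifest."""
    root = ET.fromstring(xml_text)
    sdk = root.find("uses-sdk")
    # targetSdkVersion falls back to minSdkVersion, and to 1 if neither is declared
    target_sdk = int(sdk.get(A + "targetSdkVersion", sdk.get(A + "minSdkVersion", "1"))) if sdk is not None else 1
    return [(e.tag, e.get(A + "name"), is_exported(e, target_sdk), e.get(A + "permission"))
            for e in root.find("application") if e.tag in COMPONENTS]

def unprotected_exports(xml_text):
    """Components any app on the device can reach: exported and guarded by no permission."""
    return [name for tag, name, exported, perm in audit_manifest(xml_text)
            if exported and perm is None]

if __name__ == "__main__":
    for row in audit_manifest(SAMPLE_MANIFEST):
        print(row)
```

Raising targetSdkVersion to 17 in the sample removes the provider from the unprotected list, which is exactly the kind of version-dependent finding the text refers to.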
Practical implications include providing an authoritative, automated resource for identifying common and complex Android vulnerabilities without commercial cost or complex setup. By open-sourcing the tool, the project aims to raise the baseline security for all Android applications, encourage community contributions, and ultimately reduce the attack surface posed by vulnerable apps in a fragmented ecosystem where timely updates are not guaranteed. The framework serves both as a penetration testing accelerator and an educational resource for developers learning secure Android coding practices.