Appshark is a static taint analysis platform to scan vulnerabilities in an Android app.
Appshark requires a specific version of JDK — JDK 11.
After testing, it does not work on other LTS versions, JDK 8 and JDK 16, due to the dependency compatibility issue.
APPShark Features:
- JSON-based custom scanning rules to discover security vulnerabilities and privacy compliance issues you care about
- Flexible configuration, you can seek a balance between accuracy and scanning time and space
- Support custom extension rules, and conduct customized analysis according to your own business needs
apk file preprocessing
It is mainly to extract the basic information in the app, such as exporting components, manifest parsing, and discovering some common vulnerabilities in manifest. One of the most important tasks here is to use jadx to decompile the apk, and the generated java source code will be Shown in the final vulnerability details.
Code preprocessing
There are three main functions of code preprocessing:
- Generate SSA
- Generate basic call graph
- Patch various instructions according to the configuration, such as callback injection.
Building/Compiling AppShark
We assume that you are working in the root directory of the project repo. You can build the whole project with the gradle tool.
$ ./gradlew build -x test
After executing the above command, you will see an artifact file AppShark-0.1.1-all.jar in the directory build/libs.
Running AppShark
Like the previous step, we assume that you are still in the root folder of the project. You can run the tool with
$ java -jar build/libs/AppShark-0.1.1-all.jar config/config.json5
The config.json5 has the following configuration contents.
{
"apkPath": "/Users/apks/app1.apk",
"out": "out",
"rules": "unZipSlip.json",
"maxPointerAnalyzeTime": 600
}Each JSON field is explained below.
- apkPath: the path of the apk file to analyze
- out: the path of the output directory
- rules: the path(s) of the rule file(s), can be more than 1 rules
- maxPointerAnalyzeTime: the timeout duration in seconds set for the analysis started from an entry point
- debugRule: specify the rule name that enables logging for debugging
If you provide a configuration JSON file which sets the output path as out in the project root directory, you will find the result file out/results.json after running the analysis.
Interpreting the Results
Below is an example of the results.json.
{
“AppInfo”: {
“AppName”: “test”,
“PackageName”: “net.bytedance.security.app”,
“min_sdk”: 17,
“target_sdk”: 28,
“versionCode”: 1000,
“versionName”: “1.0.0”
},
“SecurityInfo”: {
“FileRisk”: {
“unZipSlip”: {
“category”: “FileRisk”,
“detail”: “”,
“model”: “2”,
“name”: “unZipSlip”,
“possibility”: “4”,
“vulners”: [
{
“details”: {
“position”: “<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void UnZipFolderFix1(java.lang.String,java.lang.String)>”,
“Sink”: “<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void UnZipFolderFix1(java.lang.String,java.lang.String)>->$r31”,
“entryMethod”: “<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void f()>”,
“Source”: “<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void UnZipFolderFix1(java.lang.String,java.lang.String)>->$r3”,
“url”: “/Volumes/dev/zijie/appshark-opensource/out/vuln/1-unZipSlip.html”,
“target”: [
“<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void UnZipFolderFix1(java.lang.String,java.lang.String)>->$r3”,
“pf{obj{<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void UnZipFolderFix1(java.lang.String,java.lang.String)>:35=>java.lang.StringBuilder}(unknown)->@data}”,
“<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void UnZipFolderFix1(java.lang.String,java.lang.String)>->$r11”,
“<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void UnZipFolderFix1(java.lang.String,java.lang.String)>->$r31”
]
},
“hash”: “ec57a2a3190677ffe78a0c8aaf58ba5aee4d2247”,
“possibility”: “4”
},
{
“details”: {
“position”: “<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void UnZipFolder(java.lang.String,java.lang.String)>”,
“Sink”: “<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void UnZipFolder(java.lang.String,java.lang.String)>->$r34”,
“entryMethod”: “<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void f()>”,
“Source”: “<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void UnZipFolder(java.lang.String,java.lang.String)>->$r3”,
“url”: “/Volumes/dev/zijie/appshark-opensource/out/vuln/2-unZipSlip.html”,
“target”: [
“<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void UnZipFolder(java.lang.String,java.lang.String)>->$r3”,
“pf{obj{<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void UnZipFolder(java.lang.String,java.lang.String)>:33=>java.lang.StringBuilder}(unknown)->@data}”,
“<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void UnZipFolder(java.lang.String,java.lang.String)>->$r14”,
“<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void UnZipFolder(java.lang.String,java.lang.String)>->$r34”
]
},
“hash”: “26c6d6ee704c59949cfef78350a1d9aef04c29ad”,
“possibility”: “4”
}
],
“wiki”: “”,
“deobfApk”: “/Volumes/dev/zijie/appshark-opensource/app.apk”
}
}
},
“DeepLinkInfo”: {
},
“HTTP_API”: [
],
“JsBridgeInfo”: [
],
“BasicInfo”: {
“ComponentsInfo”: {
},
“JSNativeInterface”: [
]
},
“UsePermissions”: [
],
“DefinePermissions”: {
},
“Profile”: “/Volumes/dev/zijie/appshark-opensource/out/vuln/3-profiler.json”
}
