Quark-Engine integration #92

Merged
merged 1 commit into from
Jan 28, 2021
Conversation

pulorsok
Contributor

Quark-Engine integration

Requirements:

  • Python 3.7+
  • Quark-Engine 21.01.3+

Add "Quark Analysis" option

Add "Quark Analysis" as one of the "decode quick pick" items.

Quark is then executed after the Jadx decompilation, and the report appears as a JSON file in the decoded directory.

A warning message pops up when Quark is not installed

When "Quark Analysis" is selected, it will first check whether Quark-Engine has been installed. If not, it will show an error message and exit the process.

Show report as WebView

The summary report of the APK will be shown as a WebView at the bottom panel.

You can also right-click the report file to show the WebView (summary report).

Source Code Navigation

In the WebView (summary report), clicking on the description of a potentially malicious activity opens the exact .smali file in the editor panel and highlights the whole block of the function where the activity is detected.

Note:
Meaning of the colors in the highlighted smali code.

  • Green: the whole block of the function.
  • Yellow: where the native APIs are called.
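The source-code navigation described in this PR, as an added example that is not code from the APKLab extension or from Quark-Engine: it maps one Quark finding to the smali file produced by the decompile step, finds the `.method ... .end method` block (the green highlight) and the lines inside it that invoke the flagged native API (the yellow highlight). It returns one location per calling method, so a finding that occurs in several classes yields several navigation targets. The finding shape (`crime`, `nativeApi`, `callers`) and the `Lpkg/Class;` to `smali/pkg/Class.smali` mapping are assumptions, not the real report schema or the extension's file layout; the smali text at the bottom is constructed. It has no `vscode` import, so it runs under plain Node.

```typescript
// Added example for this PR thread, not code from the APKLab extension or Quark-Engine:
// resolve a Quark finding to the decompiled smali file and compute what the editor would
// highlight (green = whole method block, yellow = lines calling the flagged native API).
// The finding shape and the "Lpkg/Class;" -> "smali/pkg/Class.smali" mapping are
// assumptions; the smali at the bottom is constructed. No `vscode` import, so it runs on Node.

interface NativeApi { class: string; method: string } // e.g. "Landroid/telephony/TelephonyManager;", "getDeviceId"

interface Finding {
  crime: string;          // description shown in the summary report
  nativeApi: NativeApi[]; // APIs whose use triggered the finding
  callers: string[];      // "Lcom/app/Cls;->name(desc)ret" of each method calling them
}

// 1-based, inclusive line numbers relative to `file` in the decoded directory.
interface Highlight { file: string; methodStart: number; methodEnd: number; apiLines: number[] }

// "Lcom/example/app/Reporter;" -> "smali/com/example/app/Reporter.smali"
function smaliPathForClass(descriptor: string): string {
  if (!descriptor.startsWith("L") || !descriptor.endsWith(";")) {
    throw new Error(`not a class descriptor: ${descriptor}`);
  }
  return `smali/${descriptor.slice(1, -1)}.smali`;
}

// Split "Lcom/app/Cls;->name(desc)ret" into class descriptor and method name.
function parseCaller(ref: string): { cls: string; method: string } {
  const m = /^(L[^;]+;)->([^(]+)\(/.exec(ref);
  if (!m) throw new Error(`malformed method reference: ${ref}`);
  return { cls: m[1] as string, method: m[2] as string };
}

// Locate the ".method <modifiers> name(...)" ... ".end method" block defining `methodName`.
function findMethodBlock(smali: string, methodName: string): { start: number; end: number } | null {
  const lines = smali.split("\n");
  for (let i = 0; i < lines.length; i++) {
    const m = /^\.method\s+(?:[\w-]+\s+)*([^\s(]+)\(/.exec(lines[i] ?? "");
    if (!m || m[1] !== methodName) continue;
    for (let j = i + 1; j < lines.length; j++) {
      if ((lines[j] ?? "").startsWith(".end method")) return { start: i + 1, end: j + 1 };
    }
    return null; // unterminated block: report nothing rather than guess a range
  }
  return null;
}

// Lines within [start, end] whose invoke-* instruction targets one of the flagged APIs.
function findApiCallLines(smali: string, start: number, end: number, apis: NativeApi[]): number[] {
  const lines = smali.split("\n");
  const out: number[] = [];
  for (let n = start; n <= end; n++) {
    const line = lines[n - 1] ?? "";
    if (!line.trimStart().startsWith("invoke-")) continue;
    if (apis.some((a) => line.includes(`${a.class}->${a.method}(`))) out.push(n);
  }
  return out;
}

// One highlight per caller present in the decoded output; `readFile` stands in for the
// workspace. Callers whose class or method is missing are skipped, not navigated to.
function locateFinding(finding: Finding, readFile: (path: string) => string | undefined): Highlight[] {
  const hits: Highlight[] = [];
  for (const ref of finding.callers) {
    const { cls, method } = parseCaller(ref);
    const file = smaliPathForClass(cls);
    const text = readFile(file);
    const block = text === undefined ? null : findMethodBlock(text, method);
    if (text === undefined || !block) continue;
    const apiLines = findApiCallLines(text, block.start, block.end, finding.nativeApi);
    hits.push({ file, methodStart: block.start, methodEnd: block.end, apiLines });
  }
  return hits;
}

// Constructed sample input, not real decompiler output.
const SAMPLE_SMALI = [
  ".class public Lcom/example/app/Reporter;",
  ".super Ljava/lang/Object;",
  "",
  ".method public getId()Ljava/lang/String;",
  "    .locals 2",
  "    iget-object v0, p0, Lcom/example/app/Reporter;->tm:Landroid/telephony/TelephonyManager;",
  "    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;",
  "    move-result-object v1",
  "    return-object v1",
  ".end method",
].join("\n");

const SAMPLE_FINDING: Finding = {
  crime: "Retrieve the device identifier",
  nativeApi: [{ class: "Landroid/telephony/TelephonyManager;", method: "getDeviceId" }],
  callers: ["Lcom/example/app/Reporter;->getId()Ljava/lang/String;", "Lcom/example/app/Missing;->run()V"],
};

function demo(): Highlight[] {
  const files: Record<string, string> = { "smali/com/example/app/Reporter.smali": SAMPLE_SMALI };
  return locateFinding(SAMPLE_FINDING, (p) => files[p]);
}

console.log(JSON.stringify(demo()));
```

In an editor the `Highlight` records would be turned into decorations over the method range and the API call lines; here `demo()` returns them so the mapping can be checked on its own. The second caller in the sample points at a class that is not in the decoded tree and is dropped, which is the behaviour a navigation feature wants instead of opening a file that does not exist.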

Member

@Surendrajat Surendrajat left a comment

Hi @pulorsok, thanks for the PR. Looking great overall. I have to say it's better than what I had in my mind :)
Just adding small comments here and there.

Review comments (now resolved) on: src/quark-tools.ts (5), src/extension.ts
@Surendrajat Surendrajat linked an issue Jan 20, 2021 that may be closed by this pull request
Member

@amsharma44 amsharma44 left a comment

Thanks for the PR @pulorsok. Awesome work, just a minor concern I have.

Review comment (resolved) on: package.json
@pulorsok
Contributor Author

@Surendrajat @amsharma44
Thank you for the comments, I will fix these issues ASAP.

And there is still some work I will do afterwards.

  • Prettier quark report style on WebView:
    I will make the report WebView prettier and more readable.

  • Quark unit test:
    The unit test will be finished next week.

  • Same malicious activity in multiple smali files:
    Sometimes the same malicious activity is detected in several smali files.
    However, source code navigation opens only one file to show where the activity is.
    I will figure out a way to fix this issue (maybe add a hover to let the user choose which file to open).

Review comment (resolved) on: src/quark-tools.ts
@Surendrajat
Member

Surendrajat commented Jan 25, 2021

@pulorsok please rebase this PR on master.

@pulorsok
Contributor Author

Hi @Surendrajat,
I fixed the problem you mentioned and added a unit test for quark analysis.
I also improved the WebView quark report to get a better UI.
Now it can display multiple functions where the activity is located.

Clicking on the description of the potentially malicious activity expands it and shows the details of the function (green box), including the class name, method name and smali code that executes the API.
Clicking on the green box navigates to the source code file.

@Surendrajat
Member

Surendrajat commented Jan 25, 2021

@pulorsok Thanks for the update. Please check the recent changes on the quark side as well. They will require some adjustments in this PR.

Member

@Surendrajat Surendrajat left a comment

@pulorsok Leaving some comments here. Mostly related to new quark-engine changes.

Review comments (now resolved) on: src/common.ts, src/quark-tools.ts (5), src/quark_html.ts, src/test/suite/extension.test.ts
@Surendrajat
Member

@pulorsok could you please rebase it once again? It seems there are some conflicts with master again.

@Surendrajat
Member

Surendrajat commented Jan 26, 2021

@pulorsok I tested the changes, and it seems we are almost there :)

There are a few things that need further changes:

  1. The https://github.com/Surendrajat/apklab-testdata submodule needs an update to fix the tests.
  2. The resulting WebView needs some tweaks. See this:
(attached video: quark-ext.mp4)

My concerns here are:

  • The WebView opens in the upper half and not in the lower half, which is not intuitive (maybe open it in full).
  • The space between POTENTIAL MALICIOUS ACTIVITIES and CONFIDENCE is a lot.
  • The WebView expands out of the TextEditor view (either because of the long method signature or the space mentioned above).

@Surendrajat
Member

Surendrajat commented Jan 27, 2021

@pulorsok I've added the missing step to the GitHub workflow to install quark-engine before the tests. Please pull the changes and rebase on master once. Maybe it will fix the tests.

Member

@Surendrajat Surendrajat left a comment

@pulorsok Great job!
Looks good overall. I'm planning to move the docs to a proper repo, so we can add more .gifs and a guide there.
Thanks again for your contribution. Thanks, @krnick, for promptly handling issues with integration and @18z, for reaching out to me :D

@Surendrajat Surendrajat merged commit b26a3c5 into APKLab:master Jan 28, 2021
@Surendrajat Surendrajat mentioned this pull request Feb 5, 2021
Successfully merging this pull request may close these issues.

Add quark engine as one of the analyzer.
3 participants