Add quark script to detect cwe 489

[zinwang]

Detect CWE-489 in Android Application (allsafe.apk, AndroGoat.apk, pivaa.apk)

This scenario seeks to find active debug code in the APK file. See CWE-489 for more details.

Let’s use allsafe.apk, AndroGoat.apk, pivaa.apk, and the above APIs to show how the Quark script finds this vulnerability.

First, we use Quark API getApplication to get the application element in the manifest file. Then we use applicationInstance.isDebuggable to check if the application element sets the attribute android:debuggable to true. If Yes, that causes CWE-489 vulnerabilities.

API Spec

getApplication(samplePath)

• Description: Get the application element from the manifest file of the target sample.
• params:
  1. samplePath: the file path of the target sample
• return: the application element of the target sample

applicationInstance.isDebuggable(none)

• Description: Check if the application element sets android:debuggable=true.
• params: none
• return: True/False

Quark Script CWE-489.py

The Quark Script below uses allsafe.apk to demonstrate. You can change the SAMPLE_PATH to the sample you want to detect. For example, SAMPLE_PATH = AndroGoat.apk or SAMPLE_PATH = pivaa.apk.

from quark.script import getApplication

SAMPLE_PATH = "allsafe.apk"

if getApplication(SAMPLE_PATH).isDebuggable():
    print(f"CWE-489 is detected in {SAMPLE_PATH}.")

Quark Script Result

• allsafe.apk

$ python3 CWE-489.py
CWE-489 is detected in allsafe.apk

• AndroGoat.apk

$ python3 CWE-489.py
CWE-489 is detected in AndroGoat.apk

• pivaa.apk

$ python3 CWE-489.py
CWE-489 is detected in pivaa.apk

[codecov-commenter]

Codecov Report

Base: 78.56% // Head: 78.72% // Increases project coverage by +0.15% 🎉

Coverage data is based on head (2629289) compared to base (6d8c0f6).
Patch coverage: 94.00% of modified lines in pull request are covered.

Additional details and impacted files

@@            Coverage Diff             @@
##           master     #458      +/-   ##
==========================================
+ Coverage   78.56%   78.72%   +0.15%     
==========================================
  Files          63       63              
  Lines        4792     4842      +50     
==========================================
+ Hits         3765     3812      +47     
- Misses       1027     1030       +3     

Flag	Coverage Δ
unittests	78.72% <94.00%> (+0.15%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
quark/core/interface/baseapkinfo.py	79.77% <75.00%> (-0.23%)	⬇️
quark/core/apkinfo.py	90.00% <83.33%> (-0.28%)	⬇️
quark/script/__init__.py	95.41% <94.44%> (-0.09%)	⬇️
quark/core/rzapkinfo.py	76.94% <100.00%> (+0.39%)	⬆️
tests/conftest.py	100.00% <100.00%> (ø)
tests/core/test_apkinfo.py	95.96% <100.00%> (+0.16%)	⬆️
tests/script/test_script.py	100.00% <100.00%> (ø)

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

[haeter525]

Thanks, @zinwang. I have no further comment.
@pulorsok, could you help review the document? Thanks.

[pulorsok]

LGTM! @haeter525 please proceed!