M 301: Qark (15 pts)

What You Need for This Project


To practice using Qark, an Android vulnerability scanner from LinkedIn.

Use Debian

For best results, use a Debian 10 virtual machine. This project is difficult to do on Kali.

Installing Qark

On Debian, in a Terminal, execute these commands:
sudo apt update
sudo apt install python-pip -y
git clone https://github.com/linkedin/qark
cd qark
pip install -r requirements.txt
pip install . 
qark --help
You see a Qark help message, as shown below.

If you see a message saying "qark not found", reboot your Debian machine.

Connecting to your Android Device with ADB

On Debian, in a Terminal, execute these commands, replacing the IP address with the IP address of your Genymotion Android device:
adb connect
adb devices -l
You should see your Genymotion device in the "List of devices attached", as shown below.

Pulling the GenieMD APK from the Phone

You should already have the GenieMD app installed. If you don't, get it from Google Play, as shown below.

To see the complete package name, on Debian, execute this command:

adb shell pm list packages | grep genie
The reply shows the package name, as shown below. Use that package name in the next command to get the APK path:
adb shell pm path com.geniemd.geniemd.harvard
The reply shows the full path to the APK. Use that path in the next command to pull the APK file:
adb pull /data/app/com.geniemd.geniemd.harvard-A0xnv6wdqwqLoAAgXh3GqA==/base.apk
The file downloads into Debian, as shown below.
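
The three steps above (list packages, get the APK path, pull the file) can be scripted. The following is an added example, not part of the original lab; the function names and script name are hypothetical. It also handles two cases the manual steps do not show: the trailing carriage returns that older adb builds append to each line, and apps installed as split APKs, where "pm path" returns several lines.

```shell
#!/bin/sh
# Added example: helpers for the "pm list packages" / "pm path" / "adb pull" steps.
# Function and script names are hypothetical, not part of Qark or adb.

# Strip the "package:" prefix and any trailing CR; drop lines without the prefix.
strip_pm() {
    tr -d '\r' | sed -n 's/^package://p'
}

# stdin: output of "pm list packages"; $1: keyword (for example: genie).
# Prints the single match, or fails if there are zero or several,
# so the wrong app is never pulled and scanned.
pick_package() {
    matches=$(strip_pm | grep -F -- "$1" || true)
    count=$(printf '%s\n' "$matches" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "expected 1 package matching '$1', found $count" >&2
        return 1
    fi
    printf '%s\n' "$matches"
}

# stdin: output of "pm path <package>". Split APKs give several lines;
# the lab scans base.apk, so select that one.
base_apk_path() {
    strip_pm | grep '/base\.apk$' | head -n 1
}

# Runs the three lab steps against the device already connected with adb.
pull_base_apk() {
    pkg=$(adb shell pm list packages | pick_package "$1") || return 1
    path=$(adb shell pm path "$pkg" | base_apk_path)
    [ -n "$path" ] || { echo "no base.apk for $pkg" >&2; return 1; }
    adb pull "$path" base.apk
}

# Only touches the device when invoked as: sh pull_apk.sh --pull genie
if [ "${1:-}" = "--pull" ]; then
    pull_base_apk "${2:?keyword required}"
fi
```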

Scanning the APK with Qark

On Debian, execute this command:
qark --apk base.apk
Qark takes about 10 minutes to unpack all the code and scan it, ending with the path to a report file, as shown below.

After the report is generated, move it to a more convenient location and name with this command:

mv /usr/local/lib/python2.7/dist-packages/qark/report/report.html genie.html

Viewing the Report

On your Debian desktop, on the left side, click the folder icon.

Navigate to the genie.html file, as shown below, and double-click it.

The report opens in Firefox, as shown below.

Type Ctrl+F and search for cert to find the SSL certificate validation error, as shown below.

M 301: Unsafe implementation (15 pts)

Find the text covered by a green box in the image above. That's the flag.


Android Penetration Tools Walkthrough Series: QARK

Posted 1-24-19 by Sam Bowne
Converted to a CTF 2-28-19
Install python-pip added 2-19-2020
Changed from Kali to Debian 3-10-2021