| 1 | +Detect CWE-940 in Android Application (ovaa,Vuldroid) |
| 2 | +------------------------------------------------------ |
| 3 | +This scenario aims to demonstrate the detection of the **Improper Verification of Source of a Communication Channel** vulnerability using [ovaa.apk](https://github.com/oversecured/ovaa) and [Vuldroid.apk](https://github.com/jaiswalakshansh/Vuldroid). See [CWE-940](https://cwe.mitre.org/data/definitions/940.html) for more details. |
| 4 | + |
| 5 | +To begin with, we create a detection rule named ``LoadUrlFromIntent.json`` to identify behavior that loads url from intent data to the WebView. |
| 6 | + |
| 7 | +Next, we retrieve the methods that pass the url. Following this, we check if these methods are only for setting intent, such as findViewById, getStringExtra, or getIntent. |
| 8 | + |
| 9 | +If **NO**, it could imply that the APK uses communication channels without proper verification, which may cause CWE-940 vulnerability. |
| 10 | + |
| 11 | +Quark Script CWE-940.py |
| 12 | +========================== |
| 13 | + |
| 14 | +The Quark Script below uses ovaa.apk to demonstrate. You can change the ``SAMPLE_PATH`` to the sample you want to detect. For example, ``SAMPLE_PATH = "Vuldroid.apk"``. |
| 15 | + |
| 16 | + |
| 17 | +```python |
| 18 | + from quark.script import runQuarkAnalysis, Rule |
| 19 | + |
| 20 | + SAMPLE_PATH = "ovaa.apk" |
| 21 | + RULE_PATH = "LoadUrlFromIntent.json" |
| 22 | + |
| 23 | + INTENT_SETTING_METHODS = [ |
| 24 | + "findViewById", |
| 25 | + "getStringExtra", |
| 26 | + "getIntent", |
| 27 | + ] |
| 28 | + |
| 29 | + ruleInstance = Rule(RULE_PATH) |
| 30 | + |
| 31 | + quarkResult = runQuarkAnalysis(SAMPLE_PATH, ruleInstance) |
| 32 | + |
| 33 | + for behaviorInstance in quarkResult.behaviorOccurList: |
| 34 | + methodsInArgs = behaviorInstance.getMethodsInArgs() |
| 35 | + |
| 36 | + verifiedMethodCandidates = [] |
| 37 | + |
| 38 | + for method in methodsInArgs: |
| 39 | + if method.methodName not in INTENT_SETTING_METHODS: |
| 40 | + verifiedMethodCandidates.append(method) |
| 41 | + |
| 42 | + if verifiedMethodCandidates == []: |
| 43 | + caller = behaviorInstance.methodCaller.fullName |
| 44 | + print(f"cwe-940 is detected in method, {caller}") |
| 45 | +``` |
| 46 | + |
| 47 | +Quark Rule: LoadUrlFromIntent.json |
| 48 | +============================================== |
| 49 | + |
| 50 | +```json |
| 51 | + { |
| 52 | + "crime": "Load Url from Intent and open WebView", |
| 53 | + "permission": [], |
| 54 | + "api": [ |
| 55 | + { |
| 56 | + "class": "Landroid/content/Intent;", |
| 57 | + "method": "getStringExtra", |
| 58 | + "descriptor": "(Ljava/lang/String;)Ljava/lang/String" |
| 59 | + }, |
| 60 | + { |
| 61 | + "class": "Landroid/webkit/WebView;", |
| 62 | + "method": "loadUrl", |
| 63 | + "descriptor": "(Ljava/lang/String;)V" |
| 64 | + } |
| 65 | + ], |
| 66 | + "score": 1, |
| 67 | + "label": [] |
| 68 | + } |
| 69 | +``` |
| 70 | + |
| 71 | +Quark Script Result |
| 72 | +====================== |
| 73 | +- **ovaa.apk** |
| 74 | + |
| 75 | +``` |
| 76 | + $ python CWE-940.py |
| 77 | + CWE-940 is detected in method, Loversecured/ovaa/activities/WebViewActivity; onCreate (Landroid/os/Bundle;)V |
| 78 | +``` |
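Review bot: the `getStringExtra` descriptor in LoadUrlFromIntent.json is missing the trailing `;` on its return type: `"descriptor": "(Ljava/lang/String;)Ljava/lang/String"` should read `"(Ljava/lang/String;)Ljava/lang/String;"` (compare the `loadUrl` entry, whose `Ljava/lang/String;` parameter is terminated correctly); if Quark compares descriptors exactly, the rule will never match the `getStringExtra` call and the script will report nothing. Two smaller points: the script prints `cwe-940 is detected in method, {caller}` in lowercase, while the result section shows `CWE-940 is detected in method, ...`, so one of the two should be changed so the documented output matches what the script actually emits; and the intent-setting filter compares `method.methodName` alone, so any method named `findViewById`, `getStringExtra` or `getIntent` on any class is treated as "only setting intent". Either compare the class name as well or say in the prose that this is a name-based heuristic, since `findViewById` is a View lookup rather than an Intent accessor.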