Appshark is a static taint analysis platform to scan vulnerabilities in an Android app.
Appshark requires a specific version of JDK — JDK 11. After testing, it does not work on other LTS versions, JDK 8 and JDK 16, due to the dependency compatibility issue.
We assume that you are working in the root directory of the project repo. You can build the whole project with the gradle tool.
$ ./gradlew build -x test
After executing the above command, you will see an artifact file AppShark-0.1.1-all.jar
in the directory build/libs
.
Like the previous step, we assume that you are still in the root folder of the project. You can run the tool with
$ java -jar build/libs/AppShark-0.1.1-all.jar config/config.json5
The config.json5
has the following configuration contents.
{ "apkPath": "/Users/apks/app1.apk", "out": "out", "rules": "unZipSlip.json", "maxPointerAnalyzeTime": 600 }
Each JSON field is explained below.
If you provide a configuration JSON file which sets the output path as out
in the project root directory, you will find the result file out/results.json
after running the analysis.
Below is an example of the results.json
.
{ "AppInfo": { "AppName": "test", "PackageName": "net.bytedance.security.app", "min_sdk": 17, "target_sdk": 28, "versionCode": 1000, "versionName": "1.0.0" }, "SecurityInfo": { "FileRisk": { "unZipSlip": { "category": "FileRisk", "detail": "", "model": "2", "name": "unZipSlip", "possibility": "4", "vulners": [ { "details": { "position": "<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void UnZipFolderFix1(java.lang.String,java.lang.String)>", "Sink": "<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void UnZipFolderFix1(java.lang.String,java.lang.String)>->$r31", "entryMethod": "<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void f()>", "Source": "<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void UnZipFolderFix1(java.lang.String,java.lang.String)>->$r3", "url": "/Volumes/dev/zijie/appshark-opensource/out/vuln/1-unZipSlip.html", "target": [ "<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void UnZipFolderFix1(java.lang.String,java.lang.String)>->$r3", "pf{obj{<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void UnZipFolderFix1(java.lang.String,java.lang.String)>:35=>java.lang.StringBuilder}(unknown)->@data}", "<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void UnZipFolderFix1(java.lang.String,java.lang.String)>->$r11", "<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void UnZipFolderFix1(java.lang.String,java.lang.String)>->$r31" ] }, "hash": "ec57a2a3190677ffe78a0c8aaf58ba5aee4d2247", "possibility": "4" }, { "details": { "position": "<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void UnZipFolder(java.lang.String,java.lang.String)>", "Sink": "<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void UnZipFolder(java.lang.String,java.lang.String)>->$r34", "entryMethod": "<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void f()>", "Source": "<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void UnZipFolder(java.lang.String,java.lang.String)>->$r3", "url": "/Volumes/dev/zijie/appshark-opensource/out/vuln/2-unZipSlip.html", "target": [ "<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void UnZipFolder(java.lang.String,java.lang.String)>->$r3", "pf{obj{<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void UnZipFolder(java.lang.String,java.lang.String)>:33=>java.lang.StringBuilder}(unknown)->@data}", "<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void UnZipFolder(java.lang.String,java.lang.String)>->$r14", "<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void UnZipFolder(java.lang.String,java.lang.String)>->$r34" ] }, "hash": "26c6d6ee704c59949cfef78350a1d9aef04c29ad", "possibility": "4" } ], "wiki": "", "deobfApk": "/Volumes/dev/zijie/appshark-opensource/app.apk" } } }, "DeepLinkInfo": { }, "HTTP_API": [ ], "JsBridgeInfo": [ ], "BasicInfo": { "ComponentsInfo": { }, "JSNativeInterface": [ ] }, "UsePermissions": [ ], "DefinePermissions": { }, "Profile": "/Volumes/dev/zijie/appshark-opensource/out/vuln/3-profiler.json" }
Playwright-MCP (Model Context Protocol) is a cutting-edge tool designed to bridge the gap between AI…
JBDev is a specialized development tool designed to streamline the creation and debugging of jailbreak…
The Kereva LLM Code Scanner is an innovative static analysis tool tailored for Python applications…
Nuclei-Templates-Labs is a dynamic and comprehensive repository designed for security researchers, learners, and organizations to…
SSH-Stealer and RunAs-Stealer are malicious tools designed to stealthily harvest SSH credentials, enabling attackers to…
Control flow flattening is a common obfuscation technique used by OLLVM (Obfuscator-LLVM) to transform executable…