Appshark is a static taint analysis platform to scan vulnerabilities in an Android app.
Appshark requires a specific version of JDK — JDK 11. After testing, it does not work on other LTS versions, JDK 8 and JDK 16, due to the dependency compatibility issue.
We assume that you are working in the root directory of the project repo. You can build the whole project with the gradle tool.
$ ./gradlew build -x test
After executing the above command, you will see an artifact file AppShark-0.1.1-all.jar
in the directory build/libs
.
Like the previous step, we assume that you are still in the root folder of the project. You can run the tool with
$ java -jar build/libs/AppShark-0.1.1-all.jar config/config.json5
The config.json5
has the following configuration contents.
{ "apkPath": "/Users/apks/app1.apk", "out": "out", "rules": "unZipSlip.json", "maxPointerAnalyzeTime": 600 }
Each JSON field is explained below.
If you provide a configuration JSON file which sets the output path as out
in the project root directory, you will find the result file out/results.json
after running the analysis.
Below is an example of the results.json
.
{ "AppInfo": { "AppName": "test", "PackageName": "net.bytedance.security.app", "min_sdk": 17, "target_sdk": 28, "versionCode": 1000, "versionName": "1.0.0" }, "SecurityInfo": { "FileRisk": { "unZipSlip": { "category": "FileRisk", "detail": "", "model": "2", "name": "unZipSlip", "possibility": "4", "vulners": [ { "details": { "position": "<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void UnZipFolderFix1(java.lang.String,java.lang.String)>", "Sink": "<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void UnZipFolderFix1(java.lang.String,java.lang.String)>->$r31", "entryMethod": "<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void f()>", "Source": "<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void UnZipFolderFix1(java.lang.String,java.lang.String)>->$r3", "url": "/Volumes/dev/zijie/appshark-opensource/out/vuln/1-unZipSlip.html", "target": [ "<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void UnZipFolderFix1(java.lang.String,java.lang.String)>->$r3", "pf{obj{<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void UnZipFolderFix1(java.lang.String,java.lang.String)>:35=>java.lang.StringBuilder}(unknown)->@data}", "<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void UnZipFolderFix1(java.lang.String,java.lang.String)>->$r11", "<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void UnZipFolderFix1(java.lang.String,java.lang.String)>->$r31" ] }, "hash": "ec57a2a3190677ffe78a0c8aaf58ba5aee4d2247", "possibility": "4" }, { "details": { "position": "<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void UnZipFolder(java.lang.String,java.lang.String)>", "Sink": "<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void UnZipFolder(java.lang.String,java.lang.String)>->$r34", "entryMethod": "<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void f()>", "Source": "<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void UnZipFolder(java.lang.String,java.lang.String)>->$r3", "url": "/Volumes/dev/zijie/appshark-opensource/out/vuln/2-unZipSlip.html", "target": [ "<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void UnZipFolder(java.lang.String,java.lang.String)>->$r3", "pf{obj{<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void UnZipFolder(java.lang.String,java.lang.String)>:33=>java.lang.StringBuilder}(unknown)->@data}", "<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void UnZipFolder(java.lang.String,java.lang.String)>->$r14", "<net.bytedance.security.app.pathfinder.testdata.ZipSlip: void UnZipFolder(java.lang.String,java.lang.String)>->$r34" ] }, "hash": "26c6d6ee704c59949cfef78350a1d9aef04c29ad", "possibility": "4" } ], "wiki": "", "deobfApk": "/Volumes/dev/zijie/appshark-opensource/app.apk" } } }, "DeepLinkInfo": { }, "HTTP_API": [ ], "JsBridgeInfo": [ ], "BasicInfo": { "ComponentsInfo": { }, "JSNativeInterface": [ ] }, "UsePermissions": [ ], "DefinePermissions": { }, "Profile": "/Volumes/dev/zijie/appshark-opensource/out/vuln/3-profiler.json" }
Pystinger is a Python-based tool that enables SOCKS4 proxying and port mapping through webshells. It…
Introduction When it comes to cybersecurity, speed and privacy are critical. Public vulnerability databases like…
Introduction When it comes to cybersecurity, speed and privacy are critical. Public vulnerability databases like…
If you are working with Linux or writing bash scripts, one of the most common…
What is a bash case statement? A bash case statement is a way to control…
Why Do We Check Files in Bash? When writing a Bash script, you often work…