Add Quark script showcase of detecting CWE-927

[pulorsok]

Detect CWE-927 in Android Application

This scenario seeks to find Use of Implicit Intent for Sensitive Communication.

CWE-927: Use of Implicit Intent for Sensitive Communication

We analyze the definition of CWE-927 and identify its characteristics.

See CWE-927 for more details.

Code of CWE-927 in ovaa.apk

We use the ovaa.apk sample to explain the vulnerability code of CWE-927.

CWE-927 Detection Process Using Quark Script API

First, we design a detection rule startActivityWithIntent.json to identify the behavior of using an intent to start an activity.
Then, we use the API behaviorInstance.getMethodsInArgs() to retrieve a list of methods that prepare an intent.
Finally, we check whether any component setting method is present in the list. If none is found, it indicates that the APK is using an implicit intent, which may lead to a CWE-927 vulnerability.

Quark Script CWE-927.py

from quark.script import runQuarkAnalysis, Rule

SAMPLE_PATH = "ovaa.apk"
RULE_PATH = "startActivityWithIntent.json"

ruleInstance = Rule(RULE_PATH)
quarkResult = runQuarkAnalysis(SAMPLE_PATH, ruleInstance)

COMPONENT_SETTING_METHODS = ["setComponent", "setClass", "setClassName"]

for intentUsage in quarkResult.behaviorOccurList:
    calledMethods = intentUsage.getMethodsInArgs()

    if not any(
        method.methodName in COMPONENT_SETTING_METHODS for method in calledMethods
    ):
        print(f"CWE-927 is detected in method, {intentUsage.methodCaller.fullName}")

Quark Rule: startActivityWithIntent.json

{
    "crime": "Start Activity With Intent.",
    "permission": [],
    "api": [
        {
            "descriptor": "(Landroid/content/Context;Ljava/lang/Class;)V",
            "class": "Landroid/content/Intent;",
            "method": "<init>"
        },
        {
            "descriptor": "(Landroid/content/Intent;)V",
            "class": "",
            "method": "startActivity"
        }
    ],
    "score": 1,
    "label": []
}

Quark Script Result

$ python3 CWE-927.py
CWE-927 is detected in method, Loversecured/ovaa/activities/DeeplinkActivity; processDeeplink (Landroid/net/Uri;)V

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 81.10%. Comparing base (22f67f9) to head (1cc42ab).
⚠️ Report is 1 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master     #807   +/-   ##
=======================================
  Coverage   81.10%   81.10%           
=======================================
  Files          75       75           
  Lines        6372     6372           
=======================================
  Hits         5168     5168           
  Misses       1204     1204           

Flag	Coverage Δ
unittests	81.10% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[haeter525]

LGTM. Thank @pulorsok !