From 69f95896e50b30f0e2d36f548872dbf2f64ec829 Mon Sep 17 00:00:00 2001 From: Shaun Dang Date: Tue, 9 Sep 2025 23:31:59 +0800 Subject: [PATCH 1/6] Add Quark script showcase of detecting CWE-927 --- docs/source/quark_script.rst | 88 ++++++++++++++++++++++++++++++++++++ 1 file changed, 88 insertions(+) diff --git a/docs/source/quark_script.rst b/docs/source/quark_script.rst index 28935193..4bcfeff6 100644 --- a/docs/source/quark_script.rst +++ b/docs/source/quark_script.rst @@ -3610,3 +3610,91 @@ Quark Script Result + +Detect CWE-927 in Android Application +-------------------------------------- + +This scenario seeks to find **Use of Implicit Intent for Sensitive Communication**. + +CWE-927: Use of Implicit Intent for Sensitive Communication +========================================= + +We analyze the definition of CWE-927 and identify its characteristics. + +See `CWE-927 `_ for more details. + +.. image:: https://hackmd.io/_uploads/H1UYN6pqxe.png + +Code of CWE-927 in ovaa.apk +============================ + +We use the `ovaa.apk `_ sample to explain the vulnerability code of CWE-927. + +.. image:: https://hackmd.io/_uploads/Bk6hEaTcll.png + +CWE-927 Detection Process Using Quark Script API +================================================= + +.. image:: https://hackmd.io/_uploads/rJOHSTaceg.png + +First, we design a detection rule ``findImplicitIntent.json`` to identify the use of implicit intents. Then, we use the API ``behaviorInstance.getMethodsInArgs()`` to retrieve a list of methods that set components. Finally, we check whether any component setting method is present in the list. If **none** is found, it indicates that the APK is using an implicit intent without specifying a particular component, which leads to a CWE-927 vulnerability. + +Quark Script CWE-927.py +======================== + +.. image:: https://hackmd.io/_uploads/BkDZwa65lg.png + + +.. code-block:: python + + from quark.script import runQuarkAnalysis, Rule + + SAMPLE_PATH = "ovaa.apk" + RULE_PATH = "findImplicitIntent.json" + + ruleInstance = Rule(RULE_PATH) + quarkResult = runQuarkAnalysis(SAMPLE_PATH, ruleInstance) + + COMPONENT_SETTING_METHODS = ["setComponent", "setClass", "setClassName"] + + for implicitIntent in quarkResult.behaviorOccurList: + calledMethods = implicitIntent.getMethodsInArgs() + + if not any( + method.methodName in COMPONENT_SETTING_METHODS for method in calledMethods + ): + print(f"CWE-927 is detected in method, {implicitIntent.methodCaller.fullName}") + + +Quark Rule: findImplicitIntent.json +================================= + +.. code-block:: json + + { + "crime": "Detect APK using implicit intent.", + "permission": [], + "api": [ + { + "descriptor": "(Landroid/content/Context;Ljava/lang/Class;)V", + "class": "Landroid/content/Intent;", + "method": "" + }, + { + "descriptor": "(Landroid/content/Intent;)V", + "class": "", + "method": "startActivity" + } + ], + "score": 1, + "label": [] + } + + +Quark Script Result +==================== + +.. code-block:: TEXT + + $ python3 CWE-927.py + CWE-927 is detected in method, Loversecured/ovaa/activities/DeeplinkActivity; processDeeplink (Landroid/net/Uri;)V From af633ab1630c656ff4a7cdcc54bbf978d2db2681 Mon Sep 17 00:00:00 2001 From: Shaun Dang Date: Wed, 10 Sep 2025 23:01:32 +0800 Subject: [PATCH 2/6] Correct and improve document content --- docs/source/quark_script.rst | 26 ++++++++++++++------------ 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/docs/source/quark_script.rst b/docs/source/quark_script.rst index 4bcfeff6..64a2f6e1 100644 --- a/docs/source/quark_script.rst +++ b/docs/source/quark_script.rst @@ -3630,49 +3630,51 @@ Code of CWE-927 in ovaa.apk We use the `ovaa.apk `_ sample to explain the vulnerability code of CWE-927. -.. image:: https://hackmd.io/_uploads/Bk6hEaTcll.png +.. image:: https://hackmd.io/_uploads/SJCe0Z1sll.png CWE-927 Detection Process Using Quark Script API ================================================= -.. image:: https://hackmd.io/_uploads/rJOHSTaceg.png +.. image:: https://hackmd.io/_uploads/SkSMfz1slg.png -First, we design a detection rule ``findImplicitIntent.json`` to identify the use of implicit intents. Then, we use the API ``behaviorInstance.getMethodsInArgs()`` to retrieve a list of methods that set components. Finally, we check whether any component setting method is present in the list. If **none** is found, it indicates that the APK is using an implicit intent without specifying a particular component, which leads to a CWE-927 vulnerability. +First, we design a detection rule ``findImplicitIntent.json`` to identify the use of implicit intents. +Then, we use the API ``behaviorInstance.getMethodsInArgs()`` to retrieve a list of methods that provides the intent. +Finally, we check whether any component setting method is present in the list. If **none** is found, it indicates that the APK is using an implicit intent, which may lead to a CWE-927 vulnerability. Quark Script CWE-927.py ======================== -.. image:: https://hackmd.io/_uploads/BkDZwa65lg.png +.. image:: https://hackmd.io/_uploads/ryMLzzJolg.png .. code-block:: python - from quark.script import runQuarkAnalysis, Rule - + from quark.script import runQuarkAnalysis, Rule + SAMPLE_PATH = "ovaa.apk" - RULE_PATH = "findImplicitIntent.json" + RULE_PATH = "detectIntentUsage.json" ruleInstance = Rule(RULE_PATH) quarkResult = runQuarkAnalysis(SAMPLE_PATH, ruleInstance) COMPONENT_SETTING_METHODS = ["setComponent", "setClass", "setClassName"] - for implicitIntent in quarkResult.behaviorOccurList: - calledMethods = implicitIntent.getMethodsInArgs() + for intentUsage in quarkResult.behaviorOccurList: + calledMethods = intentUsage.getMethodsInArgs() if not any( method.methodName in COMPONENT_SETTING_METHODS for method in calledMethods ): - print(f"CWE-927 is detected in method, {implicitIntent.methodCaller.fullName}") + print(f"CWE-927 is detected in method, {intentUsage.methodCaller.fullName}") -Quark Rule: findImplicitIntent.json +Quark Rule: detectIntentUsage.json ================================= .. code-block:: json { - "crime": "Detect APK using implicit intent.", + "crime": "Detect APKs that use intents.", "permission": [], "api": [ { From cfa54418bafb39fbf103955819ca085324473735 Mon Sep 17 00:00:00 2001 From: Shaun Dang Date: Thu, 11 Sep 2025 00:54:27 +0800 Subject: [PATCH 3/6] Correct and improve document content --- docs/source/quark_script.rst | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/docs/source/quark_script.rst b/docs/source/quark_script.rst index 64a2f6e1..ad7054af 100644 --- a/docs/source/quark_script.rst +++ b/docs/source/quark_script.rst @@ -3635,24 +3635,23 @@ We use the `ovaa.apk `_ sample to explain t CWE-927 Detection Process Using Quark Script API ================================================= -.. image:: https://hackmd.io/_uploads/SkSMfz1slg.png +.. image:: https://hackmd.io/_uploads/B1ne6m1jgl.png -First, we design a detection rule ``findImplicitIntent.json`` to identify the use of implicit intents. -Then, we use the API ``behaviorInstance.getMethodsInArgs()`` to retrieve a list of methods that provides the intent. +First, we design a detection rule ``startActivityWithIntent.json`` to identify the use of implicit intents. +Then, we use the API ``behaviorInstance.getMethodsInArgs()`` to retrieve a list of methods that prepare an intent. Finally, we check whether any component setting method is present in the list. If **none** is found, it indicates that the APK is using an implicit intent, which may lead to a CWE-927 vulnerability. Quark Script CWE-927.py ======================== -.. image:: https://hackmd.io/_uploads/ryMLzzJolg.png - +.. image:: https://hackmd.io/_uploads/S1AJa7yixe.pn .. code-block:: python from quark.script import runQuarkAnalysis, Rule SAMPLE_PATH = "ovaa.apk" - RULE_PATH = "detectIntentUsage.json" + RULE_PATH = "startActivityWithIntent.json" ruleInstance = Rule(RULE_PATH) quarkResult = runQuarkAnalysis(SAMPLE_PATH, ruleInstance) @@ -3668,13 +3667,13 @@ Quark Script CWE-927.py print(f"CWE-927 is detected in method, {intentUsage.methodCaller.fullName}") -Quark Rule: detectIntentUsage.json +Quark Rule: startActivityWithIntent.json ================================= .. code-block:: json { - "crime": "Detect APKs that use intents.", + "crime": "Start Activity With Intent.", "permission": [], "api": [ { From 8f3bef861f23d74eedb52e788b6becf9e9e7074f Mon Sep 17 00:00:00 2001 From: Shaun Dang Date: Thu, 11 Sep 2025 01:57:16 +0800 Subject: [PATCH 4/6] Correct and improve document content --- docs/source/quark_script.rst | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/source/quark_script.rst b/docs/source/quark_script.rst index ad7054af..965d3a57 100644 --- a/docs/source/quark_script.rst +++ b/docs/source/quark_script.rst @@ -3635,16 +3635,16 @@ We use the `ovaa.apk `_ sample to explain t CWE-927 Detection Process Using Quark Script API ================================================= -.. image:: https://hackmd.io/_uploads/B1ne6m1jgl.png +.. image:: https://hackmd.io/_uploads/ByAqo4ksxg.png -First, we design a detection rule ``startActivityWithIntent.json`` to identify the use of implicit intents. +First, we design a detection rule ``startActivityWithIntent.json`` to identify when an intent is used to start an activity. Then, we use the API ``behaviorInstance.getMethodsInArgs()`` to retrieve a list of methods that prepare an intent. Finally, we check whether any component setting method is present in the list. If **none** is found, it indicates that the APK is using an implicit intent, which may lead to a CWE-927 vulnerability. Quark Script CWE-927.py ======================== -.. image:: https://hackmd.io/_uploads/S1AJa7yixe.pn +.. image:: https://hackmd.io/_uploads/rkl2ii4ysex.png .. code-block:: python From b489ea22875f91936fa1d3ac39efbc22e3cf1c7e Mon Sep 17 00:00:00 2001 From: Shaun Dang Date: Thu, 11 Sep 2025 02:07:14 +0800 Subject: [PATCH 5/6] Correct and improve document content --- docs/source/quark_script.rst | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/docs/source/quark_script.rst b/docs/source/quark_script.rst index 965d3a57..0c7e08d2 100644 --- a/docs/source/quark_script.rst +++ b/docs/source/quark_script.rst @@ -3617,7 +3617,7 @@ Detect CWE-927 in Android Application This scenario seeks to find **Use of Implicit Intent for Sensitive Communication**. CWE-927: Use of Implicit Intent for Sensitive Communication -========================================= +=========================================================== We analyze the definition of CWE-927 and identify its characteristics. @@ -3638,7 +3638,9 @@ CWE-927 Detection Process Using Quark Script API .. image:: https://hackmd.io/_uploads/ByAqo4ksxg.png First, we design a detection rule ``startActivityWithIntent.json`` to identify when an intent is used to start an activity. + Then, we use the API ``behaviorInstance.getMethodsInArgs()`` to retrieve a list of methods that prepare an intent. + Finally, we check whether any component setting method is present in the list. If **none** is found, it indicates that the APK is using an implicit intent, which may lead to a CWE-927 vulnerability. Quark Script CWE-927.py @@ -3668,7 +3670,7 @@ Quark Script CWE-927.py Quark Rule: startActivityWithIntent.json -================================= +======================================== .. code-block:: json From 1cc42ab227a430461bd175b0a50e92f373cf3c2c Mon Sep 17 00:00:00 2001 From: Shaun Dang Date: Thu, 11 Sep 2025 02:18:24 +0800 Subject: [PATCH 6/6] Correct and improve document content --- docs/source/quark_script.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/source/quark_script.rst b/docs/source/quark_script.rst index 0c7e08d2..2d97d2ac 100644 --- a/docs/source/quark_script.rst +++ b/docs/source/quark_script.rst @@ -3637,7 +3637,7 @@ CWE-927 Detection Process Using Quark Script API .. image:: https://hackmd.io/_uploads/ByAqo4ksxg.png -First, we design a detection rule ``startActivityWithIntent.json`` to identify when an intent is used to start an activity. +First, we design a detection rule ``startActivityWithIntent.json`` to identify the behavior of using an intent to start an activity. Then, we use the API ``behaviorInstance.getMethodsInArgs()`` to retrieve a list of methods that prepare an intent.