Conversation

@JerryTasi
Contributor

Detect CWE-940 in Android Application

This scenario seeks to find the Improper Verification of Source of a Communication Channel in the APK file.

CWE-940: Improper Verification of Source of a Communication Channel

We analyze the definition of CWE-940 and identify its characteristics.

See CWE-940 for more details.


Code of CWE-940 in ovaa.apk

We use the ovaa.apk sample to explain the vulnerability code of CWE-940.


Quark Script: CWE-940.py

Let’s use the above APIs to show how the Quark script finds this vulnerability.

To begin with, we create a detection rule named LoadUrlFromIntent.json to identify behavior that loads URLs from intent data to the WebView.

Next, we retrieve the methods that pass the URL. Then, we check if these methods are only for getting the URL, such as findViewById, getStringExtra, or getIntent.

If YES, it could imply that the APK uses communication channels without proper verification, which may cause a CWE-940 vulnerability.

```python
from quark.script import runQuarkAnalysis, Rule

SAMPLE_PATH = "ovaa.apk"
RULE_PATH = "LoadUrlFromIntent.json"

# Methods that only fetch the URL (from a view or the Intent) and do not
# check where it came from.
URL_GETTING_METHODS = [
    "findViewById",
    "getStringExtra",
    "getIntent",
]

ruleInstance = Rule(RULE_PATH)

quarkResult = runQuarkAnalysis(SAMPLE_PATH, ruleInstance)

# Each behavior occurrence is one getStringExtra -> loadUrl pair found by the rule.
for behaviorInstance in quarkResult.behaviorOccurList:
    # Methods whose results flow into the arguments of the matched APIs.
    methodsInArgs = behaviorInstance.getMethodsInArgs()

    verifiedMethodCandidates = []

    # Any method that is not a plain getter is treated as a possible verification step.
    for method in methodsInArgs:
        if method.methodName not in URL_GETTING_METHODS:
            verifiedMethodCandidates.append(method)

    # No candidate verification at all: the URL reached loadUrl unchecked.
    if verifiedMethodCandidates == []:
        caller = behaviorInstance.methodCaller.fullName
        print(f"CWE-940 is detected in method, {caller}")
```

Quark Rule: LoadUrlFromIntent.json

```json
{
    "crime": "Load Url from Intent",
    "permission": [],
    "api": [
        {
            "class": "Landroid/content/Intent;",
            "method": "getStringExtra",
            "descriptor": "(Ljava/lang/String;)Ljava/lang/String"
        },
        {
            "class": "Landroid/webkit/WebView;",
            "method": "loadUrl",
            "descriptor": "(Ljava/lang/String;)V"
        }
    ],
    "score": 1,
    "label": []
}
```

Quark Script Result

```
$ python CWE-940.py
CWE-940 is detected in method, Loversecured/ovaa/activities/WebViewActivity; onCreate (Landroid/os/Bundle;)V
```
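The decision logic of the script above, modelled stand-alone so it can be run and tested without quark-engine or an APK. This is an added example, not code from the pull request or from the Quark project: the `Method` and `Behavior` classes only imitate the few fields of the Quark Script object model the check touches, the sample behaviors are constructed, and the `URL_VERIFYING_METHODS` allowlist and the `strict` variant are assumptions added to show the edge case the PR's rule leaves open, where a URL passes through a harmless transform such as `trim()` that is neither a getter nor a verification.

```python
"""Stand-alone model of the CWE-940 heuristic (added example, not part of the PR).

It mimics the small part of the Quark Script object model that the check
touches (a behavior occurrence, its caller, and the methods feeding the
loadUrl argument) so the decision logic can run without quark-engine or
an APK. Class and field names below are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import List

# Methods that only fetch a URL; reaching loadUrl through these alone means
# nothing checked where the URL came from (same list as the PR script).
URL_GETTING_METHODS = {"findViewById", "getStringExtra", "getIntent"}

# Methods this example treats as evidence that the URL was inspected before
# use. This allowlist is an assumption, not something the PR defines.
URL_VERIFYING_METHODS = {"getHost", "getScheme", "startsWith", "equals", "matches"}


@dataclass
class Method:
    """Mirrors the fields of quark.script.Method that the check uses."""
    className: str
    methodName: str
    descriptor: str

    @property
    def fullName(self) -> str:
        # Quark prints a method as "Lclass; name descriptor".
        return f"{self.className} {self.methodName} {self.descriptor}"


@dataclass
class Behavior:
    """One occurrence of the LoadUrlFromIntent rule (a getStringExtra -> loadUrl pair)."""
    methodCaller: Method
    methodsInArgs: List[Method]

    def getMethodsInArgs(self) -> List[Method]:
        return self.methodsInArgs


def is_unverified_loose(behavior: Behavior) -> bool:
    """The PR's rule: flag when every method feeding the URL is a plain getter."""
    return all(m.methodName in URL_GETTING_METHODS for m in behavior.getMethodsInArgs())


def is_unverified_strict(behavior: Behavior) -> bool:
    """Stricter variant: flag unless at least one method looks like a check.

    A transform such as trim() is neither a getter nor a check, so the loose
    rule stays silent on it while this one still reports.
    """
    return not any(m.methodName in URL_VERIFYING_METHODS for m in behavior.getMethodsInArgs())


def find_cwe940(behaviors: List[Behavior], strict: bool = False) -> List[str]:
    """Return the callers flagged as CWE-940 candidates, in input order."""
    check = is_unverified_strict if strict else is_unverified_loose
    return [b.methodCaller.fullName for b in behaviors if check(b)]


# --- constructed sample data (not taken from a real analysis) ---------------
_INTENT = "Landroid/content/Intent;"
_STRING = "Ljava/lang/String;"
_URI = "Landroid/net/Uri;"
_ON_CREATE = "(Landroid/os/Bundle;)V"

SAMPLE_BEHAVIORS = [
    # 1. URL read straight from the Intent and loaded: flagged by both rules.
    Behavior(
        Method("Lcom/example/app/WebViewActivity;", "onCreate", _ON_CREATE),
        [Method("Landroid/app/Activity;", "getIntent", "()Landroid/content/Intent;"),
         Method(_INTENT, "getStringExtra", "(Ljava/lang/String;)Ljava/lang/String;")],
    ),
    # 2. Host compared against an expected value first: flagged by neither rule.
    Behavior(
        Method("Lcom/example/app/SafeWebViewActivity;", "onCreate", _ON_CREATE),
        [Method(_INTENT, "getStringExtra", "(Ljava/lang/String;)Ljava/lang/String;"),
         Method(_URI, "getHost", "()Ljava/lang/String;"),
         Method(_STRING, "equals", "(Ljava/lang/Object;)Z")],
    ),
    # 3. Only whitespace trimmed: the loose rule misses it, the strict rule reports it.
    Behavior(
        Method("Lcom/example/app/TrimWebViewActivity;", "onCreate", _ON_CREATE),
        [Method(_INTENT, "getStringExtra", "(Ljava/lang/String;)Ljava/lang/String;"),
         Method(_STRING, "trim", "()Ljava/lang/String;")],
    ),
]


if __name__ == "__main__":
    for caller in find_cwe940(SAMPLE_BEHAVIORS):
        print(f"CWE-940 is detected in method, {caller}")
    for caller in find_cwe940(SAMPLE_BEHAVIORS, strict=True):
        print(f"[strict] CWE-940 is detected in method, {caller}")
```

Running the module prints one finding under the PR's rule (the activity that loads the Intent extra untouched) and two under the strict variant, which additionally reports the activity that only trims the string. Which variant to prefer is a precision trade-off: the loose rule keeps false positives low, the strict rule needs its allowlist maintained for the verification APIs a given code base actually uses.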

@zinwang zinwang self-requested a review August 14, 2025 07:06
Collaborator

@zinwang zinwang left a comment

LGTM!

@zinwang
Collaborator

zinwang commented Aug 14, 2025

Refer to #64

@zinwang zinwang merged commit 4510731 into ev-flow:main Aug 14, 2025
1 check passed