Developers release software to test Android app security
Developers at the social networking site LinkedIn have released a first test version of an analysis tool that checks the security of an Android app. Alongside each finding, the software describes the possible impact of the vulnerability.
LinkedIn calls the tool QARK (Quick Android Review Kit) and offers the software under an open source license. QARK lets developers find vulnerabilities in Java-based Android apps, such as the use of weak encryption or private keys hard-coded in the source. For each finding it shows a description of what is wrong and points to sources that explain how to fix it.
To check whether a reported vulnerability can actually be exploited, QARK generates adb commands that trigger it. The tool can also build a test application that demonstrates the security vulnerabilities it found in the Android app, writes LinkedIn security researcher Tony Trummer.
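The two kinds of checks described above, a source scan for weak encryption and hard-coded keys and the generation of adb commands for components another app can reach, as a small added example written for this page in Python. This is not QARK's code: the Java class, the manifest and the rule list are constructed for illustration, and the "exported" rule is the simplified platform default (exported when android:exported is true, or unset while an intent-filter is present) rather than QARK's own logic.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input (not real app code, not QARK output): a Java
# class with hard-coded key material and a weak cipher choice.
SAMPLE_JAVA = '''
package com.example.app;
import javax.crypto.Cipher;
public class Crypto {
    private static final String PRIV =
        "-----BEGIN RSA PRIVATE KEY-----MIIEowIBAAKCAQEAfake-----END RSA PRIVATE KEY-----";
    Cipher weak() throws Exception {
        return Cipher.getInstance("DES/ECB/PKCS5Padding");
    }
    Cipher ok() throws Exception {
        return Cipher.getInstance("AES/GCM/NoPadding");
    }
}
'''

# Constructed manifest: an explicitly exported activity, a private one, and
# one exported implicitly because it declares an intent-filter.
SAMPLE_MANIFEST = '''<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <application>
    <activity android:name=".AdminActivity" android:exported="true"/>
    <activity android:name=".MainActivity" android:exported="false"/>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
'''

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Each rule: id, line-level regex, what is wrong, and what to do about it.
CODE_RULES = [
    ("HARDCODED_PRIVATE_KEY",
     re.compile(r"-----BEGIN (?:RSA |EC |DSA )?PRIVATE KEY-----"),
     "Private key embedded in source; anyone who unpacks the APK can read it.",
     "Keep keys out of the APK; use the Android Keystore or provision per device."),
    ("WEAK_CIPHER",
     re.compile(r'Cipher\.getInstance\(\s*"(?:DES|DESede|RC4|ARCFOUR|Blowfish)[/"]'),
     "Obsolete cipher requested from javax.crypto.Cipher.",
     'Use AES, e.g. Cipher.getInstance("AES/GCM/NoPadding").'),
    ("ECB_MODE",
     re.compile(r'Cipher\.getInstance\(\s*"[^"]*/ECB/'),
     "ECB mode leaks plaintext structure: equal blocks encrypt identically.",
     "Use an authenticated mode such as GCM with a fresh nonce per message."),
]

def scan_source(java_src):
    """Return one finding per (line, rule) match in a Java source string."""
    findings = []
    for lineno, line in enumerate(java_src.splitlines(), 1):
        for rule_id, pattern, problem, fix in CODE_RULES:
            if pattern.search(line):
                findings.append({"rule": rule_id, "line": lineno,
                                 "problem": problem, "fix": fix})
    return findings

def exported_components(manifest_xml):
    """List (kind, package, name) for components other apps can reach.

    A component counts as exported when android:exported="true", or when the
    attribute is absent and it declares an intent-filter (the platform default
    before Android 12). Components guarded by android:permission are skipped.
    """
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    result = []
    for comp in root.iter():
        if comp.tag not in ("activity", "service", "receiver"):
            continue
        if comp.get(ANDROID_NS + "permission"):
            continue
        flag = comp.get(ANDROID_NS + "exported")
        has_filter = comp.find("intent-filter") is not None
        if flag == "true" or (flag is None and has_filter):
            result.append((comp.tag, package, comp.get(ANDROID_NS + "name")))
    return result

# Real `am` subcommands; `pkg/.Name` is the shorthand am accepts for a component.
AM_VERB = {"activity": "start", "service": "startservice", "receiver": "broadcast"}

def adb_commands(components):
    """Turn exported components into adb commands that trigger them from a shell."""
    return [f"adb shell am {AM_VERB[kind]} -n {pkg}/{name}"
            for kind, pkg, name in components]

if __name__ == "__main__":
    for f in scan_source(SAMPLE_JAVA):
        print(f"line {f['line']}: {f['rule']}: {f['problem']} Fix: {f['fix']}")
    for cmd in adb_commands(exported_components(SAMPLE_MANIFEST)):
        print(cmd)
```

Run against the constructed input, the scanner flags the private key line and the DES/ECB line (twice, once per rule) and leaves the AES/GCM line alone; the manifest pass yields two `adb shell am start -n com.example.app/...` commands that can be typed into a shell with a device attached to confirm the activities really are reachable. A regex-per-line scanner of this kind is exactly where false positives and false negatives come from (a key in a comment, a cipher name built at runtime), which is why a manual review still has to follow.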
Even with the discovery of vulnerabilities automated, Trummer recommends that organizations still perform manual security audits. According to him, there will always be undiscovered vulnerabilities that can be exploited, server-side APIs still have to be examined separately and, as obvious as it sounds, “no tool is perfect.”
The LinkedIn developers say they will keep working hard on QARK in the near future. Among other things, they want to reduce the number of false positives and false negatives, and to have QARK automatically run the test applications it generates. Finally, they are working on Windows support, as QARK currently runs only on Mac and Linux.