https://github.com/bytedance/appshark

Appshark is a static taint analysis platform to scan vulnerabilities in an Android app.

https://github.com/bytedance/appshark

Science Score: 13.0%

This score indicates how likely this project is to be science-related based on various indicators:

  • CITATION.cff file
  • codemeta.json file
    Found codemeta.json file
  • .zenodo.json file
  • DOI references
  • Academic publication links
  • Committers with academic emails
  • Institutional organization owner
  • JOSS paper metadata
  • Scientific vocabulary similarity
    Low similarity (10.8%) to scientific vocabulary

Keywords

android compliance static-analysis vulnerability
Last synced: 5 months ago · JSON representation

Repository

Appshark is a static taint analysis platform to scan vulnerabilities in an Android app.

Basic Info
  • Host: GitHub
  • Owner: bytedance
  • License: apache-2.0
  • Language: Kotlin
  • Default Branch: main
  • Homepage:
  • Size: 202 MB
Statistics
  • Stars: 1,638
  • Watchers: 18
  • Forks: 171
  • Open Issues: 16
  • Releases: 3
Topics
android compliance static-analysis vulnerability
Created over 3 years ago · Last pushed about 1 year ago
Metadata Files
Readme Contributing License

README.md

Document Index

AppShark

Appshark is a static taint analysis platform to scan vulnerabilities in an Android app.

Prerequisites

Appshark requires a specific version of JDK -- JDK 11. After testing, it does not work on other LTS versions, JDK 8 and JDK 16, due to the dependency compatibility issue.

Building/Compiling AppShark

We assume that you are working in the root directory of the project repo. You can build the whole project with the gradle tool.

shell $ ./gradlew build -x test

After executing the above command, you will see an artifact file AppShark-0.1.2-all.jar in the directory build/libs.

Running AppShark

Like the previous step, we assume that you are still in the root folder of the project. You can run the tool with

shell $ java -jar build/libs/AppShark-0.1.2-all.jar config/config.json5

The config.json5 has the following configuration contents.

JSON { "apkPath": "/Users/apks/app1.apk" }

Each JSON has these basic field.

  • apkPath: the path of the apk file to analyze
  • out: the path of the output directory
  • rules: specifies the rules, split by ,. Default is all *.json files in the $rulePath directory
  • rulePath: specifies the rule's parent directory, default is ./config/rules
  • maxPointerAnalyzeTime: the timeout duration in seconds set for the analysis started from an entry point
  • debugRule: specify the rule name that enables logging for debugging

For more config field, please visit net.bytedance.security.app.ArgumentConfig

If you provide a configuration JSON file which sets the output path as out in the project root directory, you will find the result file out/results.json after running the analysis.

Interpreting the Results

Below is an example of the results.json.

```JSON { "AppInfo": { "AppName": "test", "PackageName": "net.bytedance.security.app", "minsdk": 17, "targetsdk": 28, "versionCode": 1000, "versionName": "1.0.0" }, "SecurityInfo": { "FileRisk": { "unZipSlip": { "category": "FileRisk", "detail": "", "model": "2", "name": "unZipSlip", "possibility": "4", "vulners": [ { "details": { "position": "", "Sink": "->$r31", "entryMethod": "", "Source": "->$r3", "url": "/Volumes/dev/zijie/appshark-opensource/out/vuln/1-unZipSlip.html", "target": [ "->$r3", "pf{obj{:35=>java.lang.StringBuilder}(unknown)->@data}", "->$r11", "->$r31" ] }, "hash": "ec57a2a3190677ffe78a0c8aaf58ba5aee4d2247", "possibility": "4" }, { "details": { "position": "", "Sink": "->$r34", "entryMethod": "", "Source": "->$r3", "url": "/Volumes/dev/zijie/appshark-opensource/out/vuln/2-unZipSlip.html", "target": [ "->$r3", "pf{obj{:33=>java.lang.StringBuilder}(unknown)->@data}", "->$r14", "->$r34" ] }, "hash": "26c6d6ee704c59949cfef78350a1d9aef04c29ad", "possibility": "4" } ], "wiki": "", "deobfApk": "/Volumes/dev/zijie/appshark-opensource/app.apk" } } }, "DeepLinkInfo": { }, "HTTP_API": [ ], "JsBridgeInfo": [ ], "BasicInfo": { "ComponentsInfo": { }, "JSNativeInterface": [ ] }, "UsePermissions": [ ], "DefinePermissions": { }, "Profile": "/Volumes/dev/zijie/appshark-opensource/out/vuln/3-profiler.json" }

```

License

AppShark is licensed under the APACHE LICENSE, VERSION 2.0

Contact Us

Lark

Owner

  • Name: Bytedance Inc.
  • Login: bytedance
  • Kind: organization
  • Location: Singapore

GitHub Events

Total
  • Issues event: 5
  • Watch event: 158
  • Issue comment event: 12
  • Push event: 1
  • Pull request event: 2
  • Fork event: 15
Last Year
  • Issues event: 5
  • Watch event: 158
  • Issue comment event: 12
  • Push event: 1
  • Pull request event: 2
  • Fork event: 15

Committers

Last synced: 9 months ago

All Time
  • Total Commits: 103
  • Total Committers: 7
  • Avg Commits per committer: 14.714
  • Development Distribution Score (DDS): 0.204
Past Year
  • Commits: 1
  • Committers: 1
  • Avg Commits per committer: 1.0
  • Development Distribution Score (DDS): 0.0
Top Committers
Name Email Commits
baizhenxuan b****n@b****m 82
firmianay f****y@g****m 13
bdbubble z****x@b****m 4
renxin@blingsec.cn r****n@b****n 1
leixiao 1****1@q****m 1
Shivam Soni s****3@g****m 1
徐其望 x****g@b****m 1
Committer Domains (Top 20 + Academic)

Issues and Pull Requests

Last synced: 6 months ago

All Time
  • Total issues: 57
  • Total pull requests: 22
  • Average time to close issues: 4 months
  • Average time to close pull requests: 9 days
  • Total issue authors: 39
  • Total pull request authors: 8
  • Average comments per issue: 2.54
  • Average comments per pull request: 1.0
  • Merged pull requests: 13
  • Bot issues: 0
  • Bot pull requests: 0
Past Year
  • Issues: 4
  • Pull requests: 2
  • Average time to close issues: 5 days
  • Average time to close pull requests: 1 day
  • Issue authors: 4
  • Pull request authors: 1
  • Average comments per issue: 1.5
  • Average comments per pull request: 1.0
  • Merged pull requests: 2
  • Bot issues: 0
  • Bot pull requests: 0
Top Authors
Issue Authors
  • firmianay (11)
  • LiHongHui6 (3)
  • listentlky (2)
  • ggwshk (2)
  • ReturnHere (2)
  • nkbai (2)
  • humiaoxin (2)
  • ethan-1106 (1)
  • a363211861 (1)
  • william31212 (1)
  • evilpan (1)
  • 1kuzus (1)
  • kxdkxd (1)
  • heiniuniu (1)
  • X1Wan9 (1)
Pull Request Authors
  • firmianay (11)
  • l3yx (2)
  • pallock (2)
  • blingsec (2)
  • i-shivamsoni (1)
  • Jeffwan (1)
  • guoxiaoxu (1)
  • fanxs-t (1)
Top Labels
Issue Labels
Pull Request Labels