
feat(forensic): add get_certificate() to extract APK signing certificate#935

Open
pulorsok wants to merge 6 commits into
ev-flow:masterfrom
pulorsok:feature/forensic-get-certificate

Conversation

@pulorsok

Member

What

Add Forensic.get_certificate() to surface the APK's signing certificate.

Why

The Forensic module already extracts APK metadata (strings, URLs, IPs, content/file URIs, base64, Android APIs) but had no way to get the signing certificate. Certificate subject/issuer and fingerprints are useful IOCs for provenance and family clustering — e.g. flagging AOSP test-key self-signing, which is common in repackaged malware.

How

get_certificate() reuses the certificate parsing already available from the Androguard backend (no new dependency) and returns a list of dicts: subject, issuer, serial_number, sha1, sha256, not_before, not_after, signature_algorithm. Returns an empty list for unsigned input, a bare DEX, or the rizin backend.

Test

Adds test_get_certificate in tests/forensic/test_forensic.py, asserting the signing cert (subject/issuer/sha256/sig-algo) of the existing test sample 14d9f1a92dd984d6040cc41ed06e273e.apk.

Notes

Backend support: implemented for the Androguard backend; rizin backend returns [] (can be added in a follow-up).

🤖 Generated with Claude Code
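Added example, not code from this PR or from the quark project: a triage pass over the list-of-dicts shape get_certificate() is described as returning, flagging the AOSP test-key self-signing the description calls out and clustering samples by signer fingerprint. It assumes not_before/not_after are ISO 8601 strings with a UTC offset and that subject/issuer are comma-separated RDN strings; all sample records and fingerprints below are constructed placeholders.

```python
from datetime import datetime, timezone
# Subject attributes of the public AOSP platform test key; matched per attribute, so RDN order is irrelevant.
AOSP_TESTKEY_ATTRS = {"CN": "Android", "OU": "Android", "O": "Android",
                      "L": "Mountain View", "ST": "California", "C": "US"}
WEAK_HASHES = ("md5", "sha1")  # hash part of algorithm names such as "sha1_rsa"
EVAL_TIME = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so the demo is reproducible

def dn_attrs(dn: str) -> dict:
    """Parse 'CN=Android, OU=Android, ...' into {ATTR: value}."""
    out = {}
    for part in dn.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().upper()] = value.strip()
    return out
def triage_certificate(cert: dict, now: datetime) -> list:
    """IOC-style findings for one dict in the shape get_certificate() returns."""
    subject, issuer = dn_attrs(cert["subject"]), dn_attrs(cert["issuer"])
    findings = []
    if subject == issuer:  # most app certs are self-signed, so weak evidence on its own
        findings.append("self-signed")
    if all(subject.get(k) == v for k, v in AOSP_TESTKEY_ATTRS.items()):
        findings.append("aosp-test-key")
    if cert["signature_algorithm"].lower().startswith(WEAK_HASHES):
        findings.append("weak-signature-hash")
    # Assumption: not_before/not_after are ISO 8601 strings carrying a UTC offset.
    if now < datetime.fromisoformat(cert["not_before"]):
        findings.append("not-yet-valid")
    if now > datetime.fromisoformat(cert["not_after"]):
        findings.append("expired")
    return findings

def cluster_by_signer(samples: dict) -> dict:
    """Group sample names by signer sha256; [] (unsigned, bare DEX, rizin backend) is skipped."""
    clusters = {}
    for name, certs in samples.items():
        for cert in certs:
            clusters.setdefault(cert["sha256"].lower(), []).append(name)
    return clusters
# Constructed input in the get_certificate() output shape (fingerprints are placeholders).
TESTKEY_DN = "C=US, ST=California, L=Mountain View, O=Android, OU=Android, CN=Android"
def make_cert(dn, algo, sha256):
    return {"subject": dn, "issuer": dn, "serial_number": "1", "sha1": "placeholder",
            "sha256": sha256, "not_before": "2008-01-01T00:00:00+00:00",
            "not_after": "2035-01-01T00:00:00+00:00", "signature_algorithm": algo}
SAMPLES = {"repack_a.apk": [make_cert(TESTKEY_DN, "sha1_rsa", "FP-TESTKEY")],
           "repack_b.apk": [make_cert(TESTKEY_DN, "sha1_rsa", "FP-TESTKEY")],
           "vendor.apk": [make_cert("CN=Example Corp, O=Example, C=US", "sha256_rsa", "FP-VENDOR")],
           "classes.dex": []}
```

Because nearly every Android app is self-signed, the "self-signed" finding alone is not an indicator; the test-key match and a shared fingerprint across unrelated package names are the signals worth acting on.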

pulorsok and others added 6 commits April 10, 2026 20:14
Added new Quark rules for Antidot malware detection, detailing behaviors and identified threats. Included summary report and tested APKs.
Updated images and descriptions in the malware report to reflect new findings and behaviors detected by Quark.
Added new Quark rule for detecting Arsink malware, detailing its behaviors and testing results.
The Forensic module exposes APK metadata (strings, URLs, IPs, content/
file URIs, base64, Android APIs) but had no way to surface the signing
certificate. Certificate subject/issuer and fingerprints are useful IOCs
for provenance and family clustering (e.g. AOSP test-key self-signing).

Add Forensic.get_certificate(), which reuses the certificate parsing
already available from the Androguard backend and returns a list of
dicts (subject, issuer, serial number, sha1/sha256 fingerprint, validity
period, signature algorithm). Returns an empty list for unsigned input,
bare DEX, or the rizin backend.

Add a matching test in tests/forensic/test_forensic.py asserting the
signing certificate of the existing sample.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@codecov

codecov Bot commented Jun 26, 2026


Codecov Report

❌ Patch coverage is 50.00000% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 78.89%. Comparing base (c001171) to head (ae39555).
⚠️ Report is 21 commits behind head on master.

Files with missing lines     Patch %   Lines
quark/forensic/forensic.py   50.00%    1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##           master     #935      +/-   ##
==========================================
- Coverage   81.32%   78.89%   -2.44%     
==========================================
  Files          80       81       +1     
  Lines        6952     7131     +179     
==========================================
- Hits         5654     5626      -28     
- Misses       1298     1505     +207     
Flag        Coverage Δ
unittests   78.89% <50.00%> (-2.44%) ⬇️


