Reversing APK

Tools

  • APKTool

  • JADX-GUI

  • MobSF

ApkTool

  • Installed by default on Kali Linux

  • Decompile APK

apktool d example.apk -o example/

Jadx-GUI

jadx-gui
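# then choose the classes.dex file from the example/ folder
# (apktool keeps classes.dex there only when run with -s / --no-src; jadx-gui can also open example.apk directly)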

MobSF

  • Download using git

git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
cd Mobile-Security-Framework-MobSF/
./setup.sh

  • Running the tool

./run.sh 127.0.0.1:8000

Apk Contents

AndroidManifest.xml

  • The app's package name, which usually matches your code's namespace. The Android build tools use this to determine the location of code entities when building your project. When packaging the app, the build tools replace this value with the application ID from the Gradle build files, which is used as the unique app identifier on the system and on Google Play.

  • The components of the app, which include all activities, services, broadcast receivers, and content providers. Each component must define basic properties such as the name of its Kotlin or Java class. It can also declare capabilities such as which device configurations it can handle, and intent filters that describe how the component can be started.

  • The permissions that the app needs in order to access protected parts of the system or other apps. It also declares any permissions that other apps must have if they want to access content from this app.

  • The hardware and software features the app requires, which affects which devices can install the app from Google Play.

Classes.dex

  • The Java code written in Android Studio is compiled into a “dex” file. Although its name comes from the Dalvik VM (Dalvik Executable), it is universal to both the older Dalvik VM and the newer Android Runtime environments.

Assets Folder

  • In theory, you can store anything in the assets folder.

    You’ll commonly find such things as HTML, fonts, mp3, text and image files.

    The importance of this directory and its contents is based mainly on what the files are and how they are used.

Lib Folder

  • This directory is used for storing libraries and precompiled code. You will commonly find directories in /lib which represent different combinations of CPU types and instruction sets, known as Application Binary Interfaces, or ABIs. Examples of these subdirectories are x86, x86_64 and arm. In these subdirectories, you will find Linux shared object (.so) files.

  • The .so files are libraries, created by the developer or by a third party.

    If an attacker found a way to modify or replace these files and get them to execute, this could result in arbitrary code execution.

META-INF Folder

  • This directory contains files related to the integrity and authenticity of the application, which we’ll discuss in more detail later:

    • MANIFEST.MF - A listing of all the resource files and their SHA1 hashes

    • CERT.RSA - The developer’s signing certificate

    • CERT.SF - A list of the resources and their hashes, corresponding to the MANIFEST.MF
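
The MANIFEST.MF listing described above can be checked directly. The following Python is an added example, not code from the original page: it recomputes each file's digest and compares it with the MANIFEST.MF entry, run against a constructed in-memory archive (build_sample and its file names are assumptions made for the demonstration). It checks digests only and does not validate CERT.SF or CERT.RSA.

```python
import base64, hashlib, io, re, zipfile

# MANIFEST.MF and the signature files do not list themselves.
SIG_FILE = re.compile(r"META-INF/(MANIFEST\.MF|[^/]+\.(SF|RSA|DSA|EC))$")

def parse_manifest(text):
    """Return {entry name: {attribute: value}} for the per-file sections of MANIFEST.MF."""
    text = re.sub(r"\r?\n ", "", text)  # long lines wrap; a continuation starts with one space
    sections = [dict(l.split(": ", 1) for l in s.splitlines() if ": " in l)
                for s in re.split(r"(?:\r?\n){2,}", text.strip())]
    return {a.pop("Name"): a for a in sections if "Name" in a}

def verify_apk(apk):
    """Check every file in the archive against its MANIFEST.MF digest; return findings."""
    findings = []
    with zipfile.ZipFile(apk) as z:
        manifest = parse_manifest(z.read("META-INF/MANIFEST.MF").decode("utf-8"))
        names = [n for n in z.namelist() if not SIG_FILE.match(n) and not n.endswith("/")]
        for name in names:
            if name not in manifest:
                findings.append(("unlisted", name))
            for attr, expected in manifest.get(name, {}).items():
                if attr.endswith("-Digest"):  # e.g. SHA1-Digest, SHA-256-Digest
                    algo = attr[:-len("-Digest")].replace("-", "").lower()
                    digest = hashlib.new(algo, z.read(name)).digest()
                    if base64.b64encode(digest).decode() != expected:
                        findings.append(("modified", name))
        findings += [("missing", n) for n in manifest if n not in names]
    return findings

def build_sample(tamper=False):
    """Constructed sample: an in-memory zip laid out like an APK (not a real app)."""
    files = {"classes.dex": b"dex\n035\x00 constructed",
             "lib/arm64-v8a/libnative.so": b"\x7fELF constructed"}
    mf = "Manifest-Version: 1.0\r\n\r\n"
    for name, data in files.items():
        b64 = base64.b64encode(hashlib.sha1(data).digest()).decode()
        mf += f"Name: {name}\r\nSHA1-Digest: {b64}\r\n\r\n"
    if tamper:  # change the archive after the manifest was written
        files["lib/arm64-v8a/libnative.so"] += b" patched"
        files["assets/extra.js"] = b"added later"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in {"META-INF/MANIFEST.MF": mf, **files}.items():
            z.writestr(name, data)
    return buf

if __name__ == "__main__":
    print(verify_apk(build_sample()), verify_apk(build_sample(tamper=True)))
```

An APK that has been rebuilt and re-signed passes this check, because signing regenerates MANIFEST.MF. Telling it apart from the original requires comparing the signing certificate with the developer's known one.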

Res Folder

  • Within the /res directory are all of the resources, such as images, which are not compiled into the resources.arsc file.

  • Generally speaking, these files are less impactful from a security perspective.

Other Files

  • There are numerous reasons you may find other types of files and directories here.

  • These include, for example:

    • App specific customization and resource directories

    • Third-party libraries

    • HTML template files used in Webviews

    When auditing the source code of an app, you’ll want to ensure you take a look at all the files to determine their impact on the security of the application.

Code Signing

  • .apk files need to be signed. Android devices will not run unsigned .apk files; whether you’re building for testing or deployment, the process varies only in which keys are used to sign.

  • Android apps are cryptographically signed using a private key known only to the application developer. This process provides several key security-related features by:

    • Validating the identity of the author

    • Ensuring the code itself has not been modified after compiling

      Several Android vulnerabilities related to implementations of this protection have been identified.

  • Rebuild the APK

apktool b example/ -o new-example.apk

  • Generate private key

keytool -genkey -v -keystore foo.keystore -alias myalias -keyalg RSA -keysize 2048 -validity 10000

  • Sign it using jarsigner

jarsigner -sigalg SHA1withRSA -digestalg SHA1 -keystore foo.keystore new-example.apk myalias
