Reverse Engineering: Android Penetration Testing
· Need for Android Penetration Testing
· Reverse Engineering
· Reversing an apk
· What is an apk
· Reverse Engineering Android APKs
· Need for Android Penetration Testing: Android is the most widely used mobile operating system in the world. Android applications are exposed to a variety of security risks that threaten the integrity of the apps and the safety of their end users.
· Reverse Engineering: Reverse engineering is the process of understanding how something works and reusing that knowledge for another purpose. It applies to Android applications as well, for the following reasons:
1. Reading Android application code
2. Finding vulnerabilities in the code
3. Finding hard-coded secrets in the code
4. Malware analysis
· Reversing an apk:
What is an apk (Android Package Kit): APK is the package file format used by the Android OS to distribute and install mobile apps. An APK is to Android what an .exe is to a Windows PC.
Every Android app ships as a file with the .apk extension. The APK is a compressed (ZIP) archive that holds all the code and resources the app uses. When extracted, an APK contains the following:
(i) META-INF: contains three files: MANIFEST.MF (the manifest file), CERT.SF (the signature file) and CERT.RSA (the actual signature, together with the signing certificate).
MANIFEST.MF: contains information used by the Java runtime when loading the jar, such as the main class to run, the package version, the build number, the creator of the package, security policies/permissions for Java applets and Java Web Start packages, and the list of file names in the jar along with their SHA-1 digests.
CERT.SF: contains the list of all files along with their SHA-1 digests.
CERT.RSA: contains the signed contents of the CERT.SF file along with the certificate chain of the public key used to sign them.
(ii) res: contains the resources that are not compiled. Resources are the additional files and static content that your code uses, such as bitmaps, layout definitions, user-interface strings, animation instructions, and more.
(iii) AndroidManifest.xml: every apk includes a manifest file, AndroidManifest.xml, stored in the root directory of the project hierarchy. The manifest is an important part of the app because it defines the structure and metadata of the application, its components, its requirements and its permissions.
(iv) resources.arsc: compiled resources that let app developers keep content and external files separate from application code and maintain them independently. Resources can be made configuration-aware so that strings are localized and UI layouts are adapted at runtime to the language settings and screen properties of the device the app runs on.
It is not human-readable: resources.arsc is compiled by the Android build tool chain alongside the actual code. It contains simple values such as integers, booleans and strings, as well as references to more complex resources such as UI layouts, which are stored in separate binary XML files.
(v) classes.dex: the application's classes compiled into the dex file format understood by the Dalvik virtual machine.
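To make the META-INF description concrete, here is an added example (not code from the original slides or from any of the tools named here) that checks the v1 "JAR signing" digests described above. It builds a small APK-like ZIP in memory with a constructed MANIFEST.MF and CERT.SF (no CERT.RSA or real signature block is produced), then verifies each file's digest in MANIFEST.MF against the archive and CERT.SF's digest over the whole MANIFEST.MF. It goes slightly beyond the slide by accepting both SHA1-Digest and SHA-256-Digest attributes, since newer APKs use the latter. A repackaged APK whose META-INF was not regenerated fails this check, which is why it is a useful first integrity test during triage.

```python
"""Check the v1 (JAR-signing) digests inside an APK's META-INF.

Added example: builds a constructed APK-like ZIP with MANIFEST.MF and CERT.SF,
then verifies per-file digests and the digest recorded over MANIFEST.MF.
"""
import base64
import hashlib
import io
import zipfile

# Digest attributes the v1 scheme uses: SHA1 in older APKs, SHA-256 in newer ones.
DIGEST_ALGOS = {"SHA1-Digest": "sha1", "SHA-256-Digest": "sha256"}


def parse_sections(text):
    """Split MANIFEST.MF / CERT.SF text into (main section, {Name: section}).

    Sections are separated by blank lines; a line starting with a space
    continues the previous attribute (manifests wrap long lines that way).
    """
    sections, current, last_key = [], {}, None
    for line in text.splitlines():
        if line == "":
            if current:
                sections.append(current)
            current, last_key = {}, None
        elif line.startswith(" ") and last_key is not None:
            current[last_key] += line[1:]
        else:
            key, _, value = line.partition(": ")
            current[key] = value
            last_key = key
    if current:
        sections.append(current)
    main = sections[0] if sections else {}
    named = {s["Name"]: s for s in sections[1:] if "Name" in s}
    return main, named


def digest_matches(section, data):
    """True if the section's digest attribute equals the digest of data."""
    for attr, algo in DIGEST_ALGOS.items():
        if attr in section:
            return base64.b64decode(section[attr]) == hashlib.new(algo, data).digest()
    return False  # no digest attribute at all


def verify_v1_digests(apk_bytes):
    """Return {entry name: bool}; the key "MANIFEST.MF" reports the CERT.SF check.

    An entry is False if its digest mismatches, if it is listed in the manifest
    but missing from the archive, or if it is in the archive but not listed.
    """
    results = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        manifest_bytes = zf.read("META-INF/MANIFEST.MF")
        _, entries = parse_sections(manifest_bytes.decode("utf-8"))
        for name, section in entries.items():
            results[name] = name in zf.namelist() and digest_matches(section, zf.read(name))
        for name in zf.namelist():
            if not name.startswith("META-INF/") and not name.endswith("/"):
                results.setdefault(name, False)  # present in archive but unsigned
        sf_main, _ = parse_sections(zf.read("META-INF/CERT.SF").decode("utf-8"))
        for attr, algo in DIGEST_ALGOS.items():
            if attr + "-Manifest" in sf_main:
                expected = base64.b64decode(sf_main[attr + "-Manifest"])
                results["MANIFEST.MF"] = expected == hashlib.new(algo, manifest_bytes).digest()
    return results


def build_sample_apk(files, attr="SHA1-Digest", tamper=None):
    """Constructed sample APK: the given files plus a matching MANIFEST.MF and CERT.SF.

    If `tamper` names a file, it is altered after the digests were computed,
    imitating a modified-and-rezipped APK whose META-INF was left untouched.
    """
    algo = DIGEST_ALGOS[attr]

    def b64(data):
        return base64.b64encode(hashlib.new(algo, data).digest()).decode()

    manifest = "Manifest-Version: 1.0\nCreated-By: constructed-sample\n\n"
    for name, data in files.items():
        manifest += f"Name: {name}\n{attr}: {b64(data)}\n\n"
    manifest_bytes = manifest.encode("utf-8")
    cert_sf = f"Signature-Version: 1.0\n{attr}-Manifest: {b64(manifest_bytes)}\n\n"
    files = dict(files)
    if tamper:
        files[tamper] = files[tamper] + b"\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest_bytes)
        zf.writestr("META-INF/CERT.SF", cert_sf.encode("utf-8"))
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample entries, not taken from any real app.
SAMPLE_FILES = {
    "classes.dex": b"dex\n035\x00" + bytes(16),
    "AndroidManifest.xml": b"<manifest/>",
    "res/values/strings.xml": b"<resources/>",
}

if __name__ == "__main__":
    print("intact:  ", verify_v1_digests(build_sample_apk(SAMPLE_FILES)))
    print("tampered:", verify_v1_digests(build_sample_apk(SAMPLE_FILES, tamper="classes.dex")))
```

To run this against a real APK, pass the file's bytes to verify_v1_digests(); any False entry means the archive content no longer matches what was signed. Note that this only checks the digests, not the CERT.RSA signature or certificate chain, and modern APKs also carry v2/v3 signature blocks outside the ZIP entries.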
Dex2jar: Dex2Jar converts the classes.dex file of an APK to classes.jar (or vice versa). The resulting jar can then be viewed in any Java decompiler in a completely readable form. Note that what we get are .class files, not the actual Java source code written by the application developer.
When converting DEX to JAR you may get an Out of Memory error for a large DEX file; in that case increase the JVM memory size in the d2j_invoke script.
Note: It is also possible to get ".smali" files directly from the classes.dex file, or vice versa. That means you can change the code of an application by working directly with this format.
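Before handing classes.dex to dex2jar or a decompiler it helps to know whether the file is intact. The following added example (my own code, not part of the original slides or of dex2jar) parses the fixed 0x70-byte DEX header, whose layout is documented by the Android project: magic, an Adler-32 checksum over everything after it, a SHA-1 signature over everything after that, and then the sizes and offsets of each table. It constructs a header-only dex image in memory to demonstrate a clean file and a hand-patched one.

```python
"""Parse and validate the 0x70-byte header of a classes.dex file.

Added example: checks the checksum, signature and table offsets so a truncated
or carelessly patched dex is spotted before decompilation.
"""
import hashlib
import struct
import zlib

DEX_HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678
# uint32 fields that follow the 8-byte magic, 4-byte checksum and 20-byte signature.
HEADER_FIELDS = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
)


def parse_dex_header(data):
    """Return the header fields as a dict; raises ValueError on a bad magic."""
    if len(data) < DEX_HEADER_SIZE:
        raise ValueError("shorter than a DEX header")
    magic = data[:8]
    if magic[:4] != b"dex\n" or magic[7] != 0:
        raise ValueError("bad DEX magic")
    header = dict(zip(HEADER_FIELDS, struct.unpack_from("<20I", data, 32)))
    header["version"] = magic[4:7].decode("ascii")
    header["checksum"] = struct.unpack_from("<I", data, 8)[0]
    header["signature"] = data[12:32]
    return header


def dex_issues(data):
    """List integrity problems found in the header of a dex image (empty = clean)."""
    h = parse_dex_header(data)
    issues = []
    # checksum covers everything after magic+checksum; signature everything after itself
    if zlib.adler32(data[12:]) & 0xFFFFFFFF != h["checksum"]:
        issues.append("adler32 checksum mismatch")
    if hashlib.sha1(data[32:]).digest() != h["signature"]:
        issues.append("sha1 signature mismatch")
    if h["file_size"] != len(data):
        issues.append(f"file_size {h['file_size']} != actual {len(data)}")
    if h["header_size"] != DEX_HEADER_SIZE:
        issues.append("unexpected header_size")
    if h["endian_tag"] != ENDIAN_CONSTANT:
        issues.append("unexpected endian_tag")
    for field in HEADER_FIELDS:
        if field.endswith("_off") and h[field] > len(data):
            issues.append(f"{field} points past end of file")
    return issues


def build_minimal_dex():
    """Constructed header-only dex image (all tables empty) with valid checksum/signature."""
    fields = dict.fromkeys(HEADER_FIELDS, 0)
    fields.update(file_size=DEX_HEADER_SIZE, header_size=DEX_HEADER_SIZE, endian_tag=ENDIAN_CONSTANT)
    body = struct.pack("<20I", *(fields[f] for f in HEADER_FIELDS))
    signature = hashlib.sha1(body).digest()
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF
    return b"dex\n035\x00" + struct.pack("<I", checksum) + signature + body


def flip_byte(data, offset):
    """Return a copy with one byte inverted, imitating a careless binary patch."""
    patched = bytearray(data)
    patched[offset] ^= 0xFF
    return bytes(patched)


if __name__ == "__main__":
    dex = build_minimal_dex()
    print("clean:  ", dex_issues(dex))
    print("patched:", dex_issues(flip_byte(dex, 0x40)))
```

On a real classes.dex extracted from an APK, read the file as bytes and call dex_issues(); a checksum or signature mismatch on an otherwise well-formed header is the usual sign that the dex was edited (for instance via smali) and not re-assembled properly.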
JD-GUI: JD-GUI is a standalone graphical utility that displays the Java source code of ".class" files. Download the flavor for your platform (UNIX, Mac or Windows); for Windows you can download either the executable or the JAR of JD-GUI. If you open the ".jar" file with JD-GUI, you can view the source code of the application, i.e. its Java classes, in a readable format.
APKTOOL: a tool for decoding resources to nearly original form and rebuilding them after making modifications. Its features:
(i) Disassembling resources to nearly original form (including resources.arsc, classes.dex, 9.png and XMLs).
(ii) Rebuilding decoded resources back to a binary APK/JAR.
(iii) Organizing and handling APKs that depend on framework resources.
(iv) Smali debugging (removed in 2.1.0 in favor of IdeaSmali).
(v) Helping with repetitive tasks.
· Reverse Engineering Android APKs:
(i) Download the dex2jar tool from https://code.google.com/p/dex2jar/
(ii) Give the .apk file as input and convert it into a .jar file using the command below.
(iii) Launch JD-GUI (download link: http://jd.benow.ca/).
(iv) Go to File -> Open and select the .jar file to be opened.
(i) Download APKTOOL, give the APK file as input and decode it using the following command:
Provide the link of apktool
(i) apktool d <filename>.apk
(ii) We can now read AndroidManifest.xml.
(iii) We can also read the smali files. Smali is an intermediate, human-readable form between the .java source and the .apk; smali/baksmali is the assembler/disassembler for the dex format used by Dalvik.
Note: If a file in the smali folder has a name like R$..., the $ indicates an inner class.
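Once apktool has decoded the APK, the AndroidManifest.xml is plain text and can be reviewed automatically. The following added example (my own code, not part of the original slides or of apktool) parses a decoded manifest and reports the items a pentester looks at first: the requested permissions, a debuggable build, backup left enabled, and components reachable by other apps without a guarding permission. It applies the platform's export rules (explicit android:exported, implicit export of components with an intent-filter below API 31, and the pre-API-17 default for providers). The manifest text below is a constructed sample, not taken from any real app; the package name and component names are placeholders.

```python
"""Review a decoded AndroidManifest.xml for common risk indicators.

Added example: after `apktool d` has produced a plain-text AndroidManifest.xml,
list requested permissions and flag debuggable, allowBackup and exported
components that have no permission protecting them.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def attr(elem, name, default=None):
    """Read an android:-namespaced attribute."""
    return elem.get(f"{{{ANDROID_NS}}}{name}", default)


def is_exported(comp, target_sdk, min_sdk):
    """Apply the platform's export rules to a component element."""
    exported = attr(comp, "exported")
    if exported is not None:
        return exported == "true"
    if comp.tag == "provider":
        # Providers default to exported when min or target SDK is 16 or lower.
        return min_sdk <= 16 or target_sdk <= 16
    # Below API 31 a component with an intent-filter is exported implicitly.
    return comp.find("intent-filter") is not None and target_sdk < 31


def review_manifest(xml_text):
    """Return a dict with package, SDK levels, permissions and a list of findings."""
    root = ET.fromstring(xml_text)
    report = {"package": root.get("package"), "permissions": [], "findings": []}
    sdk = root.find("uses-sdk")
    min_sdk = int(attr(sdk, "minSdkVersion", 1)) if sdk is not None else 1
    target_sdk = int(attr(sdk, "targetSdkVersion", min_sdk)) if sdk is not None else min_sdk
    report["min_sdk"], report["target_sdk"] = min_sdk, target_sdk
    report["permissions"] = [attr(p, "name") for p in root.findall("uses-permission")]
    app = root.find("application")
    if app is None:
        return report
    findings = report["findings"]
    if attr(app, "debuggable") == "true":
        findings.append("application is debuggable: a debugger can attach on any device")
    if attr(app, "allowBackup", "true") != "false":
        findings.append("allowBackup is not false: app data may be copied off the device by backup")
    for comp in app:
        if comp.tag not in COMPONENT_TAGS or not is_exported(comp, target_sdk, min_sdk):
            continue
        launcher = any(attr(a, "name") == "android.intent.action.MAIN" for a in comp.iter("action"))
        if launcher or attr(comp, "permission") is not None:
            continue  # the launcher activity is expected; permission-guarded ones are fine
        how = "explicitly" if attr(comp, "exported") == "true" else "implicitly"
        findings.append(f"{comp.tag} {attr(comp, 'name')} is exported {how} with no permission")
    return report


# Constructed sample of what apktool decodes; placeholder names, not a real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.sample">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="30"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".AdminActivity" android:exported="true"/>
    <service android:name=".SyncService" android:exported="true" android:permission="com.example.SYNC"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <provider android:name=".DataProvider" android:authorities="com.example.data" android:exported="false"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    result = review_manifest(SAMPLE_MANIFEST)
    print(result["package"], "minSdk", result["min_sdk"], "targetSdk", result["target_sdk"])
    print("permissions:", ", ".join(result["permissions"]))
    for finding in result["findings"]:
        print(" -", finding)
```

To use it on apktool output, read the decoded AndroidManifest.xml from the output directory and pass its text to review_manifest(). Each finding is a lead to confirm by reading the corresponding smali or decompiled class, not a vulnerability in itself.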