Pen-testing Android application

Reverse Engineering: Android Penetration Testing


· Need Android Penetration Testing

· Reverse Engineering

· Reversing an apk

What is apk


Reverse Engineering Android APKs

· Need Android Penetration Testing: Android is the most widely used mobile device OS in the world. Android applications are exposed to a variety of security risks that threaten the integrity of your apps and the safety of your end users.

· Reverse Engineering:Reverse engineering is the process of understanding how things work and reusing the information to do something. This is applicable to Android application also. There are some below mentioned reasons.

1. Reading android application code

2. Finding vulnerabilities in the code

3. Finding hard coded vulnerability in the code

4. Malware Analysis

Image for post
Image for post

· Reversing an apk:

What is an apk(Android Package Kit):APK is basically the package file format

used by android OS for distribution and installation of mobile apps.APK are

same in android as .exe in windows pc.

Every Android App consists of a file extension .apk. An Android

application is a compressed file which consists of all the resources and code

used during development. When extracted, an APK file consist of the following:

(i)META-INF:It contain 3 files where MANIFEST.MF — manifest file,

CERT.SF — signature file and CERT.RSA — the real signature file with certificate.

MANIFEST.MF: It contains various information used by the java run-time environment when loading the jar file, such as which is the main class to be run from the jar file, version of package, build number, creator of the package, security policies/permissions of java applets and java web start packages, the list of file names in the jar along with their SHA1 digests, etc.

CERT.SF: This contains the list of all files along with their SHA-1 digest.

CERT.RSA: This contains the signed contents of the CERT.SF file along with the certificate chain of the public key used for signing the contents.

Image for post
Image for post

(iI)RES: Res contain those resources which are not complied.Resources are the additional files and static content that your code uses, such as bitmaps, layout definitions, user interface strings, animation instructions, and more.

(iii)AndroidManifest.xml: Every apk includes a manifest file, which is AndroidManifest.xml, stored in the root directory of its project hierarchy. The manifest file is an important part of our app because it defines the structure and metadata of our application, its components, its requirement and its permission .

Image for post
Image for post

(iv) Resources.arsc: resources that enables app developers to separate content and external files from their application code and maintain them independently. Resources can be made configuration-aware so that strings are localized and UI layouts are adapted at runtime based on the language settings and screen properties of the device the app is running on

It’s contain unreadable file.resources.arsc file that is compiled by the Android build tool chain alongside the actual code. The resources.arsc file contains simple values, like integers, booleans and strings, as well as references to more complex resources, like UI layouts which are stored in separate binary XML files.

(v)Classes.dex: The classes compiled in the dex file format understandable by the Dalvik virtual machine.

Image for post
Image for post

5. Tools:

Dex2jar: Dex2Jar is to convert the classes.dex file of an APK to classes.jar or vice versa. So, it is possible to view the source code of an Android application using any Java de-compiler, and it is completely readable. Here, we get .class files and not the actual Java source code that was written by the application developer.

When converting DEX to JAR, you may get Out of Memory Error for large size DEX file. Here, we need to increase the size of the JVM memory in d2j_invoke script.

Note: Also, it is possible to get “.smali” files directly from the classes.dex file or vice versa. That means you can change the source code of an application directly working with this format.

JD-GUI:JD-GUI is a standalone graphical utility that displays Java source codes of “.class” files.Download respective flavor available (for UNIX, Mac and Windows systems). For windows system you can download the executable or JAR of JD-JUI.If you open the “.jar” file with JD-GUI, you can view the source code of the application which is Java classes in a readable format.

APKTOOL: It can decode resources to nearly original form and rebuild them after making some modifications


(i)Disassembling resources to nearly original form (including resources.arsc, classes.dex, 9.png. and XMLs).

(ii)Rebuilding decoded resources back to binary APK/JAR.

(iii)Organizing and handling APKs that depend on framework resources.

(iv)Smali Debugging (Removed in 2.1.0 in favor of IdeaSmali).

(v)Helping with repetitive tasks.

3. Reverse Engineering Android APKs


(i)Download the dex2jar tool from

(ii)Provide .apk file as input and convert it into .jar file. Use the below command

d2j.bat <package-name>

(iii)Launch JD-GUI, download Link

(iv)Go to File -> Open -> Select the .jar file to be opened.


(i) Download APKTOOL, give the APK file as input and decompile using the following command

Provide the link of apktool

(i) apktool d <filename>.apk

Image for post
Image for post

(ii) We can read AndroidManifest.xml

(iii) We can also read smali, smali files is nothing but an intermittent file of .java and .apk and is an assembler/disassembler for the dex format used by Dalvik.

Image for post
Image for post

Note: If in smali folder we find name like R$, it means inner class.

Image for post
Image for post

Written by

Security enthusiast working to secure web for others

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store