In today’s era Smartphones have become an essential part of everyone’s life, which raises a major concern in terms of security & privacy. Protecting smartphone devices against different security threats has become a major issue. Smartphones have been a vulnerable target for a long time. Due to the increase in a number of infected/affected applications, certain security measures like code signing, app isolation etc., had to be taken.
Android Operating system, previously developed by Android Inc & currently owned by Google is not only popular among the smartphone users and developers but also popular among the hackers as they continue to be a prime target.
In this blog, we will discuss different tools that are used & freely available to perform reverse engineering.
But before we move towards the reverse engineering aspect let’s understand some basic concepts that will help is our task.
The Android architecture is made up of the following four layers (3): –
- A Linux Kernel that supports multi processes and multithreads. Every application has its own Linux ID and runs in a separate process. Two applications with the same ID can exchange data between them.
- Some Open source libraries.
- Android run-time environment, wherein a Dalvik Virtual Machine runs an application in the dex binary format.
- An application framework that possesses a Java interface. This layer consists of the Android NDK and SDK.
- Some pre-installed core applications.
The Android security model is based on a permission and sandbox mechanism. Each application runs in its own Dalvik Virtual Machine with a unique ID assigned to them. This prevents an application from hampering information/data of another application. But still, we need to how each application works and with what permission, connections, and activities it is involved with. This is where Reverse Engineering Comes into picture.
According to Wikipedia,
“Reverse engineering, also called Black engineering, is the process of extracting knowledge or design information from anything man made and reproducing it or reproducing anything based on the extracted information. The process often involves disassembling something (a mechanical device, electronic component, computer program, or biological, chemical, or organic matter) and analyzing its components and workings in detail”
So basically, Reverse Engineering an Android application aid us in discovering and understanding the complete working of the application by learning its operation, structure, and functions. Reverse engineering of Android applications will help us to:
- Read the code.
- Understand the code.
- Find loopholes in the code level.
- Locate sensitive data which might be hardcoded into the application’s code.
- Migration of applications during a change to a new hardware platform
- Perform Malware Analysis.
- Modify the existing code/functionality of an existing application.
There are two processes involved in reverse engineering: Disassembly and Decompilation
Disassembly is the process of translating machine language into assembly language. The output of a disassembler is often formatted for human readability rather than focusing on suitability for input to an assembler.
Generally speaking, Decompilation is the inverse of compilation. Here we are translating an executable file into a source code with a more readable format, i.e. higher level language. It’s not possible to have a fully automated Decompilation. No decompiler can get the exact source code that the developer wrote.
There are numerous reverse engineering tools.
We will cover some of the common ones that nearly all pentester use, like apktool, Dex2jar, JD-Gui etc.
The APK, Android Application Package, a bundle is the format used to package any application you develop or that you can get from Google Play Store or any other channel. In other words, for each application present on your device, there is a corresponding APK file (this is true also for pre-installed applications).
An APK file is essentially a ZIP file, so you can get one, rename it and then extract it to have access to its content.
|AndroidManifest.xml||The binary xml file that provides information that a device needs in order to run the app.|
|classes.dex||The application code compiled in the dex format.|
|resources.arsc||Binary XML file containing precompiled application resources.|
|res/||Folder containing resources that are not compiled into resources.arsc file|
|assets/||This folder containing applications’ raw assets. AssetManager Provides access to these asset files|
|META-INF/||It contains the MANIFEST.MF file, which stores meta data about the contents of the JAR.
The signature of the APK is also stored in this folder.
|lib/||This folder contains compiled the code – i.e. native code libraries.|
Well DEX, an acronym for Dalvik Executable, is a file format that contains compiled code written for Android and can be interpreted by the Dalvik virtual machine or by the Android Runtime (ART).
When an APK file is produced by the Android build system, the Java classes are first compiled into .class files and later a tool called dx will convert these files into the DEX format.
- As we can see in the above diagram, the java code (application source code) is compiled with the java compiler, giving the output in the form of ‘.class’ files.
- The ‘.class’ files of the application code and the other ‘.class’ files are compiled with the help of dx compiler to form a ‘dex’ file.
- The ‘dex’ file, along with resources required by the application & the AndroidManifest.xml file [which defines the permission of the application] is packaged together and compiled with the help of aapt (Android Asset Packaging Tool) & apkbuilder to form an ‘APK’.
The above is the engineering process of the android applications. Reverse engineering of the android application becomes easier to understand with the following diagram:
Before we can proceed to use the tools. The first step is to get the hands on the APK file. The best way is to get it from your mobile using Android Debug Bridge (adb).
- First, determine the name of the package of the app.
adb shell pm list packages
- Get the full path name of the APK file for the desired package.
adb shell pm path com.example.someapp
- Pull the APK file from the Android device to the test environment.
adb pull /data/app/com.example.someapp-2.apk path/to/desired/destination
A third-party tool for reverse engineering closed binary Android apps.
It can decode resources to nearly original form and can also rebuild them after making some modifications. It also makes working with an application easier due to the project like file structure and automation of some repetitive tasks like decoding, building apk, etc.
- Apktool is capable of disassembling applications to nearly original form and repackaging them after certain modifications.
- It can be used for debugging the smali code.
- It can be utilized for modifying/adding some support or features for customer platforms and for localizing.
- It provides automation of some tasks which are recurring which in return helps the user by making easier interaction of the user to work with the apps.
The following picture shows all that possible usage with apktool
The primary component of android and main program logic of an android app is within the classes.dex file. This file is not user readable. The Dex2jar is used to convert the file to readable classes format for the user to view. With this tool, it is possible to view the source code of an application as a Java code.
Usage: Convert .dex file to .class files (zipped as jar)
sh d2j-dex2jar.sh -f ~/path/to/apk_to_decompile.apk
And the output file will be apk_to_decompile-dex2jar.jar.
JD-GUI is a standalone graphical utility that displays Java source codes of “.class” files. You can browse the reconstructed source code with the JD-GUI for instant access to methods and fields. So basically, it is GUI Java .class decompiler.
The above picture shows a sample jar file in JD-GUI.
The simple way to reverse engineer using above is
- Rename your test.apk => test.zip
- Extract test.zip then open that folder
- Copy classes.dex file from the test folder
- Past to dex2jar Extracted folder
- run the command d2j-dex2jar.bat classes.dex
- Move classes-dex2jar.jar file to JD-GUI
- Now you set to analyze the reverse engineered data
If you want some automated method and don’t want to go through all above steps then you can use the following two tools.
It is a static, virtual application analysis tool. One can use it to analyze API references, view application architecture and dependencies, and disassemble byte codes in Android apps. It provides insight into the composition of your APK. It provides a good-looking UI for your application architecture and dependencies.
- View absolute and relative size of files in the APK (such as DEX and Android resource files).
- Understand the composition of DEX files.
- Quickly view final versions of files in the APK (such as the AndroidManifest.xml).
- Perform a side-by-side comparison of two APKs.
To launch it, execute:
java -jar ApkAnalyser.jar
The use it:
- Launch Apk analyzer application.
- Set required paths like android sdk and apk file location.
- Start analyzing the application by selecting File -> Analyse. This would take the time to dissemble the apk.
Byte Code Viewer
According to the developer, Konloch, Bytecode Viewer is an Advanced Lightweight Java Bytecode Viewer, GUI Java Decompiler, GUI Bytecode Editor, GUI Smali, GUI Baksmali, GUI APK Editor, GUI Dex Editor, GUI APK Decompiler, GUI DEX Decompiler, GUI Procyon Java Decompiler, GUI Krakatau, GUI CFR Java Decompiler, GUI FernFlower Java Decompiler, GUI DEX2Jar, GUI Jar2DEX, GUI Jar-Jar, Hex Viewer, Code Searcher, Debugger and more.
So, this post ventures some of the tools that almost all pentesters use to reverse engineer an Android app. The basic motto is to get and read the code, know the activates and interactions of the app. We saw how to use get apk – > dex -> jar ->code. So, using all above methods we get a readable code for the app. Now either we can simply analyze it for it is functions or malware or modify / all things according to our purpose.