Scribd
Upload
521 views22 pages

Reverse Engineering Android Apps Guide

This document provides an overview of reverse engineering Android apps. It discusses obtaining target apps from a phone or Google Play, disassembling the APK file using tools like Apktool and Dex2jar, and decompiling the Dalvik bytecode into Smali or Java code using decompilers. It also demonstrates how to use the Santoku Linux platform, which contains tools for mobile forensics, malware analysis, and app assessment.

Uploaded by

Sin Sin
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
521 views22 pages

Reverse Engineering Android Apps Guide

This document provides an overview of reverse engineering Android apps. It discusses obtaining target apps from a phone or Google Play, disassembling the APK file using tools like Apktool and Dex2jar, and decompiling the Dalvik bytecode into Smali or Java code using decompilers. It also demonstrates how to use the Santoku Linux platform, which contains tools for mobile forensics, malware analysis, and app assessment.

Uploaded by

Sin Sin
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd

Beginners Guide to Reverse Engineering

Android Apps
SESSION ID: STU-W02B

Pau Oliva Fora


Sr. Mobile Security Engineer
viaForensics
@pof

Agenda

Anatomy of an Android app

Obtaining our target apps

Getting our hands dirty: reversing the target application

Demo using Santoku Linux

#RSAC

Anatomy of an
Android app

Anatomy of an Android app

Simple ZIP file, renamed to


APK extension

App resources

Signature

Manifest (binary XML)

#RSAC

Obtaining our target


apps

Getting the APK from the phone

Backup to SD Card:

APKOptic

Astro file manager

etc

#RSAC

Getting the APK from the phone

Using ADB (Android Debug Bridge):

adb shell pm list packages

adb pull /data/app/package-name-1.apk

#RSAC

Downloading the APK from Google Play

Using unofficial Google Play API:

https://github.com/egirault/googleplay-api

Using a web service or browser extension:

http://apps.evozi.com/apk-downloader/

http://apify.ifc0nfig.com/static/clients/apk-downloader/

#RSAC

Downloading the APK from Google Play

Using unofficial Google Play API:

https://github.com/egirault/googleplay-api

Using a web service or browser extension:

http://apps.evozi.com/apk-downloader/

http://apify.ifc0nfig.com/static/clients/apk-downloader/

#RSAC

Getting our hands


dirty: reversing the
target application

Disassembling

DEX

Smali
#RSAC

11

Apktool

apktool https://code.google.com/p/android
-apktool/

Multi platform, Apache 2.0 license

Decode resources to original form


(and rebuild after modification)

Transforms binary Dalvik bytecode


(classes.dex) into Smali source

#RSAC

12

Smali

#RSAC

13

Decompiling Java Decompiler

DEX

JAR

JAVA
#RSAC

14

Dex2Jar

dex2jar - https://code.google.com/p/dex2jar/

Multi platform, Apache 2.0 license

Converts Dalvik bytecode (DEX) to java bytecode (JAR)

Allows to use any existing Java decompiler with the resulting JAR file

#RSAC

15

Java Decompilers

Jd-gui - http://jd.benow.ca/

Multi platform

closed source

JAD - http://varaneckas.com/jad/

Multi platform

closed source

Command line

Others: Dare, Mocha, Procyon,


#RSAC

16

Decompiling Android (Dalvik) decompiler

DEX

JAVA
#RSAC

17

Dalvik Decompilers

Transforming DEX to JAR looses important metadata that the


decompiler could use.

Pure Dalvik decompilers skip this step, so they produce better output

Unfortunately there are not as many choices for Android decompilers


as for Java decompilers:

Open Source: Androguards DAD - https://code.google.com/p/androguard/

Commercial: JEB - http://www.android-decompiler.com/

Others?

#RSAC

18

Demo Santoku

Demo Santoku Linux

Santoku Linux https://santoku-linux.com/

Mobile Forensics

Mobile Malware analysis

Mobile application
assessment

#RSAC

20

Summary

APK files are ZIP files, can be extracted with any unzip utility

Apktool helps extracting binary resources, and allows repacking

Dex2jar converts Dalvik Bytecode to Java Bytecode

Pure Android decompilers are better

Santoku Linux has all the tools you need to reverse engineering
mobile apps

#RSAC

21

Q&A | Contact | Feedback

Thanks for listening

@pof

github.com/poliva

poliva@viaforensics.com

#RSAC

22

You might also like