10. Reverse Engineering

Android Reverse Engineering is the process of analysing and deconstructing Android applications (APKs) to understand their functionality, uncover vulnerabilities, or extract sensitive information. This practice involves examining an app's code, resources, and structure to identify security flaws, study the app's behaviour, and even modify or repurpose the app for malicious purposes.

Key Benefits and Insights from Reverse Engineering Android Applications:

Reverse engineering an Android app can reveal critical information, including:

1. API Keys: Hardcoded keys used to authenticate with external services.

2. Passwords: Embedded credentials, such as login details or database passwords.

3. URLs: Endpoints for API requests or external services the app communicates with.

4. Sensitive Tokens: Authentication tokens or session IDs that could allow unauthorized access.

5. Private Data: Any stored user data or sensitive information that may be inadequately protected.

6. Network Requests: Unencrypted or insecure network communications that may expose user data.

7. Debugging Tools: Presence of debugging or logging information, which may be useful for attackers.

8. Malicious Payloads: Hidden or harmful code, including spyware, ad fraud modules, or exploits.

9. Encryption Mechanisms: Flaws in the app’s custom encryption algorithms, which may be weak or improperly implemented.

10. App Logic: Business logic flaws, unprotected workflows, or unanticipated behaviors that could be exploited.

Starting Points for Reverse Engineering

Reverse engineering involves identifying the best place to start your analysis, especially when dealing with large Android applications. Here are the key starting points:

1. Define Your Goal

   • Begin with a clear understanding of what you want to achieve. Focus on answering a specific question or solving a particular problem to avoid distractions.

2. Target Relevant API Calls

   • Look for API calls related to the behaviour you're investigating. For example, if you're analysing SMS functionality, focus on methods like sendTextMessage or sendMultipartMessage.

3. Analyse App Entry Points

   • Start at entry points like onCreate() or onResume(), which are critical for understanding the app's executable code and workflows. Skip non-executable or "dead" code.

4. Inspect Decryption Methods

   • If strings or data are encrypted or obfuscated, locate methods that process these strings. Focus on DE Obfuscation or decryption routines to uncover meaningful information. These starting points provide a structured approach to static analysis, helping you efficiently navigate large applications.

Common Tools for Android Reverse Engineering

1. APKTool

APKTool is a tool for disassembling and reassembling APK files. It can decode resources and rebuild APKs, allowing reverse engineers to inspect and modify the app's structure, including its resources (like XML, images, and other files). Key Features:

• Decode APK into its resources and Smali code.

• Rebuild APK after modifications.

• Decode and modify AndroidManifest.xml.

• Handle resources (images, layouts, and other assets).

• Handle decompilation and reassembly of app code. Important Commands:

• Decompile APK:

apktool d app.apk

This command disassembles the APK into a directory containing the app’s resources and Smali code.

• Rebuild APK:

apktool b app_folder

After making changes to the app folder, this command rebuilds the APK.

• Decompile with a specified output folder:

apktool d app.apk -o output_folder

• Install APK on Device: After modifying the APK, you can reinstall it directly:

adb install app.apk

Use Case: APKTool is used to extract and modify app resources, including layouts, images, and manifest files. It's also useful for understanding how an app is structured and for reassembling an app after modifications.

---

2. JADX

JADX is a tool for decompiling APK files (specifically .dex files) into readable Java source code. It allows reverse engineers to understand the Java logic and functions of an Android app, even after it's been compiled. Key Features:

• Decompile .dex files to Java code.

• User-friendly interface with the ability to browse code, classes, and methods.

• Can handle multi-Dex files and libraries.

• Useful for static analysis to uncover app logic and sensitive data. Important Commands:

• Decompile APK:

  jadx -d output_folder app.apk

  This command decompiles the APK into Java source code, saving it to the specified directory.

• View Decompiled Code in GUI:

  jadx-gui app.apk

  This opens the APK in a graphical interface, making it easier to navigate through the code.

• Decompile .dex Files: If you want to decompile specific .dex files, you can use:

  jadx -d output_folder classes.dex

Use Case:

JADX is used to convert the APK’s bytecode into readable Java source code, enabling reverse engineers to study the app’s logic, workflows, and identify potential vulnerabilities or flaws.

---

3. Dex2Jar

Dex2Jar is a tool that converts .dex (Dalvik Executable) files into .jar (Java ARchive) files, which can then be analysed using standard Java decompiles (like JD-GUI). Key Features:

• Convert .dex files to .jar format.

• Use standard Java decompilers to analyze the converted .jar files.

• Allows for deeper analysis of the app's logic by providing access to Java classes and methods. Important Commands:

• Convert .dex to .jar:

  dex2jar classes.dex

  This command converts the classes.dex file into a .jar file that can be analyzed further.

• Convert all .dex files in an APK:

  dex2jar -f app.apk

  This command converts all .dex files within an APK into a .jar file.

• Use JD-GUI for Viewing: Once the .jar file is created, you can open it in a Java decompiler, like JD-GUI, to view the code.

Use Case: Dex2Jar is used to convert .dex files to .jar format, allowing reverse engineers to use more familiar Java decompiles for analysis.

---

4. Androguard

Androguard is a powerful Python-based reverse engineering tool for analysing and inspecting Android APK files. It allows for both static and dynamic analysis of APKs and provides a range of features to decompile, analyse, and extract information from Android apps. Key Features:

• Supports static and dynamic analysis.

• Extracts information from APK files, including certificates, permissions, and more.

• Can decompile APKs, extract resources, and inspect bytecode.

• Supports analysis of .dex, .apk, and other Android formats.

• Integrates with other tools like IDA Pro for advanced analysis. Important Commands:

• Decompile APK:

  androguard decompile app.ap

  This command decompiles the APK and shows the extracted bytecode and resources.

• Inspect APK Manifest:

  androguard -m app.apk

  This command extracts and displays information about the AndroidManifest.xml, including permissions and components.

• Extract Classes:

  androguard classes app.apk

  Extracts and lists all classes in the APK, providing insight into the app’s functionality.

• Analyse APK’s Permissions:

  androguard perms app.apk

  This command will list the permissions required by the app.

Use Case: Androguard is used for in-depth static analysis of Android APKs. It can be used for inspecting the manifest, extracting classes, analysing permissions, and even performing more complex analysis using Python scripts.

Summary of Tools:

1. APKTool: Best for disassembling and reassembling APK files, extracting resources, and inspecting Smali code.

2. JADX: Ideal for converting .dex files to readable Java source code for static analysis of app logic.

3. Dex2Jar: Converts .dex files into .jar files, enabling deeper analysis using Java decompilers.

4. Androguard: A comprehensive Python tool that allows static and dynamic analysis, decompiling, and inspecting Android apps for detailed analysis. Each tool has its own unique features and can be combined with others for a complete reverse engineering workflow.