how to analyze "Android APK"
sorry, my English skill is not good.^^;
so if you discover a mistake of mine, please send an e-mail to me
e-mail: ykusama@keio.jp or yoshiki.kusama@linecorp.com
Introduction
hey, guys! the main topic of today is how to do Android app analysis.
recently, I have been analysing an Android app of an internal field while working at LINE corp.
but it is difficult to analyze, because this app is often obfuscated and encrypted by some tools that can be obtained from the internet and elsewhere. therefore, various skills such as analyzing PE headers or decrypting ciphers are required to analyze it, and if you want to analyze it, you need to understand assembly language a little.
there is no need to fully understand the assembly language.
The Basic Analysing About APK
Java Code from a native apk
How to restore (the process of restoration):
1.apk → dex
2.dex → jar
3.jar → class
4.class → java
this is the most popular way of analysing.
but if the apk file is obfuscated or encrypted by tools, it will be difficult to analyze.
so first, the case where it is not obfuscated or encrypted will be explained.
1.apk → dex
it is very easy. first, convert the apk file to a zip file, decompress it, and extract the dex file.
probably, if you decompress it, a class file called classes.dex will appear.
yotti$ mv apkfile.apk apkfile.zip
yotti$ unzip apkfile.zip
yotti$ ls
AndroidManifest.xml classes.dex lint.xml
: :
: :
folder structure:
├── AndroidManifest.xml
├── META-INF
│ ├── CERT.RSA
│ ├── CERT.SF
│ └── MANIFEST.MF
├── classes.dex
├── res
│ ├── drawable-hdpi
│ │ └── ic_launcher.png
│ ├── drawable-mdpi
│ │ └── ic_launcher.png
│ ├── drawable-xhdpi
│ │ └── ic_launcher.png
│ ├── drawable-xxhdpi
│ │ └── ic_launcher.png
│ ├── layout
│ │ ├── activity_main.xml
│ │ └── activity_next.xml
│ └── menu
│ └── main.xml
└── resources.arsc
but these files are binarized when converted, so it is difficult for us to read them.
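To make step 1 concrete, here is an added Python example (not part of the original page or of any tool it lists) that opens an APK as a zip, pulls out the classes*.dex entries and decodes the binary dex header: magic and version, table sizes, and the Adler-32 checksum and SHA-1 signature that let you detect a truncated or modified dex before going on to step 2. The sample APK and dex bytes are constructed inside the script, so it runs offline.

```python
import hashlib
import io
import struct
import zipfile
import zlib

HEADER_FMT = "<8sI20s20I"   # magic, Adler-32 checksum, SHA-1 signature, 20 uint32 fields
HEADER_SIZE = 0x70
FIELDS = ("file_size", "header_size", "endian_tag", "link_size", "link_off",
          "map_off", "string_ids_size", "string_ids_off", "type_ids_size",
          "type_ids_off", "proto_ids_size", "proto_ids_off", "field_ids_size",
          "field_ids_off", "method_ids_size", "method_ids_off",
          "class_defs_size", "class_defs_off", "data_size", "data_off")

def extract_dex_files(apk_bytes):
    """Step 1: an APK is a zip; return every classes*.dex entry as (name, bytes)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return [(n, z.read(n)) for n in z.namelist()
                if n.startswith("classes") and n.endswith(".dex")]

def parse_dex_header(dex):
    """Decode the 0x70-byte dex header and check its checksum, signature and size."""
    if len(dex) < HEADER_SIZE:
        raise ValueError("too short to be a dex file")
    magic, checksum, sha1, *rest = struct.unpack_from(HEADER_FMT, dex, 0)
    if magic[:4] != b"dex\n" or magic[7:8] != b"\x00":
        raise ValueError("bad dex magic: %r" % magic)
    info = dict(zip(FIELDS, rest))
    info["version"] = magic[4:7].decode("ascii")               # e.g. "035"
    info["checksum_ok"] = zlib.adler32(dex[12:]) == checksum   # covers everything after the checksum
    info["signature_ok"] = hashlib.sha1(dex[32:]).digest() == sha1  # covers everything after the signature
    info["size_ok"] = info["file_size"] == len(dex)
    return info

def build_sample_dex(version=b"035"):
    """Constructed sample (not from a real app): a header-only dex with empty tables."""
    fields = [HEADER_SIZE, HEADER_SIZE, 0x12345678] + [0] * 17
    body = struct.pack("<20I", *fields)
    sha1 = hashlib.sha1(body).digest()
    checksum = zlib.adler32(sha1 + body)
    return struct.pack("<8sI20s", b"dex\n" + version + b"\x00", checksum, sha1) + body

def build_sample_apk():
    """Constructed sample APK: a zip holding a manifest placeholder and one classes.dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<placeholder/>")
        z.writestr("classes.dex", build_sample_dex())
    return buf.getvalue()
```

For a real file, call `extract_dex_files(open("app.apk", "rb").read())` and pass each returned dex to `parse_dex_header`; a failed checksum or signature means the dex was modified or truncated after it was built.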
2.dex → jar
clone it from github or download it from this site
site: https://sourceforge.net/projects/dex2jar/files/
yotti$ git clone https://github.com/pxb1988/dex2jar.git
Cloning into 'dex2jar'...
remote: Enumerating objects: 12780, done.
remote: Total 12780 (delta 0), reused 0 (delta 0), pack-reused 12780
Receiving objects: 100% (12780/12780), 8.48 MiB | 2.11 MiB/s, done.
Resolving deltas: 100% (1618/1618), done.
yotti$ chmod +x dex2jar/*
restoring the jar file from the dex file.
we are going to use dex2jar, which converts dex to jar.
if you want to know details of the tools, please see the links in the tools list.
yotti$ sh d2j-dex2jar.sh -f classes.dex
when this command is executed, a file called classes-dex2jar.jar will appear.
3.jar → class
it is easy; we can rewrite the converted jar file into class files.
the procedure is the same as procedure 1: rename the jar file to a zip file.
next, we decompress it.
yotti$ mv classes-dex2jar.jar apk.zip
yotti$ unzip apk.zip
this is the folder structure:
├── AndroidManifest.xml
├── META-INF
│ ├── CERT.RSA
│ ├── CERT.SF
│ └── MANIFEST.MF
├── classes.dex
├── res
│ ├── drawable-hdpi
│ │ └── ic_launcher.png
│ ├── drawable-mdpi
│ │ └── ic_launcher.png
│ ├── drawable-xhdpi
│ │ └── ic_launcher.png
│ ├── drawable-xxhdpi
│ │ └── ic_launcher.png
│ ├── layout
│ │ ├── activity_main.xml
│ │ └── activity_next.xml
│ └── menu
│ └── main.xml
├── resources.arsc
├── line
│ └── jp
│ └── tumutusmu
│ ├── ~.class
│ ├── ~.class
│ ├── ~.class
│ └── ~.class
└── android
new folders (line, android) are made by it.
4.class → java
we can see the Java code by using Java Decompiler.
├── android
├── com
│ ├── android/vending...
│ ├── :
│ └── :
├── javax
├── res
│ ├── drawable-hdpi
│ ├── :
│ └── :
├── jp
├── org
├── :
├── :
├── :
this is the code before conversion:
@Override
protected void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);
    setContentView(R.layout.activity_main);
}
this is the code after conversion:
private boolean IsCorrectPassWord()
{
    String s = mInputPassWord.getText().toString();
    Log.d("forDebug", (new StringBuilder("inputText = ")).append(s).toString());
    return s.equals("test");
}
I think that you can read the Java code.
if this content has a mistake, please send an e-mail to me or commit to this repository.
thank you for reading up to here!!!
tools list
・dex2jar(https://github.com/pxb1988/dex2jar)
・Java Decompiler(http://jd.benow.ca/)
・apktool(http://ibotpeaches.github.io/Apktool/install/)
・androguard(I don't use it)
the next topic is how to analyze by using frida.
how to analyze by using frida
Do you know frida? frida is a dynamic instrumentation toolkit for reverse-engineering and discovering security holes.
so, the first step is to install it on your machine.
The easiest way to install it is using pip
pip install frida-tools # CLI tools
pip install frida # Python bindings
npm install frida # Node.js bindings
if you are using a different OS, look here
https://github.com/frida/frida
command list
trace an Android apk from the command line
frida-trace -U -i *Func* app
trace a Windows process from the command line
frida-trace -i *Func* notepad.exe
show the process list from the command line
frida-ps
I want to write how to analyze by using frida in the near future.