Log of the Security

The main topics of this blog are computer science subjects such as Security, Operating Systems, and others

How to Analyze an Android APK

Sorry, my English skill is not good. ^^;
So if you discover a mistake of mine, please send an e-mail to me.
e-mail: ykusama@keio.jp or yoshiki.kusama@linecorp.com

Introduction

Hey, guys! Today's main topic is how to analyze Android apps.
Recently, I have been analysing an internal Android app in my work at LINE Corp.
But it is difficult to analyze, because this kind of app is often obfuscated and encrypted by tools that can be obtained from the internet and elsewhere. Therefore, various skills, such as analyzing the PE header or decrypting ciphers, are required to analyze it, and if you want to analyze it, you need to understand assembly language a little.
There is no need to fully understand assembly language.

Basic APK Analysis

How to restore Java code from a native APK

The restoration process:

1.apk → dex
2.dex → jar
3.jar → class
4.class → java

This is the most popular way of analysing.
But if the APK file is obfuscated or encrypted by tools, it will be difficult to analyze.
So first, a case where it is not obfuscated or encrypted will be explained.

1.apk → dex
It is very easy. First, rename the APK file to a zip file, decompress it, and extract the dex file.
Probably, once you decompress it, a file called classes.dex will appear.

yotti$ mv apkfile.apk apkfile.zip
yotti$ unzip apkfile.zip
yotti$ ls
AndroidManifest.xml classes.dex	lint.xml
             :                 :
             :                 :   

Folder structure:

├── AndroidManifest.xml
├── META-INF
│   ├── CERT.RSA
│   ├── CERT.SF
│   └── MANIFEST.MF
├── classes.dex
├── res
│   ├── drawable-hdpi
│   │   └── ic_launcher.png
│   ├── drawable-mdpi
│   │   └── ic_launcher.png
│   ├── drawable-xhdpi
│   │   └── ic_launcher.png
│   ├── drawable-xxhdpi
│   │   └── ic_launcher.png
│   ├── layout
│   │   ├── activity_main.xml
│   │   └── activity_next.xml
│   └── menu
│       └── main.xml
└── resources.arsc

However, these files are in binary form after conversion, so they are difficult for us to read.

2.dex → jar
Get dex2jar from GitHub or download it from the site below.
site: https://sourceforge.net/projects/dex2jar/files/

yotti$ git  clone https://github.com/pxb1988/dex2jar.git
Cloning into 'dex2jar'...
remote: Enumerating objects: 12780, done.
remote: Total 12780 (delta 0), reused 0 (delta 0), pack-reused 12780
Receiving objects: 100% (12780/12780), 8.48 MiB | 2.11 MiB/s, done.
Resolving deltas: 100% (1618/1618), done.
yotti$ chmod +x dex2jar/*

Restore the jar file from the dex file.
We are going to use dex2jar, which converts dex to jar.
If you want to know more about the tool, please see the link in the tools list.

yotti$ sh d2j-dex2jar.sh -f classes.dex 

When this command is executed, a file called classes-dex2jar.jar will appear.

3.jar → class
This is easy: we can turn the converted jar file into class files.
The procedure is the same as in step 1: rename the jar file to a zip file.
Next, we decompress it.

yotti$ mv classes-dex2jar.jar apk.zip
yotti$ unzip apk.zip

This is the folder structure:

├── AndroidManifest.xml
├── META-INF
│   ├── CERT.RSA
│   ├── CERT.SF
│   └── MANIFEST.MF
├── classes.dex
├── res
│   ├── drawable-hdpi
│   │   └── ic_launcher.png
│   ├── drawable-mdpi
│   │   └── ic_launcher.png
│   ├── drawable-xhdpi
│   │   └── ic_launcher.png
│   ├── drawable-xxhdpi
│   │   └── ic_launcher.png
│   ├── layout
│   │   ├── activity_main.xml
│   │   └── activity_next.xml
│   └── menu
│       └── main.xml
├── resources.arsc
├── line
│   └── jp
│       └── tumutusmu
│           ├── ~.class
│           ├── ~.class
│           ├── ~.class
│           └── ~.class
└── android

New folders (line, android) are created by this.

4.class → java
we can see the Java code by using Java Decompiler.

├── android
├── com
│   ├── android/vending...
│   ├──       :
│   └──       :
├── javax
├── res
│   ├── drawable-hdpi
│   ├──       :
│   └──       :
├── jp
├── org
├── :
├── :
├── :

This is the code before conversion:

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
    }

This is the code after conversion:

    private boolean IsCorrectPassWord()
    {
        String s = mInputPassWord.getText().toString();
        Log.d("forDebug", (new StringBuilder("inputText = ")).append(s).toString());
        return s.equals("test");
    }

I think that you can read the Java code.
If there is a mistake in this content, please send an e-mail to me or commit to this repository.
Thank you for reading up to here!!!
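
Steps 1 and 3 both unpack a ZIP container, so the check can be scripted without renaming anything. The Python below is an added example, not code from the original post: it reads an APK or JAR in place, lists every .dex and .class entry, and checks the magic bytes so that a packed or encrypted classes.dex is noticed before dex2jar is run. It goes slightly beyond the text by also handling additional dex files such as classes2.dex; the function names and the in-memory sample archive are constructed for illustration.

```python
import io
import struct
import zipfile

DEX_MAGIC = b"dex\n"               # followed by 3 ASCII version digits and a NUL
CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # Java class file magic


def classify(name, head):
    """Judge one archive entry by its first 8 bytes; returns (kind, detail)."""
    if name.endswith(".dex"):
        if head[:4] == DEX_MAGIC and head[4:7].isdigit() and head[7:8] == b"\x00":
            return "dex", "DEX version " + head[4:7].decode()
        return "dex?", "bad magic (packed or encrypted?)"
    if name.endswith(".class"):
        if head[:4] == CLASS_MAGIC and len(head) == 8:
            return "class", "class file major version %d" % struct.unpack(">H", head[6:8])[0]
        return "class?", "bad magic"
    return None, None


def inspect_archive(archive):
    """List .dex and .class entries of an APK or JAR (path or file object)."""
    found = []
    with zipfile.ZipFile(archive) as zf:   # no rename to .zip needed
        for info in zf.infolist():
            with zf.open(info) as fh:
                head = fh.read(8)          # header only, nothing written to disk
            kind, detail = classify(info.filename, head)
            if kind:
                found.append((info.filename, kind, detail))
    return found


def build_sample():
    """Constructed sample: a tiny fake APK in memory, not a real app."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
        zf.writestr("classes2.dex", b"\x8f\x11\x22\x33\x44\x55\x66\x77")  # not DEX
        zf.writestr("jp/example/Main.class", CLASS_MAGIC + struct.pack(">HH", 0, 52))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, kind, detail in inspect_archive(build_sample()):
        print("%-24s %-7s %s" % (name, kind, detail))
```

Pass a real file path to inspect_archive() to check an APK before step 2 or a converted jar before step 4.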

Tools list
・dex2jar(https://github.com/pxb1988/dex2jar)
・Java Decompiler(http://jd.benow.ca/)
・apktool(http://ibotpeaches.github.io/Apktool/install/)
・androguard(I don't use it)

References (book & link)
・Android Hacker's Handbook: https://www.amazon.co.jp/Android-Hackers-Handbook-Joshua-Drake/dp/111860864X
・https://qiita.com/laprasDrum/items/ab148b0475b6e82de74c
・https://qiita.com/totem/items/48f25abd5769315afa18

The next topic is how to analyze using Frida.

How to analyze using Frida

Do you know Frida? Frida is a dynamic instrumentation toolkit for reverse engineering and discovering security holes.
So, the first step is to install it on your machine.

The easiest way to install it is using pip:

pip install frida-tools # CLI tools
pip install frida       # Python bindings
npm install frida       # Node.js bindings

If you are using a different OS, look here:
https://github.com/frida/frida

Command list

Trace an Android app from the command line:

frida-trace -U -i "*Func*" app

Trace a Windows process from the command line:

frida-trace -i "*Func*" notepad.exe

Show the process list from the command line:

frida-ps

I want to write about how to analyze using Frida in the near future.