Obligatory quote taken from Sun Tzu’s “The Art of War”.
Opening paragraph which draws parallels between aforementioned quote and application security, containing at least one capitalised acronym, and mentioning “NSA” getting your pale white ass, if at all possible.
We shall take on the role of a developer, who wishes to review their Android application in order to verify its security controls, the protection measures they have implemented, and generally, the proper operation of the universe. Of course, someone might also want to reverse an Android application for fun or profit. If you belong in the former category, run. Seriously, just go for a run. The endorphin high cannot compare with the merciless torture Google’s OS can - and undoubtedly will - inflict upon your unsuspecting soul. If you belong in the latter category, I can only hope this activity either nets you a serious amount of cash, or that you will learn from other people’s collective mistakes.
At any rate, an attacker can obtain our application as well, so we need to know what kind of information we are feeding them as part of our normal mode of operation. Does it include sensitive information? Can they easily spot bugs in our code? Is it easy to circumvent our security controls and manipulate our app’s users?
We can answer all those questions by reversing the application we have uploaded to the Google Play store. How to do that, you say? Here is how:
DISCLAIMER: I am neither endorsing nor suggesting I have reviewed the tools mentioned below. Other tools may be more appropriate for your purposes.
- Download the Android SDK (Eclipse/ADT) and unzip it
- Download dex2jar and unzip it
- Download JD-GUI and unzip it
- If you have an Android device which you’ll use:
  - Connect your Android device to your laptop/desktop
  - Install APK Extractor on your Android device
  - Download your target application from Google Play
  - Run APK Extractor to send the .apk file to your laptop/desktop
- If you do not have an Android device, and since you are the application developer, you can grab the .apk straight from the source, by building your application
- In Eclipse/ADT, click File > New > Java Project
- Name your project, then click Finish
- Right click on the project in the Project Navigator, and select Build Path > Configure Build Path
- In the Libraries tab, select “Add External JARs”, browse to the directory where you unzipped dex2jar, select all the .jar files, and click Open > OK
- Drag your .apk file into the Eclipse/ADT project (choose Copy Files > OK)
- Right click on your project, then click Run As > Run Configurations
- Right click on Java Application, then click New
- Set Project to the same name you assigned to your project
- Set Main class to
- Go to the “Arguments” tab, and type the name of the .apk file in the field Program arguments
- Click Run. A .jar file is now created in your project workspace directory. You can find it by right-clicking your project and selecting Properties > Resource > Location
- Run JD-GUI and point it to the .jar file
- Et voila, Java code!
Now, you will observe this is not the usual verbose Java code we write. It will be filled with generic names like a, b and so forth, and sometimes no Java code will be presented at all. This may be the result of an obfuscator (ProGuard, which ships with the SDK, renames classes, methods and fields to short meaningless identifiers), or simply bug(s) in the decompiler. Sometimes particularly weird constructs will be presented to you which will definitely need a little more than a glance to figure out. Nevertheless, if an attacker can do it, damn it, so can we.
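Before (or instead of) reaching for dex2jar, the zip listing of the .apk and the string pool of classes.dex are the first things an attacker reads, and identifier-renaming obfuscators such as ProGuard leave string literals exactly as you wrote them. The script below is an added example, not code from the original post or from any of the tools it mentions: it constructs a minimal classes.dex and a sample .apk in memory (so it runs offline with nothing but the Python standard library), then triages the archive the way a reviewer would. The sample strings, the entry names and the SUSPICIOUS markers are the example’s own constructed data.

```python
"""Added example: triage an .apk before decompiling it.

Lists the archive entries and pulls the string pool straight out of
classes.dex, which an attacker sees even when class and method names
have been mangled by an obfuscator.
"""
import io
import struct
import zipfile
import zlib

DEX_MAGIC = b"dex\n035\0"   # dex format version 035; the header layout is shared by 037-039
HEADER_SIZE = 0x70          # fixed-size header_item

# Constructed sample strings standing in for a real app's string pool.
SAMPLE_STRINGS = [
    "Lcom/example/app/LoginActivity;",
    "onCreate",
    "https://api.example.com/v1/login",
    "X-Debug-Token",
    "staging_password=changeme",
]
# Markers a reviewer greps for; this list is the example's own choice.
SUSPICIOUS = ("http://", "https://", "password", "secret", "token")


def encode_uleb128(value):
    out = bytearray()
    while True:
        byte, value = value & 0x7F, value >> 7
        out.append(byte | 0x80 if value else byte)
        if not value:
            return bytes(out)


def decode_uleb128(buf, off):
    result = shift = 0
    while True:
        byte, off = buf[off], off + 1
        result |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return result, off


def build_minimal_dex(strings):
    """Constructed fixture: a dex holding only a header and a string pool.
    Real files also carry types, methods and code; header and string_ids
    follow the spec layout, so parse_dex_strings() works on both."""
    string_ids_off = HEADER_SIZE
    data_off = string_ids_off + 4 * len(strings)
    data, offsets = bytearray(), []
    for s in strings:
        offsets.append(data_off + len(data))
        # string_data_item: uleb128 utf16 length, MUTF-8 bytes, NUL terminator
        data += encode_uleb128(len(s)) + s.encode("utf-8") + b"\0"
    body = b"".join(struct.pack("<I", o) for o in offsets) + bytes(data)
    header_tail = struct.pack(
        "<20I",
        HEADER_SIZE + len(body), HEADER_SIZE, 0x12345678,  # file_size, header_size, endian_tag
        0, 0, 0,                       # link_size, link_off, map_off (none in this fixture)
        len(strings), string_ids_off,  # string_ids_size, string_ids_off
        0, 0, 0, 0, 0, 0, 0, 0, 0, 0,  # type/proto/field/method/class_defs size+off
        len(data), data_off)           # data_size, data_off
    # checksum is Adler-32 over everything after the checksum field itself
    rest = b"\0" * 20 + header_tail + body   # 20 zero bytes where the SHA-1 would go
    return DEX_MAGIC + struct.pack("<I", zlib.adler32(rest) & 0xFFFFFFFF) + rest


def parse_dex_strings(dex):
    """Return every string literal in a dex file, verifying the header first."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a dex file: %r" % dex[:8])
    (checksum,) = struct.unpack_from("<I", dex, 8)
    if zlib.adler32(dex[12:]) & 0xFFFFFFFF != checksum:
        raise ValueError("dex checksum mismatch: truncated or tampered file")
    fields = struct.unpack_from("<20I", dex, 32)
    string_ids_size, string_ids_off = fields[6], fields[7]
    strings = []
    for i in range(string_ids_size):
        (off,) = struct.unpack_from("<I", dex, string_ids_off + 4 * i)
        _utf16_len, start = decode_uleb128(dex, off)
        end = dex.index(b"\0", start)   # MUTF-8 never emits a raw NUL inside a string
        strings.append(dex[start:end].decode("utf-8", errors="replace"))
    return strings


def build_sample_apk(dex):
    """Constructed fixture standing in for the .apk pulled off a device."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<binary XML placeholder>")
        z.writestr("classes.dex", dex)
        z.writestr("assets/config.properties", b"api.base=https://api.example.com\n")
        z.writestr("META-INF/CERT.RSA", b"<signature block placeholder>")
    return buf.getvalue()


def triage_apk(apk_bytes):
    """What an attacker learns from the zip listing and the dex string pool."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        entries = z.namelist()
        dex = z.read("classes.dex")
    strings = parse_dex_strings(dex)
    flagged = [s for s in strings if any(m in s.lower() for m in SUSPICIOUS)]
    return {"entries": entries, "strings": strings, "flagged": flagged}


if __name__ == "__main__":
    report = triage_apk(build_sample_apk(build_minimal_dex(SAMPLE_STRINGS)))
    print("archive entries:", *report["entries"], sep="\n  ")
    print("strings worth a second look:", *report["flagged"], sep="\n  ")
```

Point triage_apk() at the bytes of a real .apk (for a device, `adb shell pm path <package>` gives the installed path and `adb pull` fetches it) and the flagged list is your first answer to “what information are we feeding them”: URLs, debug headers and credentials survive renaming, so anything in that list needs to be moved out of the code or genuinely protected, not merely obfuscated. The checksum check also catches a truncated or modified classes.dex before you waste time decompiling it.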
In our next post(s), we will get into the subject of what we can do with a decompiled .apk, and how to examine it in other ways for information which can prove useful to attackers. Then, we will see how to monitor an application’s activity, primarily on the network. Lastly, we will see what we can do to protect ourselves, our fellow Android device owners and (hopefully) our customers.