Skip to content

Android Application

Lab

Extract APK

ADB Method

Connect to ADB shell and list/download packages. You might need to enable Developer mode and Debugging in order to connect with adb

adb shell pm list packages
adb shell pm path com.example.someapp
adb pull /data/app/com.example.someapp-2.apk

Stores

Warning: Downloading APK files from unofficial stores can compromise your device's security. These sources often host malware and malicious software. Always use trusted and official app stores for downloads.

Download APK from Google Play using a 3rd Party:

Static Analysis

Extract Contents From APK

Search for strings flag,secret, the default string file is Resources/resources.arsc/res/values/strings.xml.

apktool d application.apk

Decompile Data as Java Code

  • Rename application.apk to application.zip: mv application.apk application.zip
  • Extract classes.dex: unzip application.zip
  • Use dex2jar to obtain a jar file: /usr/bin/d2j-dex2jar classes.dex
  • Use jadx using full CPU: jadx classes.dex -j $(grep -c ^processor /proc/cpuinfo) -d Downloads/app/ > /dev/null
    jadx-gui
    --deobf # remove obfuscation by AndroGuard
    -e      # generate a gradle project for Android Studio (easy to find function)
    

To reverse .odex you need to provide the /system/framework/arm, fortunately since we have the firmware we have it.

java -jar baksmali-2.3.4.jar x application.odex -d k107-mb-8.1/system/framework/arm -o application
apktool d application.apk 
apktool b rebuild_folder -o rebuilt.apk

Decompile Native Code

Native library are represented as .so files.
These libraries by default are included in the APK at the file path /lib/<cpu>/lib<name>.so or /assets/<custom_name>.

Use IDA, Radare2/Cutter or Ghidra to reverse them.

CPU Native Library Path
"generic" 32-bit ARM lib/armeabi/libcalc.so
x86 lib/x86/libcalc.so
x64 lib/x86_64/libcalc.so
ARMv7 lib/armeabi-v7a/libcalc.so
ARM64 lib/arm64-v8a/libcalc.so

⚠ The shared object file (.so) doesn't need to be embedded in the app.

Sign and Package APK

  • apktool + jarsigner
    apktool b ./application.apk
    keytool -genkey -v -keystore application.keystore -alias application -keyalg RSA -keysize 2048 -validity 10000
    jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore application.keystore application.apk application
    zipalign -v 4 application.apk application-signed.apk
    
  • apktool + signapk

    apktool b app-release
    ./signapk app-release/dist/app-release.apk
    

  • patrickfav/uber-apk-signer (Linux only)

    java -jar uber-apk-signer.jar --apks /path/to/apks
    

  • APK Toolkit v1.3 (Windows only)

Mobile Security Framework Static

Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.

Run MobSF/Mobile-Security-Framework-MobSF

  • Latest version from DockerHub
    docker run -it --name mobsf -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
    
  • Enable persistence on the Docker container
    docker run -it --rm --name mobsf -p 8000:8000 -v <your_local_dir>:/root/.MobSF opensecurity/mobile-security-framework-mobsf:latest
    

Online Assets

⚠ Uploading APKs to uncontrolled websites risks data leaks, malware, intellectual property theft, and privacy violations. Use trusted platforms only to ensure the security and integrity of your app.

React Native and Hermes

Identify React Native app with index.android.bundle inside the assets folder

Hermes: pip install hbctool
╰─$ hbctool disasm index.android.bundle indexasm
[*] Disassemble 'index.android.bundle' to 'indexasm' path
[*] Hermes Bytecode [ Source Hash: 4013cb75f7e16d4474f5cf258edc45ee16585560, HBC Version: 74 ]
[*] Done

Flutter

Indentify Flutter use in the MANIFEST.MF and search for libflutter.so.

  • worawit/blutter - Flutter Mobile Application Reverse Engineering Tool
    blutter jadx/resources/lib/arm64-v8a/ ./blutter_output
    

Dynamic Analysis

Dynamic analysis for Android malware involves executing and monitoring an app in a controlled environment to observe its behavior. This technique detects malicious activities like data exfiltration, unauthorized access, and system modifications. Additionally, it aids in reverse engineering app features, revealing hidden functionalities and potential vulnerabilities for better threat mitigation.

Burp Suite

  • Proxy > Listen to all interfaces
  • Import/Export CA certificate
  • adb push burp.der /sdcard/burp.crt
  • Open the Settings on the device and search "Install Cert"
  • Click Install certificates from SD card
  • Configure the AVD to use the proxy

Frida

Download frida from releases.

pip install frida-tools
unxz frida-server.xz
adb root # might be required
adb push frida-server /data/local/tmp/
adb shell "chmod 755 /data/local/tmp/frida-server"
adb shell "/data/local/tmp/frida-server &"

Interesting Frida scripts:

Runtime Mobile Security

Runtime Mobile Security (RMS) πŸ“±πŸ”₯ - is a powerful web interface that helps you to manipulate Android and iOS Apps at Runtime

Requirements: * adb * frida: server up and running on the target device

In case of issue with your favorite Browser, please use Google Chrome (fully supported).

  • Install RMS
    npm install -g rms-runtime-mobile-security
    
  • Make sure frida-server is up and running on the target device.
  • Launch RMS: rms
  • Open your browser at http://127.0.0.1:5491/
  • Attach to the app, find name with adb shell pm list package | grep NAME

Genymotion

Genymotion is a robust Android emulator designed for developers, offering fast and reliable virtual devices for app testing. It features GPS, battery, and network simulation, enabling comprehensive testing and development

Android SDK emulator

Android Virtual Device (AVD) without Google Play Store.

  • Download the files for an API 25 build

    sdkmanager "system-images;android-25;google_apis;x86_64"
    

  • Create a device based on what we downloaded previously

    avdmanager create avd x86_64_api_25 -k "system-images;android-25;google_apis;x86_64"
    

  • Run the emulator

    emulator @x86_64_api_25
    
    emulator -list-avds
    emulator -avd <non_production_avd_name> -writable-system -no-snapshot
    emulator -avd Pixel_XL_API_31 -writable-system -http-proxy 127.0.0.1:8080
    

  • Install the APK

    adb install ./challenge.apk
    

  • Start the App

    adb shell monkey -p com.scottyab.rootbeer.sample 1
    

Mobile Security Framework Dynamic

⚠ Dynamic Analysis will not work if you use MobSF docker container or setup MobSF inside a Virtual Machine.

Requirements: * Genymotion (Supports x86_64 architecture Android 4.1 - 11.0, upto API 30) * Android 5.0 - 11.0 - uses Frida and works out of the box with zero configuration or setup. * Android 4.1 - 4.4 - uses Xposed Framework and requires MobSFy * Genymotion Cloud * Amazon Marketplace - TCP 5555 * Azure Marketplace - TCP 5555 * Android Studio Emulator (only Android images upto API 28 are supported) * AVD without Google Play Store

Dynamic Analysis from MobSF grants you the following features: * Web API Viewer * Frida API Monitor

Appium

Appium is an open-source project and ecosystem of related software, designed to facilitate UI automation of many app platforms, including mobile (iOS, Android, Tizen), browser (Chrome, Firefox, Safari), desktop (macOS, Windows), TV (Roku, tvOS, Android TV, Samsung), and more!

  • Install appium: npm install -g appium
  • Install and validate the uiautomator2 driver
    export JAVA_HOME=/usr/lib/jvm/default-java
    export ANDROID_HOME=/home/user/Android/Sdk/
    wget https://github.com/google/bundletool/releases/download/1.17.1/bundletool-all-1.17.1.jar
    sudo mv bundletool-all-1.17.1.jar /usr/local/bin
    appium driver install uiautomator2
    appium driver doctor uiautomator2
    
  • Start the server on the default host (0.0.0.0) and port (4723): appium server
  • Install the Appium Python client: pip install Appium-Python-Client
  • Use the appium/appium-inspector with the following capability
    {
    "platformName": "Android",
    "appium:automationName": "UiAutomator2"
    }
    

Examples:

Flutter

Repackage a Flutter Android application to allow Burp Suite proxy interception.

  • ptswarm/reFlutter - Flutter Reverse Engineering Framework
    pip3 install reflutter
    reflutter application.apk
    
  • Sign the apk with patrickfav/uber-apk-signerΒ 
    java -jar ./uber-apk-signer-1.3.0.jar --apks release.apk
    java -jar ./uber-apk-signer.jar --allowResign -a release.RE.apk
    

An alternative way to do it is using a rooted Android device with zygisk-reflutter.

  • yohanes/zygisk-reflutter - Zygisk-based reFlutter (Rooted Android with Magisk installed and Zygisk Enabled)
    adb push  zygiskreflutter_1.0.zip /sdcard/
    adb shell su -c magisk --install-module /sdcard/zygiskreflutter_1.0.zip
    adb reboot
    

SSL Pinning Bypass

SSL certificate pinning in an APK involves embedding a server's public key or certificate directly into the app. This ensures the app only trusts specific certificates, preventing man-in-the-middle attacks by rejecting any certificates not matching the pinned ones, even if they are otherwise valid.

⚠ Android 9.0 is changing the defaults for Network Security Configuration to block all cleartext traffic.

  • shroudedcode/apk-mitm - A CLI application that automatically prepares Android APK files for HTTPS inspection
    $ npx apk-mitm application.apk
    npx: 139 installΓ©(s) en 12.206s
    β•­ apk-mitm v0.6.1
    β”œ apktool v2.4.1
    β•° uber-apk-signer v1.1.0
    Using temporary directory:
    /tmp/87d3a4921ddf86cde634205480f89e90
    βœ” Decoding APK file
    βœ” Modifying app manifest
    βœ” Modifying network security config
    βœ” Disabling certificate pinning
    βœ” Encoding patched APK file
    βœ” Signing patched APK file
    Done!  Patched file: ./application.apk
    
  • 51j0/Android-CertKiller - An automation script to bypass SSL/Certificate pinning in Android
    $ python main.py -w #(Wizard mode)
    $ python main.py -p 'root/Desktop/base.apk' #(Manual mode)
    
  • frida/frida - Universal SSL Pinning Bypass
    $ adb devices
    $ adb root
    $ adb shell
    $ phone:/# ./frida-server
    
    // https://codeshare.frida.re/@pcipolloni/universal-android-ssl-pinning-bypass-with-frida/
    $ frida -U --codeshare pcipolloni/universal-android-ssl-pinning-bypass-with-frida -f com.example.pinned
    
    $ frida -U -f org.package.name -l universal-ssl-check-bypass.js --no-pause
    Java.perform(function() {                
        var array_list = Java.use("java.util.ArrayList");
        var ApiClient = Java.use('com.android.org.conscrypt.TrustManagerImpl');
        ApiClient.checkTrustedRecursive.implementation = function(a1,a2,a3,a4,a5,a6) {
            var k = array_list.$new(); 
            return k;
        }
    },0);
    
  • m0bilesecurity/RMS-Runtime-Mobile-Security - Certificate Pinning bypass script (all + okhttpv3)
  • federicodotta/Brida - The new bridge between Burp Suite and Frida

Root Detection Bypass

Common root detection techniques:

  • Su binaries: su/busybox
  • Known Root Files/Paths : Superuser.apk
  • Root Management Apps: Magisk, SuperSU
  • RW paths: /system, /data directories
  • System Properties

Common bypass:

Android Debug Bridge

Android Debug Bridge (ADB) is a versatile command-line tool that enables communication between a computer and an Android device. It facilitates tasks like installing apps, debugging, accessing the device's shell, and transferring files, making it essential for developers and power users in Android development and troubleshooting.

Command Description
adb devices List devices
adb connect <IP>:<PORT> Connect to a remote device
adb install app.apk Install application
adb uninstall app.apk Uninstall application
adb root Restarting adbd as root
adb shell pm list packages List packages
adb shell pm list packages -3 Show third party packages
adb shell pm list packages -f Show packages and associated files
adb shell pm clear com.test.abc Delete all data associated with a package
adb pull <remote> <local> Download file
adb push <local> <remote> Upload file
adb shell screenrecord /sdcard/demo.mp4 Record video of the screen
adb shell am start -n com.test.abc Start an activity
adb shell am startservice Start a service
adb shell am broadcast Send a broadcast
adb logcat *:D Show log with Debug level
adb logcat -c Clears the entire log

Android Virtual Device

An Android Virtual Device (AVD) is an emulator configuration that mimics a physical Android device. It allows developers to test and run Android apps in a simulated environment with specific hardware profiles, screen sizes, and Android versions, facilitating app testing without needing actual devices.

emulator -avd Pixel_8_API_34 -writable-system
Command Description
-tcpdump /path/dumpfile.cap Capture all the traffic in a file
-dns-server X.X.X.X Set DNS servers
-http-proxy X.X.X.X:8080 Set HTTP proxy
-port 5556 Set the ADB TCP port number

Unlock Bootloader

Requirements:

  • Enable Settings > Developer Options > OEM unlocking
  • Enable Settings > Developer Options > USB Debugging

Unlock the bootloader will wipe the userdata partition. On some device these methods will require a key to successfully unlock the bootloader.

  • Method 1
    adb reboot bootloader
    fastboot oem unlock
    
  • Method 2
    adb reboot bootloader
    fastboot flashing unlock
    
  • Methods based on the chip
    • For Qualcomm devices, you can use EDL (Emergency Download Mode)
    • For MediaTek devices, BROM (Boot ROM) mode
    • For Unisoc devices, Research Download Mode.

References