2016-08-04 | Slides

Reverse Engineering an Android APK

1 Reverse Engineering: General Overview

  1. Reverse Engineering, defined: Given the program binary, re-generate "the" source code that would produce the binary.
  2. The program binary may have been run through obfuscation tools, but is still a program binary that the OS recognizes.
  3. Source code is assumed unavailable.
  4. From machine code to C source code; from VM byte code to Java; etc.

1.1 Reverse Engineering: Program Binaries (all OS)

  1. Sections of Machine Code (Linux term "text")
  2. Sections of Initialized Data (strings, …, manifest constants)
  3. Table of Contents of Methods, Imported Symbols, Exported Symbols
  4. http://wiki.yobi.be/wiki/Reverse-Engineering A pretty good source of info. Has overviews of tools. Not Android specific.

1.2 Reverse Engineering: Classic Unix/ Linux Tools

  1. file, size, nm
  2. ltrace, strace
  3. gdb can generate asm code from machine code sections
  4. Read the man pages for details

1.3 Reverse Engineering: Ethics

  1. Are we entitled to reverse an APK? Intellectual property.
  2. There are plenty of legal issues.

2 Reverse Engineering Tools, Android Specific

  1. http://ibotpeaches.github.io/Apktool/ It can decode resources to nearly original form and rebuild them after making some modifications. Installs on Linux, macOS, and Windows.
  2. https://github.com/JesusFreke/smali is an assembler/disassembler for the dex format used by Dalvik. Supports annotations, debug info, line info, etc.
  3. https://code.google.com/p/dex2jar/ is a tool for converting .dex format to .class format. Just one binary format to another binary format; it does not generate Java source. FOSS.
  4. TetCon 2016: A conference on Android Deobfuscation: Tools and Techniques. Videos, src code bundles, papers are downloadable.
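Slides 1.1 and 2 above talk about a binary's "table of contents" and the dex format that smali and dex2jar operate on. As an added example (not from these slides or from any of the tools listed), this Python script parses a DEX header, verifies its adler32 checksum and SHA-1 signature, and reports the method and class table sizes; the sample DEX it builds is constructed here and holds only an empty data region, not a real app.

```python
import hashlib
import struct
import zlib

# 112-byte DEX header: magic, adler32 checksum, SHA-1 signature, then 20 little-endian
# uint32 fields ending with the size/offset "table of contents" of each section.
DEX_HEADER = struct.Struct("<8sI20s20I")
FIELD_NAMES = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
)
ENDIAN_CONSTANT = 0x12345678


def parse_dex_header(blob: bytes) -> dict:
    """Parse a DEX header and verify its integrity fields; ValueError if malformed."""
    if len(blob) < DEX_HEADER.size:
        raise ValueError("too short to hold a DEX header")
    magic, checksum, signature, *fields = DEX_HEADER.unpack_from(blob)
    if not (magic.startswith(b"dex\n") and magic.endswith(b"\0")):
        raise ValueError("bad magic %r" % magic)
    hdr = dict(zip(FIELD_NAMES, fields))
    if hdr["endian_tag"] != ENDIAN_CONSTANT:
        raise ValueError("byte-swapped DEX not supported")
    if hdr["header_size"] != DEX_HEADER.size or hdr["file_size"] != len(blob):
        raise ValueError("header_size/file_size disagree with the data")
    # adler32 covers everything after the checksum; SHA-1 everything after the signature
    if zlib.adler32(blob[12:]) & 0xFFFFFFFF != checksum:
        raise ValueError("adler32 mismatch: file truncated or patched after build")
    if hashlib.sha1(blob[32:]).digest() != signature:
        raise ValueError("SHA-1 signature mismatch")
    hdr["version"] = magic[4:7].decode("ascii")
    return hdr


def build_sample_dex(method_count: int, class_count: int) -> bytes:
    """Constructed sample: a valid header over an empty data region (not a real app)."""
    body = b"\0" * 32
    data_off = DEX_HEADER.size
    fields = [DEX_HEADER.size + len(body), DEX_HEADER.size, ENDIAN_CONSTANT,
              0, 0, data_off, 0, 0, 0, 0, 0, 0, 0, 0,
              method_count, data_off, class_count, data_off, len(body), data_off]
    tail = struct.pack("<20I", *fields) + body
    signature = hashlib.sha1(tail).digest()
    checksum = zlib.adler32(signature + tail) & 0xFFFFFFFF
    return b"dex\n035\0" + struct.pack("<I", checksum) + signature + tail
```

A header whose checksum or signature no longer matches is the first sign that a sample was patched or truncated after it was built, which is worth knowing before feeding it to apktool or dex2jar.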

2.1 Reversing Android Specific #2

  1. http://jd.benow.ca/ Java Decompiler (JD). Includes JD-GUI, JD-Eclipse, JD-IntelliJ. Can show equivalent Java source of a given .class file. Not FOSS, but "may be freely used for personal needs in commercial or non-commercial environments."
  2. https://santoku-linux.com/ A Linux PC distribution targeted at Android users/developers. Mobile Forensics, Malware Analysis, and Security. Recommended Visit.
  3. Androguard (FOSS) https://github.com/androguard Reverse engineering, malware and goodware analysis of Android applications. Python, Rust; 2016.
  4. https://github.com/strazzere/android-lkms "reversing and debugging on controlled systems/emulators."

2.2 Reversing Android Specific #3

  1. Web search for URLs.
  2. AndBug: "A Scriptable Android Debugging" Library; inactive since 2011
  3. APK Studio (not Android Studio) : "is an IDE for decompiling/editing & then recompiling of Android application binaries." Now (2015) cross-platform.
  4. Bytecode-Viewer: "A Java 8 Jar & Android APK Reverse Engineering Suite (Decompiler, Editor, Debugger)"
  5. CodeInspect: "A Jimple-based Reverse-Engineering framework for Android and Java applications."
  6. Fino: "An Android Dynamic Analysis Tool"

2.3 Reversing Android Specific #4

  1. dedex: "A command line tool for disassembling Android DEX files."
  2. dextra: A utility that can supplant AOSP's dexdump and dx --dump. Supports ART.
  3. dexdisassembler: A GTK tool for disassembling Android DEX files.
  4. Introspy-Android: Blackbox tool to help understand what an Android application is doing at runtime and assist in the identification of potential security issues. https://github.com/iSECPartners/Introspy-Android Last active 2013 (three years before these slides).
  5. JEB: The Interactive Android Decompiler. Not FOSS.

2.4 Reversing #5

  1. FernFlower: JVM Decompiler. On GitHub
  2. JD-Gui: Yet another fast JVM Decompiler. On GitHub
  3. Cerbero: Malware and forensic analysis. Not FOSS. Can reverse.
  4. Codeinspect: "Debug,Understand,Control apps without knowing the source code."
  5. Many more exist.

3 Dissection of a Malware/OKware APK

  1. ./dissected-simplelocker.html Describes the dissection of an example APK, namely SimpleLocker ransomware of 2014.
  2. ./dissected-dendroid.html Dendroid was on sale in the black market.
  3. ./dissected-malware.html Other examples.
  4. http://contagiominidump.blogspot.be/ Repo of malware for download on which you can practice.

4 Lab on Reversing

5 References

  1. http://contagiominidump.blogspot.be/ An on-going collection of malware examples collected from the real world.
  2. http://androidmalwaredump.blogspot.com/ "Contains a dump zone for Android malware samples for educational purposes only."
  3. http://reverseengineering.stackexchange.com "is a question and answer site for researchers and developers who explore the principles of a system through analysis of its structure, function, and operation."

5.1 References #2

  1. Thanasis Petsas, Reverse Engineering Android: Disassembly & Code Injection, 40+ slides, 2013.
  2. http://www.red-book.eu/m/documents/syssec_red_book.pdf 2013 A free PDF book of 190+ pages. Highly Recommended Reading.
  3. Pau Oliva Fora, Beginners Guide to Reverse Engineering Android Apps, slides, viaForensics, RSA Conf 2014. Recommended Reading.

Copyright © 2016 www.wright.edu/~pmateti • 2016-08-04