not my code!” (closed-source library, e.g. ads + analytics)
• “It’s not my app, but crashes on my device!” (device-specific variations, particularly custom ROMs)
thought “impossible”? e.g. good results from the Camera API on Samsung
• Too many libraries to choose from? See what everyone else went with!
• Sure, write your own… But that doesn’t mean you can’t look at theirs first!
• Nifty visual effect? schwifty
pm list packages -f -3                                               … to list installed packages
$ adb pull "$(adb shell pm path $1 | cut -d : -f 2 | tr -d '\015')"   … to pull package $1 in one line (with root)
• Or from other sources, but be aware of TOS and malware…
[-v] [-a] file.{zip,jar,apk}
   List contents of Zip-compatible archive.

 aapt d[ump] [--values] [--include-meta-data] WHAT file.{apk} [asset [asset ...]]
   strings          Print the contents of the resource table string pool in the APK.
   badging          Print the label and icon for the app declared in APK.
   permissions      Print the permissions from the APK.
   resources        Print the resource table from the APK.
   configurations   Print the configurations in the APK.
   xmltree          Print the compiled xmls in the given assets.
   xmlstrings       Print the strings of the given compiled xml assets.

 aapt p[ackage] [-d][-f][-m][-u][-v][-x][-z][-M AndroidManifest.xml] \
        ...
   Package the android resources.  It will read assets and resources that are
   supplied with the -M -A -S or raw-files-dir arguments.  The -J -P -F and -R
   options control which files are output.

 aapt r[emove] [-v] file.{zip,jar,apk} file1 [file2 ...]
   Delete specified files from Zip-compatible archive.

 aapt a[dd] [-v] file.{zip,jar,apk} file1 [file2 ...]
   Add specified files to Zip-compatible archive.
What is inside an APK (a Zip-compatible archive):
• assets/ - raw files, anything, even dynamically loaded code
• lib/ - native code libraries
• META-INF/ - certificate, signature and file hashes, to verify origin and integrity
• res/ - non-compiled resources
• AndroidManifest.xml - binary XML version of the manifest
• classes.dex - Dalvik Executable: all the classes for the Dalvik VM
• resources.arsc - compiled resources (other)
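The "file hashes, to verify origin and integrity" part of META-INF, as an added example that is not from the slides: a small Python script that builds a constructed APK-like zip with a v1 (JAR-style) MANIFEST.MF, then recomputes every listed entry's digest and reports files that were modified after signing or that the manifest never covered. The function names build_sample_apk, parse_manifest and check_apk_digests are assumptions for this example; it checks only the per-file digests, not the CERT.SF/CERT.RSA signature over them.

```python
import base64
import hashlib
import io
import zipfile

DIGESTS = {"SHA-256-Digest": hashlib.sha256, "SHA1-Digest": hashlib.sha1}

def build_sample_apk(tamper=False):
    # Constructed sample: a tiny APK-like zip with a v1 (JAR-style) MANIFEST.MF.
    # Real APKs also carry CERT.SF/CERT.RSA; only the file hashes are checked here.
    files = {
        "classes.dex": b"dex\n035\x00constructed-dalvik-bytes",
        "AndroidManifest.xml": b"\x03\x00\x08\x00constructed-binary-xml",
    }
    manifest = "Manifest-Version: 1.0\nCreated-By: example\n\n"
    for name, data in files.items():
        digest = base64.b64encode(hashlib.sha1(data).digest()).decode()
        manifest += f"Name: {name}\nSHA1-Digest: {digest}\n\n"
    if tamper:  # modify a file after the manifest was written (repacked APK)
        files["classes.dex"] += b"-patched"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()

def parse_manifest(text):
    # Returns {entry name: (digest attribute, base64 value)}. Lines over 72
    # bytes are wrapped with a leading space in JAR manifests, so unfold first.
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    entries = {}
    for section in unfolded.split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in section.splitlines() if ": " in l)
        if "Name" not in attrs:
            continue  # main section, no per-file digest
        for key in DIGESTS:
            if key in attrs:
                entries[attrs["Name"]] = (key, attrs[key])
                break
    return entries

def check_apk_digests(apk_bytes):
    # Returns entries whose content no longer matches MANIFEST.MF, plus any
    # non-META-INF entry the manifest does not cover at all.
    bad = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        entries = parse_manifest(z.read("META-INF/MANIFEST.MF").decode())
        for name, (key, expected) in entries.items():
            actual = base64.b64encode(DIGESTS[key](z.read(name)).digest()).decode()
            if actual != expected:
                bad.append(name)
        bad += [n for n in z.namelist() if n not in entries and not n.startswith("META-INF/")]
    return bad
```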
“Why is this crashing?” / “I wish I could debug this!”
Rebuild for debug:
$ apktool b -d SomeApp
...
$ jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore release-key.keystore SomeApp.apk release_key_alias_name
… install, run, and a debugger can be attached. (use smali dir as source dir on a new project)
and embeddable
• Interactive ipython shell (androlyze.py)
• Includes DAD Dalvik decompiler
• Site != active, but project is! https://github.com/androguard/androguard
a, d, dx = AnalyzeAPK("/Users/jon/Desktop/target.apk")

In [2]: a, d, dx
Out[2]: (<androguard.core.bytecodes.apk.APK at 0x10a62c350>,
         <androguard.core.bytecodes.dvm.DalvikVMFormat at 0x10d7e7850>,
         <androguard.core.analysis.analysis.uVMAnalysis at 0x11b80dad0>)

In [3]: a.get_main_activity()
Out[3]: u'com.example.app.ui.MainHomeActivity'

In [4]: d.CLASS_Lcom_example_app_ui_MainHomeActivity.source()

more at https://code.google.com/p/androguard/wiki/RE
https://github.com/androguard/androguard
Signature: show_Permissions(dx)
Docstring:
Show where permissions are used in a specific application
:param dx : the analysis virtual machine
:type dx: a :class:`VMAnalysis` object
File: /opt/androguard-2.0/androguard/core/analysis/analysis.py
Type: function

In [6]: show_Permissions(dx)
android.permission.READ_CONTACTS :
 R ['Landroid/provider/ContactsContract;', 'AUTHORITY_URI', 'Landroid/net/Uri;'] (0x0) ---> Lcom/android/ex/chips/BaseRecipientAdapter$DirectoryListQuery;-><clinit>()V
 R ['Landroid/provider/ContactsContract$CommonDataKinds$Email;', 'CONTENT_FILTER_URI', 'Landroid/net/Uri;'] (0x118) ---> Lcom/android/ex/chips/Queries;-><clinit>()V
 R ['Landroid/provider/ContactsContract$CommonDataKinds$Phone;', 'CONTENT_FILTER_URI', 'Landroid/net/Uri;'] (0x88) ---> Lcom/android/ex/chips/Queries;-><clinit>()V
 R ['Landroid/provider/ContactsContract$CommonDataKinds$Email;', 'CONTENT_URI', 'Landroid/net/Uri;'] (0x11c) ---> Lcom/android/ex/chips/Queries;-><clinit>()V
 R ['Landroid/provider/ContactsContract$CommonDataKinds$Phone;', 'CONTENT_URI', 'Landroid/net/Uri;'] (0x8c) ---> Lcom/android/ex/chips/Queries;-><clinit>()V
it?
• Important? Keep it out of the app!
• Protection effort vs reversing ease
• Obfuscation + minification at least?
• dexguard ($), SQLCipher (free), more if needed
• Reverse your own apps!