Search This Blog

Thursday, 30 July 2015

Introduction - Reverse Engineering Android Applications


Reversing APK Files


The first step in the reverse engineering process is to retrieve the APK file. If the application is on the device and it has adb access you can run the command below to list all of the packages on the device. If you know the name of the application you can use grep to look for the specific application, in this case insecurebank.




To pull the application from the device you need to get the full path name of the APK file for the package.


Once you know the path you can run 'adb pull to retrieve the APK from the device.


Now that you have the APK file you can rename the file extension as a zip file and use the unzip command to decompress.



Building Android Applications


Developers create Android applications in the Java programming language. These files are then compiled into .class files. The class files are then given to the dx tool in order to generate .dex files.
These .dex files are then packaged as an APK with other files.

The classes compiled in dex format are understood by the Dalvik Virtual Machine and allows the application to be executed during runtime. Each application running on an Android device has its own Dalvik Virtual Machine


Decompiling Dex Files


In order to decompile the application we need to locate the classes.dex file, we want to convert this back into a Java JAR file. In Appie you can use the 'd2j-dex2jar classes.dex' command to convert.



The JAR file can now be decompiled into Java source code using JD-GUI.


Analyzing The Code


You can now go through the various classes to analyze the application logic, identify sensitive information etc. In the example below we can see the DoLogin class has a hardcoded developer backdoor.



If you login with the username - devadmin without a password it will give you access to the application.


We can confirm that the username 'devadmin' has allowed us to access the application.


The page below is the landing page post-authentication.


References: http://resources.infosecinstitute.com/android-hacking-and-security-part-18-introduction-to-reverse-engineering/

No comments:

Post a Comment