Android Reverse Engineering

Note: The quality of this article is not good. It’s a way for me to keep some notes.

What is Android Reverse Engineering

The goal is to explain how you can reverse engineer an Android application, that is, how you can see the source code of an *.apk file.

The target audience is Android developers, architects and geeks.

Note

This text targets people with some experience. If you think that some parts are too complex or you want to improve part of the document, don't hesitate to send me a mail!

Why

It’s always interesting to see how an application is built. I’m curious and my goal is to understand how great code to run great applications is built.

  • Design patterns: See the architecture of an application, which libraries it uses and how developers write code. As an example, some code is written in HTML or compiled into *.so libraries to avoid writing different code for Android and iPhone.
  • Privacy: Understand why an application accesses things it does not need. For example, why does this application need to access your address book or be able to send SMS?
  • Integration: Android is really an amazing system because you can integrate an application into many features of the operating system. As an example, with the application "local.ch" you can see who is calling even if the caller is not in your address book. It looks simple, but the system that does it is just amazing. (This is where you see that Android is way more mature than iOS.) AndroidManifest.xml is where many secrets are stored. Finding "how to do it" is not always easy, but it is always interesting.
  • Secret features: Sometimes an application has "secret features". As an example, you can play videos in "MoboPlayer" from another application, but the way to do it is not documented anywhere.
  • API: Many applications are integrated with web services and APIs. It's interesting to see how the integration is done and which secrets are stored in the application. As a developer or architect, always assume that the code of your mobile application is "public"! It's common to see: public static String API_SECRET = "top3eCret@";
  • Security and database: Copying and pasting part of the code is easy; think about it when implementing your complex encryption algorithm! 😛 It might not be that useful!

Write an Android application

To get the maximum benefit from this article, you need to be able to write a simple Android application and deploy it.

You need to know what adb is, what this strange file "AndroidManifest.xml" is, and how to write some Java code. This part is out of the scope of this article.

Unlock and root your mobile phone

You need to unlock and root your mobile phone if you really want to understand how it works.

How to do it is not part of this article.

Unlock: This process is a way to "open your phone"; the lock is what keeps your privacy. By default your phone is locked, which means you cannot install code that was not certified by the manufacturer. This is important because otherwise someone who steals your phone can access your data.

During the unlock process all your data is deleted! Once your phone is unlocked, your data is not secure if your phone is stolen.

Root: By default every application runs in its own sandbox, which means that an application cannot change the content of another application. Android runs on top of a Linux layer, where the user called "root" is allowed to read and change everything.

When you "root" your phone, you are able to connect as root.

Once your phone is rooted, you can run:
./adb shell (connect to your phone using a terminal)
then "su"

Note: install "BusyBox Free" from the "Play Store" if you are used to Linux. BusyBox provides the common Linux commands on an embedded Linux system.

Common path

Connect to your phone:
./adb shell
Then “su”

/data/app: The packages (apk) of your installed applications are here. This is the place to look if you want to analyse an application you have installed.

/data/data: The data of your applications is stored here.

/sdcard/: Where your sdcard is mounted.

adb push <local> <remote> – copy file/dir to device
adb pull <remote> [<local>] – copy file/dir from device

View the resources of the application

Imagine you have an application called ch.nuage.test.apk.

You want to see the images and the source of AndroidManifest.xml.

Download apktool: http://code.google.com/p/android-apktool/
Then run: apktool d ch.nuage.test.apk

You will get a new directory containing:
– AndroidManifest.xml (in plain text!)
– the images and texts of the application
– Smali: the disassembled Dalvik bytecode (I prefer to read the decompiled code obtained in the next paragraph)

View the source code of the application

Imagine you have an application called ch.nuage.test.apk.

The goal of this part is to browse the source code of the application.

First unzip the package: an apk is a zip file. Rename ch.nuage.test.apk to ch.nuage.test.zip, or try to unzip the file directly.

Inside you have a file called "classes.dex"; that is what interests us.

Download dex2jar: http://code.google.com/p/dex2jar/
Use dex2jar to convert the dex file into a normal Java jar file:
dex2jar.sh classes.dex

Unzip (or unjar) classes_dex2jar.jar. You should now have a folder with *.class files.

To see decompiled ("pseudo") Java code, you can use this tool: http://java.decompiler.free.fr

Please note that:

  • comments have been removed 😛
  • the names of many variables have changed
  • many classes are now named "a, b, c, d"
  • some parts of the code cannot be decompiled or displayed correctly
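As an added example (not part of the original post), the following Python script reads the string table of classes.dex directly, without dex2jar or a decompiler, and flags the entries a reviewer would want to check first, such as the API_SECRET field from the "Why" section or hard-coded API endpoints. The header offsets come from the dex file format (version 035); build_sample_dex and its sample strings are constructed here for the demo and stand in for what a real ch.nuage.test.apk might contain.

```python
import re
import struct

# Names or literals a reviewer does not want to find shipped inside an APK (see the API_SECRET example).
SENSITIVE = re.compile(r"secret|api_?key|password|token|https?://", re.I)

def read_uleb128(data, off):
    """Decode the ULEB128 length that precedes every dex string; returns (value, next_offset)."""
    result, shift = 0, 0
    while True:
        byte, off = data[off], off + 1
        result |= (byte & 0x7F) << shift
        if byte < 0x80:
            return result, off
        shift += 7

def dex_strings(dex):
    """Walk the string_ids table of classes.dex and return every entry (names and literals alike)."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a dex file")
    # header offsets 56 and 60 hold string_ids_size and string_ids_off (dex format, version 035)
    count, ids_off = struct.unpack_from("<II", dex, 56)
    out = []
    for i in range(count):
        (data_off,) = struct.unpack_from("<I", dex, ids_off + 4 * i)
        _utf16_len, start = read_uleb128(dex, data_off)
        end = dex.index(b"\x00", start)               # the MUTF-8 payload is NUL terminated
        out.append(dex[start:end].decode("utf-8", "replace"))
    return out

def find_sensitive_strings(dex):
    """Return the string-table entries that look like embedded secrets or API endpoints."""
    return [s for s in dex_strings(dex) if SENSITIVE.search(s)]

def build_sample_dex(strings):
    """Constructed minimal dex: header + string_ids + string_data only (ASCII strings shorter than 128)."""
    ids_off = 0x70                                    # string_ids follow the 0x70-byte header
    data, offsets = b"", []
    for s in strings:
        offsets.append(ids_off + 4 * len(strings) + len(data))
        data += bytes([len(s)]) + s.encode() + b"\x00"  # one-byte uleb128 length, MUTF-8, NUL
    header = bytearray(0x70)
    header[:8] = b"dex\n035\x00"
    struct.pack_into("<II", header, 56, len(strings), ids_off)
    return bytes(header) + b"".join(struct.pack("<I", o) for o in offsets) + data

# Constructed sample standing in for the string table of a decompiled ch.nuage.test.apk.
SAMPLE_DEX = build_sample_dex(
    ["Lch/nuage/test/Api;", "API_SECRET", "top3eCret@", "https://api.example.test/v1", "onCreate"])
```

find_sensitive_strings(SAMPLE_DEX) returns ['API_SECRET', 'https://api.example.test/v1']; the literal "top3eCret@" itself is not caught by a name-based check, which is why the field names next to a value matter when you read the decompiled code.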


What next?

You can change, recompile and repackage applications, but that is not in the scope of this article.

Sometimes an application contains native libraries (lib/*.so); you can look at their code with a decompiler like IDA (http://www.hex-rays.com/products/ida/index.shtml), but that is out of the scope of this article (and the software is too expensive for me).

SQLite

Many application databases use sqlite3.

You can easily modify these files by installing sqlite and editing the content with SQL queries.

Bonus

GameCIH might interest you too: http://www.cih.com.tw/

It's a way to "speed up" an application or to change values in the application such as money or lives.

Conclusion

As you can see, it is quite easy to look at the content of an application.

So

  • Think about it when developing mobile software (it's the same on iPhone). Your top secret password or API secret is not that secret. Your OAuth secret should perhaps be stored on your server and not in the mobile application.
  • It's a good way to see what other people do and to improve your skills.