Reverse engineering Android apps

01 Dec 2016

Here are some tools to help you with reversing Android apps.

First, take the release build from Android Studio, or alternatively use adb shell to list the packages installed on a device

adb shell pm list packages | grep YourAppName

aapt

The Android Asset Packaging Tool (aapt) can be used to dump the Android Manifest file

aapt dump xmltree /appFolder/app-release.apk AndroidManifest.xml

as well as to list the resource and asset files included in the APK

aapt l -a /appFolder/app-release.apk

AXMLPrinter2

An APK is just a zip archive, so you can unzip it directly

unzip app-release.apk

The extracted AndroidManifest.xml is in Android's binary XML format; AXMLPrinter2 parses that format directly and prints it back as readable XML. For example, to look at the Android Manifest file

java -jar AXMLPrinter2.jar AndroidManifest.xml

Drozer

Drozer allows you to assume the role of an Android app and interact with other apps. One of the modules in drozer, app.package.manifest, will parse the manifest file of an installed package and display it on screen.

run app.package.manifest com.company.appName

Smali

smali/baksmali is an assembler and disassembler for the DEX format used by Dalvik. Baksmali disassembles the APK's DEX code into smali, a Jasmin-like syntax. One thing to note about this tool is that it can take the ProGuard-obfuscated names and unravel them so you can see the names of the methods. This means it is still a good idea to name sensitive methods with something more innocent.

java -jar baksmali-2.1.2.jar app-release.apk

Files are output to an out/ folder. You can then use smali to assemble the output files back into a DEX file.

java -jar smali-2.1.2.jar -o classes.dex /out/
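Before handing a classes.dex to baksmali or dex2jar it is worth confirming the archive layout and that the DEX header is intact. The following is an added example, not code from the original post or from any of the tools above: it unzips an APK in memory, reports the entries the tools operate on, and verifies the adler32 checksum and SHA-1 signature every DEX file carries in its header. The APK it triages is a constructed in-memory sample (header-only DEX, stub manifest), so it runs offline.

```python
import hashlib
import io
import struct
import zipfile
import zlib

DEX_HEADER = struct.Struct("<8sI20s20I")   # magic, adler32, SHA-1, then 20 u32 fields (0x70 bytes)
FIELDS = ("file_size header_size endian_tag link_size link_off map_off string_ids_size "
          "string_ids_off type_ids_size type_ids_off proto_ids_size proto_ids_off "
          "field_ids_size field_ids_off method_ids_size method_ids_off class_defs_size "
          "class_defs_off data_size data_off").split()

def parse_dex_header(data):
    # Decode the header and verify the checksum/signature the file carries
    magic, checksum, signature, *rest = DEX_HEADER.unpack_from(data)
    if magic[:4] != b"dex\n" or magic[7:8] != b"\0":
        raise ValueError("bad DEX magic %r" % magic)
    hdr = dict(zip(FIELDS, rest))
    hdr["version"] = magic[4:7].decode()
    hdr["checksum_ok"] = (zlib.adler32(data[12:]) & 0xFFFFFFFF) == checksum  # adler32 covers bytes 12..end
    hdr["signature_ok"] = hashlib.sha1(data[32:]).digest() == signature       # SHA-1 covers bytes 32..end
    hdr["size_ok"] = hdr["file_size"] == len(data) and hdr["header_size"] == DEX_HEADER.size
    return hdr

def triage_apk(apk_bytes):
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        return {
            "has_manifest": "AndroidManifest.xml" in names,
            "has_resources": "resources.arsc" in names,
            "assets": sorted(n for n in names if n.startswith("assets/")),
            "dex": {n: parse_dex_header(z.read(n)) for n in names
                    if n.startswith("classes") and n.endswith(".dex")},
        }

def build_sample_dex():
    # Constructed header-only DEX (no code) with a valid checksum and signature
    fields = [DEX_HEADER.size, DEX_HEADER.size, 0x12345678] + [0] * 17
    body = DEX_HEADER.pack(b"dex\n035\0", 0, b"\0" * 20, *fields)
    body = body[:12] + hashlib.sha1(body[32:]).digest() + body[32:]     # signature first, it excludes itself
    return body[:8] + struct.pack("<I", zlib.adler32(body[12:]) & 0xFFFFFFFF) + body[12:]

def build_sample_apk():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # constructed binary-XML stub, not a real manifest
        z.writestr("resources.arsc", b"")
        z.writestr("assets/config.json", b"{}")
        z.writestr("classes.dex", build_sample_dex())
    return buf.getvalue()
```

On a real APK, pass the file's bytes to triage_apk; a checksum or signature mismatch on a DEX entry means the file was modified after packaging and the disassembly may not reflect what shipped.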

Dex2Jar

DEX files, whether taken straight from the APK or rebuilt with smali as above, can then be translated back into something that resembles the original source code. dex2jar converts the DEX bytecode into standard Java class files packaged as a jar.

d2j-dex2jar.sh /app-release.apk -o /AppName.jar

JD-GUI

Once you have the jar file from the step above, open it in JD-GUI to see all the class names and a decompilation of most of the source code.

IDA Pro

IDA Pro can disassemble and debug Dalvik code since v6.1. IDA is useful because of its scripting support and its graph view, which can unwind the control flow of the app. There are also lots of scripts people have written for it to assist in unwinding obfuscated code.

Others

* Dextra supports ART and OAT.

* ApkTool will reverse-engineer the entire Android package back to a workable form, including all resources and original source code.

* Jadx lets you browse decompiled DEX code and decompiles most of the project.

* JAD converts Java class files back to source files.