We covered the second part of Android APK reverse engineering where we used Ghidra and Jadx-GUI to decompile an android APK sample to uncover and extract any hardcoded and encrypted key values. We discovered that the app implements a function to employs an encryption routine to check whether the user’s provided-input matches an encrypted value in order to decide whether to give perks or not. Frida is another tool that can be used to dynamically analyze a running Android app and if given the right process ID it may be able to recover encrypted values.

OSINT Study Notes

Windows Active Directory Penetration Testing Study Notes

Building android applications is the best way to learn Android reverse engineering. I would advise you to start there if you have never developed an Android application before. Select any of the accessible guides and films that pique your curiosity, then start creating. It is much simpler to comprehend how to reverse engineer something when you are familiar with how developers produce things.

Definition of Android Reverse Engineering

When reverse engineering an Android application, the compiled code and resources are usually broken down into a human-readable format using specialized tools. As we go through this blog article, we’ll talk about the different tools that are out there and how to use them to identify hardcoded data and possibly even static application vulnerabilities.

This can be a difficult procedure because it necessitates a certain amount of Java knowledge and Android app development experience. Nonetheless, the majority of Android apps can be effectively reverse engineered with the correct resources and knowledge.

Android Reverse Engineering Tools

  • APKtool: An effective tool for APK file reverse engineering. It can reconstruct application resources after modifying the code, decoding them to almost their original state.
  • JADX: This program can decompile DEX (Dalvik Executable) files and translate them into understandable Java source code using both a command-line and graphical interface.
  • Dex2jar and JD-GUI: With the aid of the utility dex2jar, DEX files can be converted to Java JAR files, which can then be viewed using the Java source code viewer JD-GUI.
  • Radare2 (also known as “r2”): This is an open-source, free reverse engineering framework that may be used to decompile, alter, and examine Android apps..
  • Strings: a straightforward tool that takes a binary file and extracts and shows readable strings from it. It is a useful tool for reverse-engineering Android programs and can extract strings from Android APK files.

Frida For Reverse Engineering and Android Penetration Testing

Frida: Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers. Frida can do the below:

  • Read app memory (Full memory access)
  • Call methods/functions
  • Hook methods/functions

You can install Frida on Linux with below commands:

pip install frida-tool
pip install frida

Or simply download the latest release according to your OS from here.

Frida can be invoked with below command:

frida -U  -l injection_script.js <process name or PID>

Example of scripts that can be used are found here.

We will deep dive more into Frida in later posts around Android reverse engineering.

APKtool vs Jadx

Reverse engineering makes use of these instruments. Java source code is provided by Jadx, and Dalvik bytecode is extracted using Apktool. Further details regarding the Android operating system are available here. Launch Android Studio, make two text views, and then use the onCreate method to set their values.

Android Reverse Engineering Methodology

The AndroidManifest.xml file is where we should begin our investigation since it has all the important details about our APK. What components it has, what permissions it needs, and more. For the program to operate correctly, the Android OS needs that file to provide the necessary information.

Since decompiled Java code is easier to comprehend, we will prefer to analyze it when reverse engineering DEX bytecode. Having said that, the decompilation method may frequently fail to decompile essential functionality code.

Native code is utilized by a lot of Android apps. Because native code is written in C/C++, it is compiled for a particular computer architecture.

While malware writers use it to: (1) achieve stealth; and (2) make the code more difficult to study since it demands assembly and reverse engineering abilities, developers utilize it for optimization considerations.

We would utilize disassembly tools like Ghidra or IDA Pro to analyze Native code.

Other important avenues to look into when reverse engineering an Android apk:

META-INF/

classes.dex

lib/

assets/

Check out the video below for detailed explanation.

Video Walkthrough

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by, Motasem Hamdan, who is a Cybersecurity content creator and YouTuber.

View Articles