The examiner may need to deal with applications that stand as a barrier to accessing the required information. For instance, take the case of the gallery on a phone that is locked by an app locker application. In this case, in order to access the pictures and videos stored in the gallery, you first need to enter the passcode to the app locker. Hence, it would be interesting to know how the app locker app stores the password on the device. You might look into the SQLite database files. However, if they are encrypted, then it's hard to even predict that it's a password. Reverse engineering applications would be helpful in such cases where you want to better understand the application and how the application stores the data.
To state it in simple terms, reverse engineering is the process of retrieving source code from an executable. Reverse engineering an Android app is done in order to understand the functioning of the app, data storage, the security mechanisms in place, and more. Before we proceed to learn how to reverse engineer an Android app, here is a quick recap of the Android apps:
Thus, the dex files, XML files, and other resources that are required to run an application, are packaged into an Android package file (an APK file). These APK files are simply a collection of items within a ZIP file. Therefore, if you rename an APK extension file to .zip
, then you will be able to see the contents of the file. However, before this, you need to get access to the APK file of the application that is installed on the phone. Here is how the APK file corresponding to an application can be accessed.
Apps that come preinstalled with the phone are stored in the /system/app
directory. Third-party applications that are downloaded by the user are stored in the /data/app
folder. The following method helps you gain access to the APK files on the device, and it works on both rooted and nonrooted devices:
As shown in the preceding command line output, the list of package names is displayed. Try to find a match between the app in question and the package name. Usually, the package names are very much related to the app names. Alternatively, you can use the Android Market or Google Play to identify the package name easily. The URL for an app in Google Play contains the package name, as shown in the following screenshot:
adb pull
command:You can also use applications such as ES Explorer to get the APK file of an Android application. Now, let's analyze the contents of an APK file. An Android package is a container for an Android app's resources and executables. It's a zipped file that contains the following files:
AndroidManifest.xml
: This contains information about the permissions and moreclasses.dex
: This is the class file converted to a dex file by the dex compilerRes
: The application's resources, such as the image files, sound files, and more, are present in this directoryLib
: This contains native libraries that the application may useMETA-INF
: This contains information about the application's signature and signed checksums for all the other files in the package.Once the APK file is obtained, you can proceed to reverse engineer the Android application.
APK files can be reverse engineered in different ways to get the original code. The following is one method that uses the dex2jar and JD-GUI tools to gain access to the application code. For our example, we will examine the com.twitter.android-1.apk
file. The following are the steps to successfully reverse engineer the APK file:
apk
extension to zip
to see the contents of the file. Rename the com.twitter.android-1.apk
file totwitter.android-1.zip
, and extract the contents of this file using any file archiver application. The following screenshot shows the files extracted from the original file twitter.android-1.zip
:classes.dex
file discussed in the earlier sections can be accessed after extracting the contents of the APK file. This dex file needs to be converted to a class file in Java. This can be done using the dex2jar tool.classes.dex
file into the dex2jar tools directory, and issue the following command:C:UsersRohitDesktopTrainingAndroiddex2jar-0.0.9.15>d2j- dex2jar.bat classes.dex dex2jar classes.dex -> classes-dex2jar.jar
classes-dex2jar.jar
file in the same directory, as shown in the following screenshot:Once we get access to the code, it is easy to analyze how the application stores the values, permissions, and more information that may be helpful to bypass certain restrictions. When malware is found on a device, this method to decompile and analyze the application may prove useful, as it will show what is being accessed by the malware and provide clues to where the data is being sent. The following sections focus in detail on Android malware.