The examiner may need to deal with applications that stand as a barrier to accessing the required information. For instance, take the case of the gallery on a phone that is locked by an app locker application. In this case, in order to access the pictures and videos stored in the gallery, you first need to enter the passcode to the app locker. Hence, it would be interesting to know how the app locker app stores the password on the device. You might look into the SQLite database files. However, if they are encrypted, then it's hard to even predict that it's a password. Reverse engineering applications would be helpful in such cases where you want to better understand the application and how the application stores the data.
To state it in simple terms, reverse engineering is the process of retrieving source code from an executable. Reverse engineering an Android app is done in order to understand the functioning of the app, data storage, the security mechanisms in place, and more. Before we proceed to learn how to reverse engineer an Android app, here is a quick recap of the Android apps:
- All the applications that are installed on the Android device are written in the Java programming language.
- When a Java program is compiled, we get bytecode. This is sent to a dex compiler, which converts it into a Dalvik bytecode.
- Thus, the class files are converted to dex files using a dx tool. Android uses something called Dalvik virtual machine (DVM) to run its applications.
- JVM's bytecode consists of one or more class files depending on the number of Java files that are present in an application. Regardless, a Dalvik bytecode is composed of only one dex file.
Thus, the dex files, XML files, and other resources that are required to run an application, are packaged into an Android package file (an APK file). These APK files are simply a collection of items within a ZIP file. Therefore, if you rename an APK extension file to .zip, then you will be able to see the contents of the file. However, before this, you need to get access to the APK file of the application that is installed on the phone. Here is how the APK file corresponding to an application can be accessed.
Apps that come preinstalled with the phone are stored in the /system/app directory. Third-party applications that are downloaded by the user are stored in the /data/app folder. The following method helps you gain access to the APK files on the device, and it works on both rooted and nonrooted devices:
- Identify the package name of the app by issuing the following command:
List of package names present on the device
As shown in the preceding command line output, the list of package names is displayed. Try to find a match between the app in question and the package name. Usually, the package names are very much related to the app names. Alternatively, you can use the Android Market or Google Play to identify the package name easily. The URL for an app in Google Play contains the package name, as shown in the following screenshot:
Facebook App in Google Play Store
- Identify the full pathname of the APK file for the desired package by issuing the following command:
- Pull the APK file from the Android device to the forensic workstation using the
adb pullcommand:
You can also use applications such as ES Explorer to get the APK file of an Android application. Now, let's analyze the contents of an APK file. An Android package is a container for an Android app's resources and executables. It's a zipped file that contains the following files:
AndroidManifest.xml: This contains information about the permissions and moreclasses.dex: This is the class file converted to a dex file by the dex compilerRes: The application's resources, such as the image files, sound files, and more, are present in this directoryLib: This contains native libraries that the application may useMETA-INF: This contains information about the application's signature and signed checksums for all the other files in the package.
Once the APK file is obtained, you can proceed to reverse engineer the Android application.
APK files can be reverse engineered in different ways to get the original code. The following is one method that uses the dex2jar and JD-GUI tools to gain access to the application code. For our example, we will examine the com.twitter.android-1.apk file. The following are the steps to successfully reverse engineer the APK file:
- Rename the
apkextension tozipto see the contents of the file. Rename thecom.twitter.android-1.apkfile totwitter.android-1.zip, and extract the contents of this file using any file archiver application. The following screenshot shows the files extracted from the original filetwitter.android-1.zip:
Extracted files of an APK file
- The
classes.dexfile discussed in the earlier sections can be accessed after extracting the contents of the APK file. This dex file needs to be converted to a class file in Java. This can be done using the dex2jar tool. - Download the dex2jar tool from https://code.google.com/p/dex2jar/, drop the
classes.dexfile into the dex2jar tools directory, and issue the following command:C:UsersRohitDesktopTrainingAndroiddex2jar-0.0.9.15>d2j- dex2jar.bat classes.dex dex2jar classes.dex -> classes-dex2jar.jar
- When the preceding command is successfully run, it creates a new
classes-dex2jar.jarfile in the same directory, as shown in the following screenshot:
The
classes-dex2jar.jarfile created by the dex2jar tool - To view the contents of this jar file, you can use a tool such as JD-GUI. As shown in the following screenshot, the files present in an Android application and the corresponding code can be seen:
The JD-GUI tool
Once we get access to the code, it is easy to analyze how the application stores the values, permissions, and more information that may be helpful to bypass certain restrictions. When malware is found on a device, this method to decompile and analyze the application may prove useful, as it will show what is being accessed by the malware and provide clues to where the data is being sent. The following sections focus in detail on Android malware.