
Android Pentest Series P1

Contents
What is an APK?
What are APK components?
What are Android components?
Tools needed to set up
Reverse APK
Resources for Android programming
Labs
References

What is an APK?

APK stands for Android Package (sometimes Android Package Kit or Android Application Package). It’s the file format that Android uses to distribute and install apps. As a result, APKs contain all the elements that an app needs to install correctly on your device.

An APK is basically a ZIP file (you can rename the file extension to .zip to open it and see its contents).

Opened this way, however, most of the files are still in binary form and unreadable, so a later part will show the right way to view them in readable form.

What are APK components?

AndroidManifest.xml

The manifest file describes the app structure, its components (activities, services, content providers, and intent receivers), and requested permissions. It also contains general app metadata, such as the app’s icon, version number, and theme.

Here is an example of a manifest file, including the package name (the convention is a reversed URL, but any string is acceptable). It also lists the app version, relevant SDKs, required permissions, exposed content providers, broadcast receivers used with intent filters, and a description of the app and its activities:

```xml
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.owasp.myapplication"
    android:versionCode="1"
    android:versionName="0.1" >
    <!-- versionCode must be an integer; the human-readable version goes in versionName -->

    <uses-sdk android:minSdkVersion="12"
        android:targetSdkVersion="22"
        android:maxSdkVersion="25" />

    <uses-permission android:name="android.permission.INTERNET" />

    <application
        android:icon="@drawable/ic_launcher"
        android:label="@string/app_name"
        android:theme="@style/Theme.Material.Light" >

        <!-- providers and receivers are app components and must be declared inside <application> -->
        <provider
            android:name="com.owasp.myapplication.MyProvider"
            android:authorities="com.owasp.myapplication.provider"
            android:exported="false" />

        <receiver android:name=".MyReceiver" >
            <intent-filter>
                <action android:name="com.owasp.myapplication.myaction" />
            </intent-filter>
        </receiver>

        <activity
            android:name="com.owasp.myapplication.MainActivity" >
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
            </intent-filter>
        </activity>
    </application>
</manifest>
```

classes.dex

This is the actual code of the app. "dex" is short for Dalvik Executable. The source code is written in files with the extension ".java" or ".kt"; when compiled it becomes ".class" files. On Android, all these class files are further converted and optimized, then packed into a single dex file that the Android runtime can execute efficiently.

lib/

Native libraries for the application. Under the lib/ directory there are CPU-specific subdirectories (e.g. armeabi, mips) that store precompiled code as Linux shared object (.so) files. The .so files are libraries created by the developer or by third parties. If an attacker finds a way to modify or replace these files and get them executed, the result can be arbitrary code execution.

assets/

Any other files that may be needed by the app. Additional native libraries or DEX files may be included here. This can happen especially when malware authors want to try and “hide” additional code, native or Dalvik, by not including it in the default locations.

META-INF/

Contains files related to the integrity and authenticity of the app. This folder contains three files:

MANIFEST.MF
It contains various information used by the Java runtime environment when loading the jar file, such as the main class to run from the jar, the package version, build number, creator of the package, security policies/permissions of Java applets and Java Web Start packages, and the list of file names in the jar along with their SHA1 digests.
CERT.SF
This contains the list of all files along with their SHA-1 digest.
CERT.RSA
This contains the signature over the CERT.SF file along with the certificate chain of the public key used for signing the contents.

res/

res/ is where the app resources that are not compiled into resources.arsc are stored. As you can see, there are many subfolders inside it, each holding a different type of resource. For example, the values folder has a file strings.xml that holds all the string constants for the app, which may include secrets such as an API key or AWS Cognito identifiers.

What are Android components?

Activities :

An activity is the entry point for interacting with the user. In short, an Activity performs actions on the screen.
Each activity needs to be declared in the Android Manifest with the following syntax:

```xml
<activity android:name="ActivityName">
</activity>
```

Fragments: a fragment represents a behavior or a portion of the user interface within an activity. Fragments don't need to be declared in the manifest because they depend on activities.

Example in Java:

```java
public class MyFragment extends Fragment {
    ...
}
```

Services :

A service is a component that runs in the background to perform long-running operations. For example, a service might play music in the background while the user is in a different application.

```xml
<service android:name=".ExampleService" />
```

Broadcast receivers :

They handle communication between the Android OS and applications.

Content providers :

A content provider component supplies data from one application to others on request. The data may be stored in the file system, in a database, or somewhere else entirely.

Every component will get its own part in the future, so this is just an intro.
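Which of these components other apps can reach is decided by the manifest, so a first triage step after decoding an APK is to list the exported ones. As an added example (not from the original post), this Python script reads a decoded AndroidManifest.xml in the text form apktool produces and reports components that are exported explicitly (android:exported="true"), implicitly (no exported attribute but an intent-filter), or by the old provider default (exported when minSdk or targetSdk is 16 or lower). The sample manifest is constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "service", "receiver", "provider")

# Constructed sample in the text form apktool decodes to; not a real app's manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.myapplication">
    <uses-sdk android:minSdkVersion="16" android:targetSdkVersion="22" />
    <application>
        <activity android:name=".MainActivity">
            <intent-filter><action android:name="android.intent.action.MAIN" /></intent-filter>
        </activity>
        <activity android:name=".DebugActivity" android:exported="true" />
        <service android:name=".SyncService" />
        <receiver android:name=".MyReceiver">
            <intent-filter><action android:name="com.example.myaction" /></intent-filter>
        </receiver>
        <provider android:name=".MyProvider" android:authorities="com.example.data" />
    </application>
</manifest>"""

def is_exported(tag: str, elem, min_sdk: int, target_sdk: int) -> bool:
    declared = elem.get(ANDROID + "exported")
    if declared is not None:
        return declared == "true"
    if tag == "provider":
        # Providers default to exported when minSdk or targetSdk is 16 or lower.
        return min(min_sdk, target_sdk) <= 16
    # Other components default to exported when they carry an intent-filter.
    return elem.find("intent-filter") is not None

def exported_components(manifest_xml: str) -> list:
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    min_sdk = int(sdk.get(ANDROID + "minSdkVersion", "1")) if sdk is not None else 1
    target_sdk = int(sdk.get(ANDROID + "targetSdkVersion", str(min_sdk))) if sdk is not None else min_sdk
    app = root.find("application")
    findings = []
    for tag in COMPONENTS:
        for elem in (app.findall(tag) if app is not None else []):
            if is_exported(tag, elem, min_sdk, target_sdk):
                findings.append({"type": tag, "name": elem.get(ANDROID + "name"),
                                 "reason": "explicit" if elem.get(ANDROID + "exported") else "implicit",
                                 "permission": elem.get(ANDROID + "permission")})  # None = unguarded
    return findings
```

Every finding with permission None is a component any app on the device can invoke; that is the list to review first when looking for tampering or data-exposure bugs.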

Tools needed to set up

  1. Apktool :
    You can use apktool to decode the APK, make changes in the smali code, rebuild it into an APK and then sign it.
    apktool
  2. keytool & apksigner
  3. Android studio
  4. emulator
  5. apk studio
  6. jadx-gui
  7. drozer learn drozer from here
  8. frida learn frida

You can install the tools on Windows and add them to the PATH environment variable, which makes using them from cmd much easier.

Reverse APK

This is just a quick intro to reversing an APK.

Reverse APK
Application reverse engineering is used to find bugs such as code tampering; the source code can also be reviewed by using reverse engineering.
Decompiling the APK
APKs are zip archives that store the Android app. They no longer contain the Java source files, so decompiling them only gives you the "compiled" byte code.

The tool apktool supports decoding: `apktool d file.apk`. Use -r to avoid decoding the resources (e.g., images, etc.). This is useful if you want to recompile it later because you made changes, etc.

Alternatively, you can use a tool like jadx-gui, which is easier, or MobSF.

Reverse Engineering Android Applications

Source code obfuscation

Android Runtime (ART) executes .dex files, which are part of the APK package. Dalvik bytecode (.dex) can be translated to equivalent Java bytecode. The conversion is not perfect and cannot be reversed, but the resulting Java code can be easily read and analyzed. Understanding the code, specifically the implemented security mechanisms, gives the attacker a great advantage and significantly increases the chance of exploiting the application.

To mitigate that risk, developers can obfuscate the source code. Obfuscation is a process of making code difficult for humans to understand without changing its semantics and functionality. The most typical techniques used by obfuscators are renaming methods/parameters, modifying the flow of the code, and encrypting strings and assets.

The most popular obfuscators for Android code are ProGuard and DexGuard. The first one is available for free, but offers less protection against reverse engineering.

Code Signing

APKs have to be signed by the developer. But you can be your own developer; you still have to sign them. So after you have decoded the APK, you can rebuild it as follows: `apktool b <path-to-decompiled> -o unsigned.apk`

A signing program is available from the following git repository: https://github.com/glitterballs/release-tools.git Go to its SignApk directory and run the following: `java -jar signapk.jar certificate.pem key.pk8 unsigned.apk signed.apk` You can create your own certificate and key to do the signing if you want.

Once you download an app from the Play Store (a secure download), you can reverse the APK, modify the code, build the APK again and sign it to install the app on a device.

An easy way to sign the APK is this app: https://m.apkpure.com/ar/apk-signer/com.haibison.apksigner

Or you can do it manually with keytool & jarsigner.
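The META-INF section above and the rebuild-and-sign step here are two sides of the same check: the signature files list a digest for every entry, so a repacked APK whose META-INF/ was left untouched is detectable. As an added Python example (not from the original post), this builds a small APK-shaped zip with a v1-style MANIFEST.MF, recomputes the SHA1 digest of each entry and flags entries that were modified or added after signing. The sample entries are constructed, not taken from a real app.

```python
import base64
import hashlib
import io
import zipfile

SAMPLE_ENTRIES = {  # constructed sample content, not a real app
    "AndroidManifest.xml": b"<binary-xml placeholder>",
    "classes.dex": b"dex\n035\x00" + b"\x00" * 16,
    "lib/armeabi-v7a/libnative.so": b"\x7fELF" + b"\x00" * 12,
}

def b64_sha1(data: bytes) -> str:
    return base64.b64encode(hashlib.sha1(data).digest()).decode()

def build_apk(entries: dict, signed_entries: dict = None) -> bytes:
    # MANIFEST.MF digests cover `signed_entries` (default: entries); passing a modified
    # `entries` with the original `signed_entries` mimics a repack without re-signing.
    listed = entries if signed_entries is None else signed_entries
    lines = ["Manifest-Version: 1.0", "Created-By: constructed example", ""]
    for name, data in listed.items():
        lines += [f"Name: {name}", f"SHA1-Digest: {b64_sha1(data)}", ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
        z.writestr("META-INF/MANIFEST.MF", "\r\n".join(lines))
    return buf.getvalue()

def parse_manifest_mf(text: str) -> dict:
    # Entry name -> SHA1-Digest. Long names wrap onto " "-prefixed continuation lines (not handled).
    digests, name = {}, None
    for line in text.splitlines():
        if line.startswith("Name: "):
            name = line[6:]
        elif line.startswith("SHA1-Digest: ") and name:
            digests[name] = line[13:]
    return digests

def check_v1_digests(apk_bytes: bytes) -> dict:
    # {entry: "ok" | "MISMATCH" | "unlisted"} for every entry outside META-INF/
    results = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        expected = parse_manifest_mf(z.read("META-INF/MANIFEST.MF").decode())
        for info in z.infolist():
            if info.is_dir() or info.filename.startswith("META-INF/"):
                continue
            want, got = expected.get(info.filename), b64_sha1(z.read(info))
            results[info.filename] = "unlisted" if want is None else ("ok" if want == got else "MISMATCH")
    return results
```

This covers only the v1 (JAR) per-entry digests; current APKs also carry v2/v3 signing blocks over the whole zip, which `apksigner verify` checks for you.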

Dalvik & Smali

Most Android applications are written in Java; Kotlin is also supported and is interoperable with Java.

Instead of the Java code being run in a Java Virtual Machine (JVM) like desktop applications, on Android the Java is compiled to the Dalvik Executable (DEX) bytecode format.
For earlier versions of Android, the bytecode was executed by the Dalvik virtual machine. For more recent versions of Android, the Android Runtime (ART) is used.
So when developers write in Java, the code is compiled to DEX bytecode.

To reverse engineer, go in the opposite direction.

Smali is the human-readable version of Dalvik bytecode. Technically, smali and baksmali are the names of the tools (assembler and disassembler, respectively), but in Android we often use the term "Smali" to refer to the instructions themselves.
Smali is like an assembly language: it sits between the higher-level source code and the bytecode.

Resources for Android :

English playlist for basic Android

Labs :

  1. InjuredAndroid (it will be better if you solve the lab first and then see how the author solves it: Solve)
  2. Insecureshop
  3. InsecureBankv2
  4. ovaa

It will be better if you solve the labs in this order.

References :

  1. Oversecured
  2. Android Notes
  3. awesome Android security
  4. Android Reverse
  5. Reports
  6. MSTG OWASP TOP 10 MOB
This post is licensed under CC BY 4.0 by the author.
