Android APK Reverse Engineering
What is reverse engineering? Here is the definition from Wikipedia.
Reverse engineering, also called back engineering, is the process by which a man-made object is deconstructed to reveal its designs, architecture, or to extract knowledge from the object; similar to scientific research, the only difference being that scientific research is about a natural phenomenon.
As an Android programmer, you might be interested in how an app's feature works or which libraries it uses, or you may want to find out the app's architecture and components under the hood. To do that, we can try to extract the app's source and check how it works. The first technique to consider is reverse engineering.
A Simple Example
Let's take an example. There is an algorithms app on the Play Store that we can install on our Android device. Our target is to unlock all the algorithm items, rebuild the app and install it on the device, so that we can see the details of every algorithm item instead of being blocked.
Step by step
- Download the app from the app store or install it from somewhere else.
- Find the target app and pull it from the Android device.
- Decompile the APK with apktool.
- Extract the source code from the app with jadx.
- Make a small change to check that it works.
- Rebuild the code into an APK with apktool.
- Sign the APK with a key.
- Install the APK with adb or manually.
Get the target app package name from the device
Get current foreground package name
> adb shell dumpsys activity recents | grep 'Recent #0' | cut -d= -f2 | sed 's| .*||' | cut -d '/' -f1
Alternatively, list all packages from the package manager
> adb shell pm list packages
Get the APK path via the package manager
> adb shell pm path wiki.algorithm.algorithms
Pull the APK from the device using the path above
> adb pull {apk path in device} path/to/desired/destination
You can rename the APK; I renamed it to algorithms.apk.
Decompile the app with apktool
> apktool d algorithms.apk
View the source code with jadx
We can use jadx-gui to read the code as Java. It is very convenient, because reading smali files is a pain point for most Java developers.
//open the APK in jadx-gui
> jadx-gui algorithms.apk
Although the app obfuscates some methods and classes, we can still get useful information from the code. After checking the code, we found an obfuscated method j() that looks like a purchase status check. But we need to modify the smali file instead of modifying this Java code directly.
In MenuActivity, we change the register value v1 to 0x1. That means we treat the default value z as true.
Rebuild the APK from the source folder with apktool
> apktool b algorithms
Sign with the debug key
We don't have the password for the release key. For easier verification, we just sign with the debug key. The default debug keystore info is as follows.
//Default debug keystore info
Keystore name: “debug.keystore”
Keystore password: “android”
Key alias: “androiddebugkey”
Key password: “android”
CN: “CN=Android Debug,O=Android,C=US”
CLI to sign with the debug key
> jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore ~/.android/debug.keystore algorithms.apk androiddebugkey
Finally, we have the app with all items unlocked :) Awesome, but from an Android developer's perspective, we need to think about how to prevent this kind of hack.
Enhancement
To improve your decompiling skills, the first thing is to learn smali. Further on, you can try to decompile the .so/.o files if the APK wraps a C/C++ library.
App Bundles
For apps that use App Bundles, there are several split APKs on the device. The Medium app is an example.
> adb shell pm path com.medium.reader
package:/data/app/com.medium.reader-ZUsrEBPYC0pS79TVRrVlbQ==/base.apk
package:/data/app/com.medium.reader-ZUsrEBPYC0pS79TVRrVlbQ==/split_config.xxhdpi.apk
If you try to install only one of the APKs, you might get the following error:
> adb install medium.apk
Performing Streamed Install
adb: failed to install base.apk: Failure [INSTALL_FAILED_VERIFICATION_FAILURE]
So we need to use adb install-multiple to install all the parts together.
> adb install-multiple base.apk split_config.xxhdpi.apk
Success
Prevent Hacking
We can do things like the following to make our app harder to hack. We also need to think about how to protect sensitive data such as keys and private info.
Obfuscation:
One way is to transform readable code into obfuscated code.
- ProGuard
- DexGuard
Native Code (C/C++):
Native code is compiled for the device architecture (typically ARM) and is harder to reverse, since the attacker also needs ARM reverse-engineering knowledge. So if you have verification code, consider implementing it in native code.
Self-Validation:
- verification of DEX
- verification of apk
- verification of signature