Android Reverse Engineering 101 – Part 1
2015-12-26 01:02
471 查看
Android Reverse Engineering 101 – Part 1
This is the first in a series of articles about reverse engineering Android applications.In this series I will cover the anatomy of the APK and AAR package formats and few tools commonly used to reverse engineering or inspecting applications: aapt, dex2jar, apktool and Androguard.
Part 1 – APK and AAR format
Part 2 – aapt
Part 3 – dex2jar
Part 4 – apktool
Part 5 – Androguard
Is this just for hackers?
Short answer is no.There are many reasons why you would take into consideration these tools besides trying to hack or inject malicious code into an application, specially if you are a developer.
First, there may be an application with a particular layout or animation which you would like to replicate: using these tools you could access the XML resource files of interest.
Then, you may have a look at how specific business logic has been implemented by an application: it’s not a matter of stealing third-party software, but simply double check if you can improve your own code or get any useful hint for improvements.
Last but not least, it is always a good practice to test your own application for security reasons: to check if the code or the resources have been effectively obfuscated or to be sure that unwanted files have not been packaged into the final release APK. You would be surprised about how many APK files are full of information like API keys, authentication tokens or unused resources.
APK format
The APK bundle is the format used to package any application you develop or that you can get from Google Play Store or any other channel. In other words, for each application present on your device, there is a corresponding APK file (this is true also for pre-installed applications).An APK file is essentially a ZIP file, so you can get one, rename it and then extract it to have access to its content.
Entry | Notes |
---|---|
AndroidManifest.xml | the manifest file in binary XML format. |
classes.dex | application code compiled in the dex format. |
resources.arsc file | containing precompiled application resources, in binary XML. |
res/ | folder containing resources not compiled into resources.arsc |
assets/ | optional folder containing applications assets, which can be retrieved by AssetManager. |
lib/ | optional folder containing compiled code - i.e. native code libraries. |
META-INF/ | folder containing the MANIFEST.MF file, which stores meta data about the contents of the JAR.The signature of the APK is also stored in this folder. |
APK file content example.
WHAT’S DEX?
In short, DEX, or Dalvik Executable is a file format that contains compiled code written for Android and can be interpreted by the Dalvik virtual machine or by the Android Runtime (ART).When an APK file is produced by the Android build system (like when you “run” your application project from Android Studio), the Java classes are first compiled into
.classfiles and later a tool called dx will convert these files in the DEX format. dx is part of the Android toolchain, the Build Tools, and you can find it at this location:
$ANDROID_SDK/build-tools
Specific details about the layout and the contents of a DEX file can be found here.
HOW CAN YOU GET AN APK FILE?
There are few ways to do that:if you need any arbitrary application, you can rely on online services like this one, getting the APK file directly from your desktop browser.
if the application is installed on your device, you could simply rely on a backup utility like this one, and it will make a copy of the apk on a public folder on your device memory or on the SD card.
inside folder
/system/app, you can find pre-installed applications, such as: calculator, Chrome, camera, … it depends on the particular ROM installed on your device.
inside folder
/data/app, you can find user installed applications.
In order to get an APK from your device, you can first list the available packages with the following command (remember to attach your device to the USB):
adb shell pm list packages -f
Having the path of the APK file, you can now pull it:
adb pull -p PATH/base.apk OUTPUT.apk
-poption simply displays the transfer progress, while the output filename is not mandatory, if omitted,
base.apkis used instead.
adb pull -p
You may wonder how backup applications are able to give you an APK: in fact, if you try to access the
/data/appfolder from any file manager application installed on your device, you can see that is not possible, access is denied.
But it’s indeed true that programmatically you can have access to the APK of the user installed applications.
First you need to retrieve the list of the applications:
final Intent mainIntent = new Intent(Intent.ACTION_MAIN, null); mainIntent.addCategory(Intent.CATEGORY_LAUNCHER); List<ResolveInfo> infos = getPackageManager().queryIntentActivities(mainIntent, 0);
Then, through the
ResolveInfo, you can access the
publicSourceDir fieldof the
ApplicationInfoclass, which is the full path to the publicly available parts of
sourceDir, including resources and manifest.
File apkFile = new File(pkgInfo.activityInfo.applicationInfo.publicSourceDir); if(apkFile.exists()) { ... }
AAR format
The AAR bundle is the binary distribution of an Android Library Project: for example, the Android Support Library you may use in your application is packaged using this format. Also, if your Android project is set to release a library and not an application for the store, the format would this one as well.An AAR file is essentially a ZIP file, so you can get one, rename it and then extract it to have access to its content.
These are the main entries you will find in an AAR file, even though there could be other files.
Entry | Required | Notes |
---|---|---|
AndroidManifest.xml | mandatory | the manifest file in plain XML. |
classes.jar | mandatory | Java classes of the library. |
res/ | mandatory | folder containing resources used by the library. |
R.txt | mandatory | output of aapt with –output-text-symbols. It’s basically a list of all resources referenced by the library (strings, colors, dimens, attrs, layouts, …). |
assets/ | optional | folder containing assets used by the library. |
libs/*.jar | optional | folder containing any external library. |
jni//*.so | optional | folder containing native libraries. |
proguard.txt | optional | Proguard configuration file. |
lint.jar | optional | custom Lint rules. |
AppCompat-v7 23.1.0 aar file content.
One difference, compared to the apk, is the format of the
AndroidManifest.xmlfile and the resources located in the
resfolder: in the aar package they are in plain XML, so you can easily open them.
Please note, for example, that the Support Library you usually declare as a dependency in your projects, come in the aar format and you can retrieve them at:
$ANDROID_SDK/extras/android/m2repository/com/android
In the rest of this series, I will focus anyway on the APK format only, because it’s the one used to package the applications installed on any device and distributed through Google Play Store or other channels.
In the next article, I will speak about aapt and dex2jar tools and how you can use them to retrieve important information about the apk file under analysis.
相关文章推荐
- 10.Android之ProgressDialog进度对话框学习
- Android App打包自动生成版本号Versin Name与Version Code方法之完美方案
- 【Android】《第一行代码—Android》第四章总结
- android 图片二次采样,质量压缩,LruCache缓存
- Android Studio设置内存大小
- Android时间选择器TimePicker和数字选择器NumberPicker和TimePickerDialog
- Mac OS X 10.10.3下android-5.1.1_r9 源码下载与编译
- Android之原生动作
- Android 打电话,发短信,调用系统浏览器
- Eclipse for android 实现代码自动提示智能提示功能
- Android Fragment全解析+Fragment与Activity通信
- Android动画使用方式详解
- Intent 和Intent-filter
- Android ListView观察者模式浅析
- LogHtml-Android本地日志工具
- Apktool反编译工具的使用
- android findviewByid()关于空指针
- android View的事件体系
- android adt中R程序丢失
- Android之Toast