APKs
Layout after unzipping the APK:
- AndroidManifest.xml: application metadata, declared components, permissions and other information
- classes.dex: Java class files compiled into DEX (Dalvik Executable) format, executed by the Dalvik Virtual Machine
- /META-INF/: hashes of the application's files and the certificate information used to sign the application (v1 signature)
- /lib/: native libraries used by the application, often supplied by third-party organization(s)
- /res/: raw resources used by the application
- /assets/: application assets, such as pictures, JavaScript files, etc.
- resources.arsc: pre-compiled resources used by the application (e.g., XML layout files)
You can extract installed packages from an Android device without root access with Apk Extractor.
Signatures¶
Jar Signing (v1):
- Covers the entries listed in the META-INF/MANIFEST.MF file
- Does not protect all files in the APK
APK Signature Scheme (v2):
- Signature and hash over the entire APK file
APK Signature Scheme (v3):
- Same as v2, but also includes a chain of past certificates from older versions of the application (used for signing-key rotation).
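A small parser, added here and not taken from any tool on this page, that tells the three schemes apart by structure: v1 shows up as signature files under META-INF/, while v2 and v3 live in the APK Signing Block placed directly before the ZIP central directory and are identified by their ID-value pair IDs (0x7109871a and 0xf05368c0). It builds its own constructed fixture with a fake block so it runs offline; it reports which schemes are present and does not verify the signatures themselves.

```python
import io, struct, zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
EOCD_SIG = b"PK\x05\x06"
V2_BLOCK_ID = 0x7109871A  # ID-value pair holding the APK Signature Scheme v2 signature
V3_BLOCK_ID = 0xF05368C0  # ID-value pair holding the APK Signature Scheme v3 signature

def _eocd_and_cd_offset(data: bytes) -> tuple:
    """Locate the End of Central Directory record and read the central directory offset."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("not a ZIP/APK: no End of Central Directory record")
    return eocd, struct.unpack_from("<I", data, eocd + 16)[0]

def signing_block_ids(data: bytes) -> set:
    """IDs of the ID-value pairs in the APK Signing Block, which ends with a 16-byte magic
    directly before the central directory (empty set if the APK has no block)."""
    _, cd_offset = _eocd_and_cd_offset(data)
    if cd_offset < 32 or data[cd_offset - 16:cd_offset] != APK_SIG_BLOCK_MAGIC:
        return set()
    block_size = struct.unpack_from("<Q", data, cd_offset - 24)[0]
    start = cd_offset - block_size - 8  # the leading uint64 size field excludes itself
    if struct.unpack_from("<Q", data, start)[0] != block_size:
        raise ValueError("APK Signing Block size fields disagree (truncated or tampered?)")
    ids, pos, end = set(), start + 8, cd_offset - 24
    while pos < end:
        ids.add(struct.unpack_from("<I", data, pos + 8)[0])
        pos += 8 + struct.unpack_from("<Q", data, pos)[0]  # uint64 length covers ID + value
    return ids

def signature_schemes(data: bytes) -> dict:
    """Report which schemes an APK carries: v1 (JAR signature files in META-INF/), v2, v3."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    v1 = any(n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC")) for n in names)
    ids = signing_block_ids(data)
    return {"v1": v1, "v2": V2_BLOCK_ID in ids, "v3": V3_BLOCK_ID in ids}

def build_sample_apk(block_ids=(V2_BLOCK_ID,)) -> bytes:
    """Constructed fixture, not a real signed APK: tiny ZIP + fake block with zero-filled values."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("META-INF/CERT.RSA", b"placeholder, not a real signature")
    data = buf.getvalue()
    eocd, cd_offset = _eocd_and_cd_offset(data)
    pairs = b"".join(struct.pack("<QI", 4 + 8, bid) + b"\x00" * 8 for bid in block_ids)
    size = struct.pack("<Q", len(pairs) + 8 + 16)  # pairs + trailing size field + magic
    block = size + pairs + size + APK_SIG_BLOCK_MAGIC
    # Inserting before the central directory only moves the offset stored in the EOCD record.
    eocd_rec = data[eocd:eocd + 16] + struct.pack("<I", cd_offset + len(block)) + data[eocd + 20:]
    return data[:cd_offset] + block + data[cd_offset:eocd] + eocd_rec
```

On a real APK, `signature_schemes(open("base.apk", "rb").read())` tells you whether a v1-only package is in front of you before you reach for apksigner verify.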
Android Manifest File¶
android:allowClearUserData
If set to false, the application is not able to delete the userdata folder. This is set to true by default.
android:debuggable
If set to true, the application is debuggable. This is set to false by default.
android:requestLegacyExternalStorage
If the target API is < 29, it is set to true by default.
If the target API is > 29, it is set to false by default.
If set to true, the app ignores the Android 10 restrictions that segment the /sdcard/ folder into app-specific locations.
android:networkSecurityConfig
Points to the Network Security Config XML that holds Android's built-in certificate pinning settings (see Network Security Config examples).
android:hasFragileUserData
When set to true, the user is given an option to keep the app data when uninstalling the app. The default value is false.
android:fullBackupContent
Sets the XML file that declares which files can be backed up.
If you don't want anything to be backed up, use https://gist.github.com/UmeshJangid/677127c92743cdcf5e65361b9a5b0056
android:usesCleartextTraffic
If the target API is < 27, it is set to true by default.
If the target API is > 27, it is set to false by default.
When false, this prevents insecure (cleartext) connections from being made.
Third-party libraries may not honor this flag.
WebView honors this attribute for applications targeting API level 26 and higher.
This flag is ignored on Android 7.0 (API level 24) and above if an Android Network Security Config is present.
This attribute was added in API level 23.
android:sharedUserId
Apps signed by the same signing certificate that declare the same sharedUserId can view and modify each other's data directories.
compileSdkVersion:
uses-sdk Tag¶
android:minSdkVersion
- The Android system prevents the user from installing the application if the system's API level is lower than this value. If not specified, the default is API 1.
android:targetSdkVersion
- The API version the app was designed and tested against. Android also uses it to decide which compatibility behaviours apply.
android:maxSdkVersion
- The maximum API version; the app will not be installed on a device whose API level is higher than this value.
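An added checker, not part of the page's toolset, that resolves the application attributes and uses-sdk values above the way a manual review would: each flag is read from a decoded AndroidManifest.xml and, where absent, its default is derived from the target SDK using the documented Android defaults (cleartext allowed up to targetSdk 27, legacy external storage up to 28). The sample manifest is constructed; the `target_sdk` parameter is for apktool output, where the uses-sdk values live in apktool.yml rather than in the manifest.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (not from a real app): targets API 25, is debuggable,
# sets neither usesCleartextTraffic nor networkSecurityConfig, and declares a sharedUserId.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app" android:sharedUserId="com.example.shared">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="25"/>
  <application android:debuggable="true" android:label="Example">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

def _flag(elem, name, default):
    """Resolve an android: boolean attribute, falling back to the given default."""
    value = elem.get(ANDROID_NS + name)
    return default if value is None else value.lower() == "true"

def audit_manifest(xml_text: str, target_sdk=None) -> dict:
    """Return {check: message} for the risky settings described above. target_sdk overrides
    the <uses-sdk> tag, which apktool moves into apktool.yml (jadx leaves it in the manifest)."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    uses_sdk = root.find("uses-sdk")
    if target_sdk is None:  # Android falls back to API 1 when the tag is absent
        target_sdk = int(uses_sdk.get(ANDROID_NS + "targetSdkVersion", 1)) if uses_sdk is not None else 1
    findings = {}
    if _flag(app, "debuggable", False):
        findings["debuggable"] = "android:debuggable=true: a debugger can attach to the app"
    if _flag(app, "allowBackup", True):
        findings["allowBackup"] = "android:allowBackup resolves to true: app data can be pulled with adb backup"
    # Documented defaults: cleartext allowed up to targetSdk 27 and denied from 28;
    # a networkSecurityConfig takes precedence over the flag on API 24+.
    if app.get(ANDROID_NS + "networkSecurityConfig") is None:
        findings["networkSecurityConfig"] = "no android:networkSecurityConfig: no platform-level pinning or cleartext policy declared"
        if _flag(app, "usesCleartextTraffic", target_sdk <= 27):
            findings["usesCleartextTraffic"] = f"cleartext traffic allowed with targetSdk {target_sdk}"
    # Documented default: true up to targetSdk 28, false from 29 (scoped storage enforced).
    if _flag(app, "requestLegacyExternalStorage", target_sdk <= 28):
        findings["requestLegacyExternalStorage"] = "legacy (unscoped) /sdcard access in use"
    shared = root.get(ANDROID_NS + "sharedUserId")
    if shared:
        findings["sharedUserId"] = f"sharedUserId={shared}: data directory shared with other apps signed by the same certificate"
    return findings
```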
Convert APK to readable Java¶
Use apk2jar.sh:
/opt/Memory/Mobile/Android/apk2jar.sh base.apk
Get links from an APK (Apktool output fed to LinkFinder; `md5` is the macOS command, use `md5sum` on Linux). The copied smali files get random names so same-named classes from different packages do not overwrite each other, and `-prune` keeps find out of the collection directory it is filling:
apktool d app.apk; cd app; mkdir collection; find . -path ./collection -prune -o -name '*.smali' -exec sh -c 'cp "$1" "collection/$(head /dev/urandom | md5 | cut -d" " -f1).smali"' _ {} \; ; linkfinder -i 'collection/*.smali' -o cli
JADX¶
Case-insensitive class renaming:
If two classes differ only in case (for example B and b), JADX renames one of them by default. This is good for reading the code but bad for hooking, since the renamed name is not the real class name.
To change this, go to File -> Preferences -> Rename and uncheck "System case sensitivity".
ReverseAPK¶
Download Here
- Analyze AndroidManifest.xml
- Static analysis
Run on APK:
/opt/Android/tools/reverse-apk.sh game.apk | tee reverse-game.log
Qark Static Analysis on APK¶
Run on APK:
qark --apk path/to/my.apk
Run on Java Files:
qark --java path/to/parent/java/folder
qark --java path/to/specific/java/file.java
Installing Packages¶
If you encounter INSTALL_FAILED_TEST_ONLY, the app is a test/debug build and must be installed with the -t flag.
If you encounter INSTALL_PARSE_FAILED_NO_CERTIFICATES, the APK is not signed. Sign it following the instructions in the Signing APK section below.
Install APK:
>>> adb install -r app-EiwDev-debug\ \(1\).apk
Performing Push Install
app-EiwDev-debug (1).apk: 1 file pushed. 4.5 MB/s (21642547 bytes in 4.607s)
pkg: /data/local/tmp/app-EiwDev-debug (1).apk
Failure [INSTALL_FAILED_TEST_ONLY]
Install Test Build:
>>> adb install -r -t app-EiwDev-debug\ \(1\).apk
Performing Push Install
app-EiwDev-debug (1).apk: 1 file pushed. 4.6 MB/s (21642547 bytes in 4.483s)
pkg: /data/local/tmp/app-EiwDev-debug (1).apk
Failure [INSTALL_PARSE_FAILED_NO_CERTIFICATES]
Modifying APKs¶
Signing APK¶
Unzip the APK to a directory:
unzip base.apk -d base
Decompile the APK (manifest only; resources, assets and sources are left untouched):
apktool d base_backup.apk -o base_apktool -f --force-manifest --no-assets --no-res --no-src -v
Change the manifest file, e.g. add the debuggable and backup attributes to the application tag:
<application android:debuggable="true" android:allowBackup="true"
Rebuild the APK (apktool b takes the output file with -o; a second positional argument is silently ignored and the build lands in dist/):
apktool b base_apktool -o base_resign.apk
Resign the APK (the debug keystore uses the password android for both the store and the key):
/opt/android-sdk/build-tools/28.0.3/apksigner sign --ks /home/bridings/.android/debug.keystore --in base_resign.apk --out base_sign.apk --key-pass pass:android --ks-pass pass:android
Check the signature:
/opt/android-sdk/build-tools/28.0.3/apksigner verify --verbose base_sign.apk
Deobfuscation¶
https://www.youtube.com/watch?v=s0Tqi7fuOSU
https://recon.cx/media-archive/2019/Session.005.Maddie_Stone.The_path_to_the_payload_Android_Edition-J3ZnNl2GYjEfa.mp4