Link to this headingAPKs

Layout after unzipping the APK:

  • AndroidManifest.xml Details application metadata, components, permissions and other information
  • classes.dex Java CLASS files compiled into DEX (Dalvik Executable) format to be executed by Dalvik Virtual Machine
  • /META-INF/ Contains hashes of application resource files and certificate information (used to sign the application)
  • /lib/ Libraries used by application developed by third-party organization(s)
  • /res/ Raw resources used by application
  • /assets/ Application assets, such as pictures, JavaScript files, etc.
  • resources.asc File containing pre-compiled resources used by application (e.g., XML layout file)

You can extract packages from Android without root access with Apk Extractor

Link to this headingSignatures

Jar Signing (v1):

  • All entries in the META-INF/MANIFEST.MF file
  • Does not protect all files in the apk

APK Signature Scheme (v2):

  • Signature and Hash of the entire APK file

APK Signature Scheme (v3):

  • Same as v2 but also includes a chain of past certificates from older versions of the application.

Link to this headingAndroid Manifest File

android:allowClearUserData
If set to false the application is not able to delete the userdata folder. This is set to true by default.

android:debuggable
If set to true the application debugable. This is set to false by default.

android:requestLegacyExternalStorage:
If the target API is < 29 then its set to true by default.
If the target API is > 29 then its set to false by default.

If set to true ignore Android 10 restrictions to segment the /sdcard/ folder to app specific locations.

android:networkSecurityConfig:
Sets the Android Builtin Certificate Pinning information Network Security Config examples

android:hasFragileUserData:
When set to true give the user an option to keep the app data when uninstalling the app. The default value is false.

android:fullBackupContent:
Set XML file for what files can be backed up.
If you dont want anything to be backed up use data-extraction-rules

android:usesCleartextTraffic
If the target API is < 27 then its set to true by default.
If the target API is > 27 then its set to false by default.

This prevents Insecure Connections to be made.

Third party libraries may not honor this flag.
WebView honors this attribute for applications targeting API level 26 and higher.
This flag is ignored on Android 7.0 (API level 24) and above if an Android Network Security Config is present.
This attribute was added in API level 23.

android:sharedUserId
Apps signed by the same signing certificate can view and modify each other data directory

compileSdkVersion:

Link to this headinguses-sdk Tag

android:minSdkVersion
The Android system will prevent the user from installing the application if the system’s API Level is lower than the value specified in this attribute. If not specified than the Default is API 1

android:targetSdkVersion

  • This means that the App was designed and tested for this API version. This also is used in Android compatibility issues.

android:maxSdkVersion

  • This is the maximum API version and will not be installed on a device that does not meet the Requirement

Link to this headingConvert APK to readable Java

Use the apk2jar.sh:

/opt/Memory/Mobile/Android/apk2jar.sh base.apk

Get links from APK:
Apktool to LinkFinder

apktool d app.apk; cd app;mkdir collection; find . -name \*.smali -exec sh -c "cp {} collection/\$(head /dev/urandom | md5 | cut -d' ' -f1).smali" \;; linkfinder -i 'collection/*.smali' -o cli

Link to this headingJADX

Case Insensitive Class Renaming:
If there is a class with a capital B and an Lowercase b by default it will rename the class. This is good for reading the code but is bad for hooking since this is not the correct class.

To change this Go to File -> Preferences -> Rename -> System case sensitivity Uncheck.

Link to this headingReverseAPK

Download Here

  • Analyze AndroidManifest.xml
  • Static analysis

Run on APK:

/opt/Android/tools/reverse-apk.sh game.apk | tee reverse-game.log

Link to this headingQark Static Analysis on APK

Run on APK:

qark --apk path/to/my.apk

Run on Java Files:

qark --java path/to/parent/java/folder qark --java path/to/specific/java/file.java

Link to this headingInstalling Packages

If you encounter INSTALL_FAILED_TEST_ONLY then this is a debug app and must be installed with the -t flag.

If you encounter INSTALL_PARSE_FAILED_NO_CERTIFICATES then this apk is not signed. Sign with the instructions in the next section.

Install APK:

>>> adb install -r app-EiwDev-debug\ \(1\).apk Performing Push Install app-EiwDev-debug (1).apk: 1 file pushed. 4.5 MB/s (21642547 bytes in 4.607s) pkg: /data/local/tmp/app-EiwDev-debug (1).apk Failure [INSTALL_FAILED_TEST_ONLY]

Install Test Build:

>>> adb install -r -t app-EiwDev-debug\ \(1\).apk Performing Push Install app-EiwDev-debug (1).apk: 1 file pushed. 4.6 MB/s (21642547 bytes in 4.483s) pkg: /data/local/tmp/app-EiwDev-debug (1).apk Failure [INSTALL_PARSE_FAILED_NO_CERTIFICATES]

Link to this headingModifying APKs

Link to this headingSigning APK

Unzip the APK to a directory:

unzip base.apk -d base

Decompile the APK:

apktool d base_backup.apk -o base_apktool -f --force-manifest --no-assets --no-res --no-src -v

Change the Manifest File:

<application android:debuggable="true" android:allowBackup="true"

Rebuild the APK:

apktool b base_apktool base_resign.apk

Resign the apk:

/opt/android-sdk/build-tools/28.0.3/apksigner sign --ks /home/bridings/.android/debug.keystore --in base_resign.apk --out base_sign.apk --key-pass pass:android --ks-pass pass:android

Check Signature:

/opt/android-sdk/build-tools/28.0.3/apksigner verify --verbose base_sign.apk

Link to this headingDeobfuscation

Unpacking the Packed Unpacker: Reverse Engineering an Android Anti-Analysis Native Library
Path to the payload: Android Edition

Link to this headingLibraries