Android apk file static analysis possibility

Questions and Answers about all things *OS (macOS, iOS, tvOS, watchOS)

Post by Wingzero » Mon Sep 18, 2017 2:38 am

Hi there,

Though we usually ask iOS and macOS questions here, I have an Android question (since you wrote the Android book and have mastered them).

We all know a Mach-O file contains lots of information, like the class definitions and the cstring text section.

So let's say we have a func in iOS:

    [sdk initWithAPIKey:@"12345"]

We can detect this @"12345" in the cstring section, and if we dig deeper, we can also dig out that the method "initWithAPIKey:" will get the address of @"12345" and finally make the call, so we know it's @"12345" rather than another string that is sent to "initWithAPIKey", thanks to the Mach-O design.

Now my question is, is it possible to do static analysis on an Android binary file just like Mach-O, and even more, can we do analysis like the above? (Ideally, given a Java function foo(String s), I want to know what s is sent to foo.) Thanks in advance!
Wingzero
 
Posts: 34
Joined: Thu Jul 27, 2017 2:35 am

Re: Android apk file static analysis possibility

Post by Siguza » Mon Sep 18, 2017 10:43 am

I have hardly ever looked at any Android stuff, but I downloaded an example apk, unzipped it and found a "classes.dex" inside. A quick Google search revealed that there are many ways of converting that to regular java class files, which can then be thrown into your favourite decompiler. (To my amazement, I also just learned that radare2 works on plain .dex files and can disassemble java bytecode!)

I know that Android can also have native Apps, but I couldn't find an example apk on the web just now. I'm certain whatever form that has though, there will be tools to convert it into some format that your favourite disassembler will like, if it doesn't support that format itself already. :P

(In other news, there actually seems to be an abandoned android internals forum... uhm, J?)
Siguza
Unicorn
 
Posts: 159
Joined: Thu Jan 28, 2016 10:38 am

Re: Android apk file static analysis possibility

Post by scknight » Mon Sep 18, 2017 7:30 pm

Here are my go-to tools for APKs

APKTool to unpack an Android APK into all its resources and smali
https://ibotpeaches.github.io/Apktool/

Dex2Jar for converting dex files into jars
https://github.com/pxb1988/dex2jar

Java Decompiler for browsing the jars
http://jd.benow.ca/

That's cool that radare2 works with some of this as well
scknight
 
Posts: 27
Joined: Thu Nov 10, 2016 1:01 pm

Re: Android apk file static analysis possibility

Post by morpheus » Tue Sep 19, 2017 1:36 am

I'm amazed people still use dex2jar.

My Dextra (http://NewAndroidBook.com/tools/dextra.html) will give you Dex2jar + java decompiler. That will get you almost full java source. And it's trivial to then grep it for what you need.

Also, you can always look at the class, string, field and method pools. See extra page for details. And thanks for asking :-)

Shame on you guys for recommending radare! :-P And yeah. Somehow people weren't into the Android forum. I'll resurrect it when I finally wrap Volume II of that together..
morpheus
Site Admin
 
Posts: 532
Joined: Thu Apr 11, 2013 6:24 pm

Re: Android apk file static analysis possibility

Post by Wingzero » Tue Sep 19, 2017 3:36 am

lol I will give Dextra a try definitely, and thanks everyone who's answering!

BTW @morpheus, is there any material/book about the Android binary file layout (maybe after converting byte code to some sort of format that is human readable?) I barely know Java, but I know some tools like dex2jar, JD-GUI and some other open source tools for decompiling. I searched for your book on Chinese stores, no footprint at all after you announced your latest Android book..

Ideally, I have a research project that can write code to parse mach-O file, like which func uses which string parameter (using func_starts and open source project capstone, which can turn machine code to asm code), I am very curious if this can work on android side.

So I am looking for the equivalent part of cstring section, function_starts for android, and how to convert byte code to human readable code (like asm code), if any project like capstone. I know it's kind of in depth topic, so wondering if any book covers it.

UPDATE:
I have looked into Dextra, looks amazing. Is it open source? I saw the decompiler can produce java code and recognize the string parameter correctly, which is exactly what I want. I don't need the decompiled code, just need which function uses what string.
Wingzero
 
Posts: 34
Joined: Thu Jul 27, 2017 2:35 am
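
The string pool mentioned earlier in the thread is the closest DEX counterpart to the cstring section asked about in the post above, and the method pool lists every method reference. An added example, not part of the thread and not Dextra's code: a minimal Python reader for both pools of a classes.dex, exercised on a constructed blob whose names (Lcom/example/Sdk;, initWithApiKey) are made up. Linking a string to one particular call additionally means walking the bytecode for a const-string that feeds an invoke-* instruction, which is outside this example.

```python
import struct

def uleb128(buf, off):
    """Decode an unsigned LEB128 value; return (value, next_offset)."""
    val = shift = 0
    while True:
        b = buf[off]
        off += 1
        val |= (b & 0x7F) << shift
        if not b & 0x80:
            return val, off
        shift += 7

def parse_dex(buf):
    """Return (strings, methods) read from the string and method pools."""
    if len(buf) < 0x70 or buf[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    # Header stores each pool as a little-endian (count, offset) pair.
    s_n, s_off, t_n, t_off = struct.unpack_from("<4I", buf, 0x38)
    m_n, m_off = struct.unpack_from("<2I", buf, 0x58)
    strings = []
    for i in range(s_n):
        (data_off,) = struct.unpack_from("<I", buf, s_off + 4 * i)
        _, start = uleb128(buf, data_off)      # skip the utf16_size prefix
        end = buf.index(b"\0", start)          # data is NUL-terminated MUTF-8
        strings.append(buf[start:end].decode("utf-8", "replace"))
    # type_id_item is a single string index (the type descriptor).
    types = [strings[struct.unpack_from("<I", buf, t_off + 4 * i)[0]]
             for i in range(t_n)]
    methods = []
    for i in range(m_n):                       # method_id_item: class, proto, name
        cls, _proto, name = struct.unpack_from("<HHI", buf, m_off + 8 * i)
        methods.append(f"{types[cls]}->{strings[name]}")
    return strings, methods

def build_sample():
    """Constructed pools-only DEX blob (checksum, signature, code omitted)."""
    strs = [b"12345", b"Lcom/example/Sdk;", b"initWithApiKey"]
    s_off, t_off, m_off, d_off = 0x70, 0x7C, 0x80, 0x88
    data, offs = b"", []
    for s in strs:
        offs.append(d_off + len(data))
        data += bytes([len(s)]) + s + b"\0"
    hdr = bytearray(0x70)
    hdr[:8] = b"dex\n035\0"
    struct.pack_into("<4I", hdr, 0x38, len(strs), s_off, 1, t_off)
    struct.pack_into("<2I", hdr, 0x58, 1, m_off)
    ids = struct.pack("<3I", *offs) + struct.pack("<IHHI", 1, 0, 0, 2)
    return bytes(hdr) + ids + data
```

On a real APK, pass the bytes of the unzipped classes.dex to parse_dex() in place of build_sample().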

Re: Android apk file static analysis possibility

Post by backendbilly » Wed Sep 20, 2017 3:47 am

Don't neglect Frida (http://frida.re). I use it very frequently on both iOS and Android and it never failed me thus far. You can use it on jailbroken, non-jailbroken, rooted, and non-rooted phones. Give it a try.
backendbilly
Site Admin
 
Posts: 132
Joined: Fri May 29, 2015 5:58 pm

Re: Android apk file static analysis possibility

Post by Siguza » Wed Sep 20, 2017 7:38 am

JS injection on iOS in non-jailbroken mode works only on Apps specially built for it though (I mean, anything else would be a free sandbox escape, if not privilege escalation - and you're not just getting 0days like that :P).
Siguza
Unicorn
 
Posts: 159
Joined: Thu Jan 28, 2016 10:38 am

Re: Android apk file static analysis possibility

Post by backendbilly » Thu Sep 21, 2017 1:45 am

That's correct unless you go with J's advice and backport an app (stock app) with the necessary private DYLD shared cache. For all other apps, just use a jailbroken iOS 10 and inject.
backendbilly
Site Admin
 
Posts: 132
Joined: Fri May 29, 2015 5:58 pm

Re: Android apk file static analysis possibility

Post by Wingzero » Thu Sep 21, 2017 2:05 am

backendbilly wrote: That's correct unless you go with J's advice and backport an app (stock app) with the necessary private DYLD shared cache. For all other apps, just use a jailbroken iOS 10 and inject.

No offense but it's an Android question LOL
Wingzero
 
Posts: 34
Joined: Thu Jul 27, 2017 2:35 am

