[A]ndroid [A]pplication [P]entest [G]uide
1. MANUAL STATIC ANALYSIS

1.1 Decompile APK

1.1.1 UNZIP

Unzipping only unpacks the archive (an APK is a ZIP file); it does not decompile anything:

unzip app_name.apk
  • quick & dirty way

  • AndroidManifest.xml is not readable: it is stored as compiled binary XML (AXML), so you need apktool or jadx to decode it

  • however, the .dex files are extracted as-is and can be converted with d2j-dex2jar

  • certificates + signature files are available under META-INF/ (MANIFEST.MF, *.SF and *.RSA / *.DSA / *.EC)
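What a plain unzip does and does not give you can be checked from the magic bytes alone. The following is an added example, not code from the AAPG page: it builds a tiny constructed stand-in APK in memory (members are placeholders carrying only the magic bytes, not a real app), then inventories it the way the bullets above describe, confirming that the manifest is binary AXML, listing the .dex files with their format version, and collecting the META-INF signing files.

```python
"""APK triage after a plain unzip: what is readable and what is not.

Added example (not from the AAPG page). The sample APK is constructed
inline; only the magic bytes of each member are realistic.
"""
import io
import zipfile


def build_sample_apk() -> bytes:
    """Constructed stand-in APK: manifest, two dex files, v1 signing files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        # Compiled Android XML starts with chunk type 0x0003, header size 0x0008.
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + b"\x00" * 12)
        # A dex file starts with "dex\n" + 3-digit version + NUL.
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 24)
        z.writestr("classes2.dex", b"dex\n039\x00" + b"\x00" * 24)
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", b"\x30\x82")  # DER SEQUENCE start
        z.writestr("res/layout/main.xml", b"\x03\x00\x08\x00")
    return buf.getvalue()


def is_binary_axml(data: bytes) -> bool:
    """True for compiled (binary) Android XML, which unzip leaves unreadable."""
    return len(data) >= 4 and data[:4] == b"\x03\x00\x08\x00"


def dex_version(data: bytes):
    """Return the dex format version ('035', '039', ...) or None if not a dex."""
    if len(data) < 8 or data[:4] != b"dex\n" or data[7:8] != b"\x00":
        return None
    return data[4:7].decode("ascii")


def triage_apk(apk_bytes: bytes) -> dict:
    """Inventory an APK exactly as a quick unzip would expose it."""
    report = {"manifest_is_binary": None, "dex": {},
              "signing_files": [], "binary_xml": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            data = z.read(name)
            if name == "AndroidManifest.xml":
                report["manifest_is_binary"] = is_binary_axml(data)
            elif name.endswith(".dex"):
                report["dex"][name] = dex_version(data)
            elif (name.startswith("META-INF/")
                  and name.rsplit(".", 1)[-1] in ("MF", "SF", "RSA", "DSA", "EC")):
                report["signing_files"].append(name)
            elif name.endswith(".xml") and is_binary_axml(data):
                report["binary_xml"].append(name)
    return report


if __name__ == "__main__":
    r = triage_apk(build_sample_apk())
    print("manifest is binary AXML (decode with apktool/jadx):", r["manifest_is_binary"])
    print("dex files and versions (feed to d2j-dex2jar / jadx):", r["dex"])
    print("signing files available:", r["signing_files"])
    print("other compiled XML resources:", r["binary_xml"])
```

Point the same functions at a real APK by replacing `build_sample_apk()` with `open("app_name.apk", "rb").read()`; the checks are byte-level, so they work on the unextracted archive without any external tool.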

1.1.2 APKTOOL

disassembles the .dex files into .smali and decodes the resources (including AndroidManifest.xml)

apktool d path/to/your/app_name.apk

decodes everything except the .dex files (classes*.dex are copied unchanged instead of being disassembled to .smali)

apktool d --no-src app_name.apk

not everything ends up in the decoded tree: certificates + signature files are not decoded (apktool keeps a raw copy under original/META-INF/) and some other files may be missing

1.1.3 DEX2JAR

d2j-dex2jar app_name.apk

produces app_name-dex2jar.jar (open it with jd-gui) and, if some classes could not be converted, app_name-error.zip; only the code is converted, no resources

1.1.4 JADX (recommended)

jadx -d path/to/extract/ app_name.apk

or (w/ jadx deobfuscator)

jadx -d path/to/extract/ --deobf app_name.apk

or just a single .dex file

jadx -d path/to/extract/ classes.dex
  • .java files will be extracted to path/to/extract/sources/, everything else to path/to/extract/resources/

  • all resources are available (source code, certificates, decoded AndroidManifest.xml, ...)

1.1.5 DE-OBFUSCATION

jadx -d path/to/extract/ --deobf app_name.apk

or just a single .dex file

simplify -i file_name.smali -o class.dex
  • success is not guaranteed --> it only works reliably on lightly obfuscated code

  • to get the .smali files --> disassemble the APK with APKTOOL first (1.1.2)

1.1.6 XAMARIN

unzip the apk and retrieve the *.dll files (they sit under assemblies/)

7z e app_name.apk
  • 7z e drops the directory structure; use 7z x if you want to keep assemblies/ intact

  • Xamarin apps are written in C# and ship as .NET assemblies, so decompile them with a .NET decompiler (e.g. dnSpy on a Windows machine)

  • the main source code is in app_name.dll, but there are usually more assemblies worth looking at

  • caveat: release builds from newer Xamarin.Android versions store the DLLs LZ4-compressed (the file starts with XALZ instead of the PE magic MZ); decompress them before loading them in the decompiler
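Pulling the assemblies out and telling a loadable PE file from a compressed one can be scripted. The following is an added example, not code from the AAPG page: it constructs a stand-in Xamarin APK in memory, recognises it as Xamarin (assemblies/ directory or libmonodroid.so present), picks the assemblies/*.dll members, and classifies each as plain PE ("MZ") or XALZ-wrapped. The XALZ header layout used here (4-byte magic, uint32 descriptor index, uint32 uncompressed length, then the LZ4 block) is an assumption stated in the code; actual decompression needs an LZ4 library and is left out so the block stays stdlib-only.

```python
"""Find Xamarin .NET assemblies in an APK and flag LZ4-compressed ones.

Added example (not from the AAPG page). The sample APK is constructed
inline; the XALZ header layout below is assumed, not taken from the page.
"""
import io
import struct
import zipfile

XALZ_MAGIC = b"XALZ"


def build_sample_xamarin_apk() -> bytes:
    """Constructed stand-in Xamarin APK with one plain and one compressed DLL."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00")
        # Plain managed assembly: a PE file, magic "MZ".
        z.writestr("assemblies/Mono.Android.dll", b"MZ" + b"\x00" * 62)
        # Compressed assembly (assumed header): magic, descriptor index 7,
        # uncompressed length 4096, followed by an LZ4 block (placeholder bytes).
        z.writestr("assemblies/app_name.dll",
                   XALZ_MAGIC + struct.pack("<II", 7, 4096) + b"\x00LZ4")
        z.writestr("lib/arm64-v8a/libmonodroid.so", b"\x7fELF")
    return buf.getvalue()


def is_xamarin_apk(apk_bytes: bytes) -> bool:
    """Heuristic: an assemblies/ directory or the Mono runtime library."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
    return (any(n.startswith("assemblies/") for n in names)
            or any(n.endswith("/libmonodroid.so") for n in names))


def classify_assembly(data: bytes) -> dict:
    """Plain PE assembly (loadable by dnSpy as-is) vs XALZ-wrapped vs unknown."""
    if data[:2] == b"MZ":
        return {"kind": "pe", "uncompressed_length": len(data)}
    if data[:4] == XALZ_MAGIC and len(data) >= 12:
        # Assumed header: magic | uint32 descriptor index | uint32 uncompressed length
        descriptor_index, uncompressed_length = struct.unpack("<II", data[4:12])
        return {"kind": "xalz", "descriptor_index": descriptor_index,
                "uncompressed_length": uncompressed_length}
    return {"kind": "unknown", "uncompressed_length": len(data)}


def extract_assemblies(apk_bytes: bytes) -> dict:
    """Map each assemblies/*.dll member to its classification.

    Same selection as unzipping and picking the *.dll files, but the
    directory name is kept so same-named files cannot overwrite each other
    (which 7z e would do).
    """
    found = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("assemblies/") and name.endswith(".dll"):
                found[name] = classify_assembly(z.read(name))
    return found


if __name__ == "__main__":
    apk = build_sample_xamarin_apk()
    print("Xamarin app:", is_xamarin_apk(apk))
    for name, info in extract_assemblies(apk).items():
        print(name, info)
```

For a compressed assembly, the uncompressed length read from the header is what an LZ4 block decoder needs to inflate the payload that follows the 12-byte header; write the result to a .dll and the decompiler will load it.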


Last updated 5 years ago
