Reverse engineering and Static analysis for Mobile Pentesting

Reverse Engineering and Static Analysis

After conducting extensive research on Android penetration testing, reverse engineering, and static analysis, I came across that there are numerous powerful tools available for analysts to analyze Android applications.

• APKInspector – APKinspector is a powerful GUI tool for to analyze the Android applications.
• APKTool – A tool for reverse engineering 3rd party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them after making some modifications.

To disassemble an Android APK file, the following command can be used:

apktool d "apk file"

Rebuilding decoded resources back to binary APK/JAR with certificate signing

apktool b "modified folder"

keytool -genkey -v -keystore keys/test.keystore -alias Test -keyalg RSA -keysize 1024 -sigalg SHA1withRSA -validity 10000

jarsigner -keystore keys/test.keystore dist/test.apk -sigalg SHA1withRSA -digestalg SHA1 Test

Sign – Sign.jar automatically signs an apk with the Android test certificate.

Jadx – Dex to Java decompiler: Command line and GUI tools for produce Java source code from Android Dex and Apk files.

Oat2dex – A tool for converting .oat file to .dex files.

Deoptimize boot classes (The output will be in “odex” and “dex” folders)

java -jar oat2dex.jar boot "boot.oat file"

Deoptimize application

java -jar oat2dex.jar "app.odex" "boot-class-folder output from above"

Get odex from oat

java -jar oat2dex.jar odex "oat file"

Get odex smali (with optimized opcode) from oat/odex

java -jar oat2dex.jar smali "oat/odex file"

FindBugs + FindSecurityBugs – FindSecurityBugs is a extension for FindBugs which include security rules for Java applications.

Qark – This tool is designed to look for several security related Android application vulnerabilities, either in source code or packaged APKs.

SUPER – SUPER is a command-line application that can be used in Windows, MacOS X and Linux, that analyzes .apk files in search for vulnerabilities. It does this by decompressing APKs and applying a series of rules to detect those vulnerabilities.

AndroBugs – AndroBugs Framework is an efficient Android vulnerability scanner that helps developers or hackers find potential security vulnerabilities in Android applications. No need to install on Windows.

Simplify – A tool for de-obfuscating android package into Classes.dex which can be use Dex2jar and JD-GUI to extract contents of dex file.

simplify.jar -i "input smali files or folder" -o "output dex file"

ClassNameDeobfuscator – Simple script to parse through the .smali files produced by apktool and extract the .source annotation lines.

Android backup extractor – Utility to extract and repack Android backups created with adb backup (ICS+). Largely based on BackupManagerService.java from AOSP. Tip!! “adb backup” command can also be used for extracting application package with the following command:

adb backup "package name"

dd if=backup.ab bs=1 skip=24 | python -c "import zlib,sys;sys.stdout.write(zlib.decompress(sys.stdin.read()))" > backup.tar

So, there you have it folks! A bunch of tools and techniques for conducting Android app penetration testing, reverse engineering, and static analysis. These tools can help you get inside an app’s guts and find any security vulnerabilities lurking in there. But hey, don’t go crazy just yet! You need to know what you’re doing and have the right skills to use these tools effectively. Otherwise, you might end up breaking something important! Stay safe, stay crazy!