# Reverse Engineering Android APKs

![[cover_androidrev.png]]

```date
Date: 24 Jan 2023 12:00
```

This is a quick reference for how I usually approach reverse engineering Android apps for the purposes of research, pentesting, bug bounty, etc. I plan to write a more in-depth guide at some point in the future.

# Installing Tools

```
sudo pacman -S android-tools jdk-openjdk jre-openjdk
paru -S android-apktool-git apk-editor-studio-bin jadx-gui-desktop burpsuite frida-tools frida python-frida-tools
```

# Configuration & Optimization

```
# Android VM optimization (nested virtualization for the emulator)
sudo modprobe -r kvm_intel
sudo modprobe kvm_intel nested=1

# Confirm above optimization
grep -E --color=auto 'vmx|svm' /proc/cpuinfo

# Java VM optimization
sudo archlinux-java set java-18-openjdk
# Pick one heap limit for jadx/apktool; the second export overrides the first
export _JAVA_OPTIONS=-Xmx6G
export _JAVA_OPTIONS=-Xmx12G
```

# Pull APK file via ADB

```
# Find APK on device (or Android VM)
adb shell pm list packages | grep <APP_NAME>

# What is the path of the APK?
adb shell pm path <APP>

# Pull a copy locally
adb pull <PATH> .
```

# Decompile APK, Java Classes

```
apktool d <APP>.apk -o out/
jadx -d out classes.dex
```

# Recompile & Zip Align APK

```
apktool b out/ --use-aapt2 -o APP_patched.apk
# zipalign needs separate input and output files; align before signing,
# since aligning an already signed APK invalidates the signature
mv APP_patched.apk APP_unaligned.apk
zipalign -p 4 APP_unaligned.apk APP_patched.apk
```

# APK Signing

```
keytool -genkey -v -keystore release.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000
apksigner sign --ks release.keystore APP_patched.apk
```

# APK Install

```
adb install APP_patched.apk
```

# Make Android System Writable

```
# Emulator must have the following flag
emulator -writable-system -avd <AVD_NAME>

# Remount needs root on the device (adb root on a debug/non-Play-Store image)
adb shell mount -o rw,remount,rw /system
```

# Generate & Push Android System Root Cert

```
# Generate Cert (DER cert + PKCS#8 DER key, the pair Burp's CA import takes)
openssl req -x509 -days 730 -nodes -newkey rsa:2048 -outform der -keyout server.key -out ca.der -extensions v3_ca -config openssl.cnf
openssl rsa -in server.key -inform pem -out server.key.der -outform der
openssl pkcs8 -topk8 -in server.key.der -inform der -out server.key.pkcs8.der -outform der -nocrypt

# Android's cacerts store expects PEM, so convert the DER cert first
openssl x509 -inform der -in ca.der -out ca.pem

# Get <CERT_IDENTIFIER> (old-style subject hash; it is the filename Android looks up in cacerts)
openssl x509 -inform PEM -subject_hash_old -in ca.pem | head -1

# Push cert to Android system
adb push ca.pem /system/etc/security/cacerts/<CERT_IDENTIFIER>.0
```

# Frida SSL Unpinning

```
adb push frida-server-15.1.27-android-x86 /data/local/tmp/frida-server
adb shell "chmod 755 /data/local/tmp/frida-server"
adb shell "/data/local/tmp/frida-server &"
wget https://raw.githubusercontent.com/httptoolkit/frida-android-unpinning/main/frida-script.js
# -f spawns a single package (e.g. com.APP_NAME, or com.android.chrome to sanity-check the script)
frida --no-pause -U -l ./frida-script.js -f com.APP_NAME
```

# APK Logs

```
# Clear the log buffer before reproducing, so only fresh entries show up
adb logcat -c
```

`<3 m0x`

#notes #android #reversing
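The "Pull APK file via ADB" step above only pulls one path, but many apps ship as a base APK plus split APKs, and `apktool`/`jadx` only see the code and resources that you actually pulled. The script below is an added example (not part of the original notes, and not a tool from any of the projects listed): it parses the `pm path` output into one path per line, counts the splits, and pulls all of them into a per-package directory. It assumes `adb` is on `PATH` and a single device or emulator is connected; the sample `pm path` output in the test is constructed.

```shell
#!/bin/sh
# Added example: pull every APK that makes up a package (base + split APKs).
# Assumes `adb` is on PATH and exactly one device/emulator is attached.

# Turn raw `adb shell pm path <pkg>` output into one filesystem path per line.
# Each input line looks like "package:/data/app/~~x/com.example-1/base.apk";
# the "package:" prefix is stripped and any CR from adb's line endings removed.
parse_pm_paths() {
    tr -d '\r' | sed -n 's/^package://p'
}

# Number of APK files the package is split into (1 = monolithic APK).
count_splits() {
    parse_pm_paths | grep -c '\.apk$'
}

# Resolve a package name to its APK path(s) and pull each into OUT_DIR
# (defaults to ./<package name>). Prints the pulled files when done.
pull_apks() {
    pkg="$1"
    out_dir="${2:-./$pkg}"
    mkdir -p "$out_dir"
    adb shell pm path "$pkg" | parse_pm_paths | while IFS= read -r apk; do
        [ -n "$apk" ] || continue
        echo "pulling $apk"
        adb pull "$apk" "$out_dir/"
    done
    # base.apk is what apktool/jadx want first; split_config.*.apk files hold
    # ABI-specific native libs and density/locale resources
    ls -1 "$out_dir"
}

# Usage: ./pull_apks.sh com.example.app [output_dir]
if [ -n "${1:-}" ]; then
    pull_apks "$1" "${2:-}"
fi
```

Run it with the package name you found via `pm list packages`; if `count_splits` reports more than one file, decompile `base.apk` but keep the split APKs alongside it, since native libraries you may want to hook with Frida often live only in the `split_config.<abi>.apk`.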