This is a quick reference for how I usually approach reverse engineering Android apps for the purposes of research, pentesting, bug bounty, etc. I plan to write a more in-depth guide at some point in the future.

Installing Tools

# Arch repository packages: platform tools (adb lives in android-tools) and a JDK/JRE
sudo pacman -S \
  android-tools \
  jdk-openjdk \
  jre-openjdk

# AUR packages via paru: decompilers, an APK editor, the proxy and the Frida tooling
paru -S \
  android-apktool-git \
  apk-editor-studio-bin \
  jadx-gui-desktop \
  burpsuite \
  frida-tools \
  frida \
  python-frida-tools

Configuration & Optimization

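# Android VM optimization: reload the KVM module with nested virtualization
# enabled so an Android VM can itself use hardware virtualization.
# NOTE(review): kvm_intel is the Intel module; on AMD hosts the equivalent is kvm_amd.
sudo modprobe -r kvm_intel
sudo modprobe kvm_intel nested=1

# Confirm above optimization: the CPU must advertise vmx (Intel) or svm (AMD).
# NOTE(review): this only proves the CPU supports virtualization; whether nesting
# took effect is visible in /sys/module/kvm_intel/parameters/nested (expect Y or 1).
grep -E --color=auto 'vmx|svm' /proc/cpuinfo

# Java VM optimization: pick the JDK and give the Java-based tools (jadx, Burp, ...)
# a larger heap. Only one _JAVA_OPTIONS value can be in effect at a time; the
# original listed -Xmx6G and -Xmx12G back to back and the second silently replaced
# the first, so keep a single export and size it to the host's RAM.
# NOTE(review): java-18-openjdk must actually be installed; the install step above
# pulls jdk-openjdk, whose major version may differ — check `archlinux-java status`.
sudo archlinux-java set java-18-openjdk
export _JAVA_OPTIONS=-Xmx12G   # use -Xmx6G (or lower) on hosts with less memory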

Pull APK file via ADB

# Find APK on device (or Android VM): list installed packages and filter by name.
# Angle-bracket tokens on these lines are placeholders to replace by hand, not shell
# syntax (to a shell, <APP_NAME> reads as a pair of redirections).
adb shell pm list packages | grep <APP_NAME>

# What is the path of the APK? <APP> is the full package name from the previous
# step (pm prefixes each entry with "package:"; drop that prefix).
adb shell pm path <APP>

# Pull a copy locally: <PATH> is the on-device path printed by `pm path`, again
# without the "package:" prefix. Split APKs yield several paths; pull each one.
adb pull <PATH> .

Decompile APK, Java Classes

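# Decode the APK (resources, manifest, smali) with apktool into out/.
# Fixed: the original read "<APP>,apk" (comma), which names a file that does not exist.
apktool d <APP>.apk -o out/

# Decompile the Dalvik bytecode to Java sources with jadx for reading.
# NOTE(review): this writes into the same out/ tree apktool will later rebuild from;
# a separate output directory keeps the editable smali tree and the read-only Java
# view apart. classes.dex is assumed to have been extracted from the APK beforehand
# (apktool does not leave it in out/ by default); jadx also accepts the .apk directly.
jadx -d out classes.dex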

Recompile & Zip Align APK

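# Rebuild the (patched) decoded tree into an APK with the aapt2 resource compiler.
apktool b out/ --use-aapt2 -o APP_patched.apk

# Align the archive on 4-byte boundaries; -p additionally page-aligns uncompressed
# native libraries. zipalign cannot align in place — it needs a distinct output
# file — and "-b" is not one of its options, so the original line did not produce
# an aligned APK. Align to a temporary name and move it back so the signing step
# on this page still finds APP_patched.apk. Alignment must happen before signing,
# never after (signing after alignment is what apksigner expects).
zipalign -f -p 4 APP_patched.apk APP_patched.aligned.apk
mv -- APP_patched.aligned.apk APP_patched.apk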

APK Signing

# Create an RSA key pair in a new keystore; keytool prompts for the keystore and
# key passwords and the certificate's DN fields since none are passed here.
keytool -genkey -v \
  -keystore release.keystore \
  -alias alias_name \
  -keyalg RSA \
  -keysize 2048 \
  -validity 10000

# Sign the rebuilt (and already aligned) APK in place with that keystore.
# release.keystore now holds the signing key; treat it like any other private key.
apksigner sign --ks release.keystore APP_patched.apk

APK Install

# Install the rebuilt, aligned and signed APK onto the connected device/emulator.
# NOTE(review): if the same package is already installed under a different signing
# key (e.g. the store build), the install is rejected — uninstall that build first.
adb install APP_patched.apk

Make Android System Writable

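# Emulator must have the following flag, otherwise /system stays read-only
emulator -writable-system -avd <AVD_NAME>

# Remounting needs a root adb daemon: a plain `adb shell` runs as the unprivileged
# shell user and the mount call is refused. (The duplicate "rw" in the original
# mount options was harmless and is dropped.)
adb root
adb shell mount -o rw,remount /system
# NOTE(review): on recent system images (dm-verity, dynamic partitions) this mount
# may still fail; `adb remount` after `adb root` is the supported route there.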

Generate & Push Android System Root Cert

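# Generate Cert: a self-signed CA certificate (DER) plus its private key (PEM),
# using the v3_ca extensions from openssl.cnf so it is accepted as a CA.
openssl req -x509 -days 730 -nodes -newkey rsa:2048 -outform der -keyout server.key -out ca.der -extensions v3_ca -config openssl.cnf

# Key as DER and as unencrypted PKCS#8 DER — the forms a proxy import typically asks for.
# NOTE(review): which of the two the proxy actually needs depends on the proxy; confirm.
openssl rsa -in server.key -inform pem -out server.key.der -outform der
openssl pkcs8 -topk8 -in server.key.der -inform der -out server.key.pkcs8.der -outform der -nocrypt
# server.key is the CA's private key: whoever holds it can issue certificates this
# emulator image trusts, so treat it like any other CA key and remove it when done.

# Android's system store expects the certificate in PEM form. The original jumped
# from ca.der (DER) to a ca.cer that nothing had created and read it as PEM, so the
# hash and push steps could not work; convert explicitly so they have their input.
openssl x509 -inform der -in ca.der -outform pem -out ca.cer

# Get <CERT_IDENTIFIER>: Android looks the CA up by the old-style (MD5) subject
# hash, which is why -subject_hash_old and not -subject_hash is used here.
cert_identifier=$(openssl x509 -inform PEM -subject_hash_old -noout -in ca.cer)

# Push cert to Android system (needs the writable /system set up on this page)
adb push ca.cer "/system/etc/security/cacerts/${cert_identifier}.0"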

Frida SSL Unpinning

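# Push the frida-server binary to the device and start it in the background. The
# server's version and ABI must match the host's frida-tools and the device (here
# 15.1.27 / x86, i.e. an x86 AVD).
# NOTE(review): frida-server generally needs to run as root on the device; on an
# AVD that means `adb root` before this step.
adb push frida-server-15.1.27-android-x86 /data/local/tmp/frida-server
adb shell "chmod 755 /data/local/tmp/frida-server"
adb shell "/data/local/tmp/frida-server &"

# Fetch the unpinning script. This is code that will run inside the target process,
# so read it before loading it, and pin the URL to a reviewed commit hash instead
# of `main` so the content cannot change between fetches.
wget https://raw.githubusercontent.com/httptoolkit/frida-android-unpinning/main/frida-script.js

# Spawn the app (-f) over USB (-U) with the script loaded and resume it at once.
# -f takes exactly one package; the original line listed two (com.APP_NAME and
# com.android.chrome), and frida does not treat the second as another target —
# it appears to be handed to the spawned process as an argument. Run one target
# per invocation; com.android.chrome was presumably a second example.
# NOTE(review): --no-pause was removed in newer frida-tools (12+), where not
# pausing is the default; drop it if your version rejects the flag.
frida --no-pause -U -l ./frida-script.js -f com.APP_NAME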

APK Logs

# Clear the logcat buffer so only output from the run you are about to start shows up.
# NOTE(review): this only clears; follow it with `adb logcat` (filtered by the app's
# PID or tag) to actually read the app's log output.
adb logcat -c

<3 m0x