This is a quick reference for how I usually approach reverse engineering Android apps for research, pentesting, bug bounty, etc. I plan to write a more in-depth guide at some point in the future.
# Core tooling from the official repos: adb/fastboot plus a JDK/JRE for the Java-based tools
sudo pacman -S \
  android-tools \
  jdk-openjdk \
  jre-openjdk
# Remaining decompilation / instrumentation tools from the AUR (via paru)
paru -S \
  android-apktool-git \
  apk-editor-studio-bin \
  jadx-gui-desktop \
  burpsuite \
  frida-tools \
  frida \
  python-frida-tools
Configuration & Optimization
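# Android VM optimization: enable nested virtualization so an Android VM can itself use KVM.
# kvm_intel is only right for vmx-capable (Intel) CPUs; svm-capable (AMD) CPUs use kvm_amd.
if grep -qw vmx /proc/cpuinfo; then
  kvm_mod=kvm_intel
elif grep -qw svm /proc/cpuinfo; then
  kvm_mod=kvm_amd
else
  printf 'no hardware virtualization flag (vmx/svm) in /proc/cpuinfo\n' >&2
fi
# ${kvm_mod:?} refuses to run the commands when no module was selected above
sudo modprobe -r "${kvm_mod:?}"
sudo modprobe "${kvm_mod}" nested=1
# Confirm: the CPU advertises hardware virtualization, and nesting is now enabled on the module
# (the cpuinfo grep alone only proves the first part, not that nested=1 took effect)
grep -E --color=auto 'vmx|svm' /proc/cpuinfo
cat "/sys/module/${kvm_mod}/parameters/nested"
# Java VM optimization: select the JDK the Android tools should run under and enlarge the JVM heap.
# Only one -Xmx value can be in effect; setting 6G and then 12G just meant the later export won.
sudo archlinux-java set java-18-openjdk
export _JAVA_OPTIONS=-Xmx12G   # drop to -Xmx6G on hosts with less RAM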
Pull APK file via ADB
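# Find the package name on the device (or Android VM); pm accepts a substring filter directly
adb shell pm list packages <APP_NAME>
# Resolve the on-device APK path. pm prints "package:/path/to/base.apk" (one line per split APK),
# so strip the prefix and any CR that adb shell may add; head keeps only the base APK.
apk_path=$(adb shell pm path <APP> | tr -d '\r' | sed 's/^package://' | head -n 1)
# Pull a copy locally; ${apk_path:?} aborts instead of pulling an empty path
adb pull "${apk_path:?no APK path found for package}" .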
Decompile APK, Java Classes
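# Decompile resources + smali with apktool (note ".apk" — the original had a stray comma)
apktool d <APP>.apk -o out/
# Decompile Java source with jadx. jadx reads the APK directly, so classes.dex need not be unzipped first;
# write to a separate directory so the sources are not mixed into apktool's tree, which gets rebuilt later.
jadx -d jadx_out/ <APP>.apk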
Recompile & Zip Align APK
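# Rebuild the patched tree into an APK
apktool b out/ --use-aapt2 -o APP_patched.apk
# zipalign needs both an input and an output file (the original passed only one). Align through a
# temp file and move it back so the signing step keeps working on APP_patched.apk.
# -p page-aligns uncompressed .so entries, -f overwrites an existing output file.
zipalign -f -p 4 APP_patched.apk APP_patched.aligned.apk \
  && mv -- APP_patched.aligned.apk APP_patched.apk
# Verify alignment; exit status is non-zero if any entry is misaligned
zipalign -c -p 4 APP_patched.apk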
APK Signing
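# One-time: generate a self-signed signing key (keytool prompts for the keystore and key passwords)
keytool -genkey -v -keystore release.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000
# Sign in place. Run this after zipalign (apksigner preserves alignment, signing first would break it).
# --ks-key-alias is required as soon as the keystore holds more than one key, so pass it explicitly.
apksigner sign --ks release.keystore --ks-key-alias alias_name APP_patched.apk
# Confirm the signature verifies and which certificate was used
apksigner verify --print-certs APP_patched.apk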
APK Install
# Install the rebuilt, re-signed APK. If the original (differently signed) app is still installed,
# the install is typically rejected as an incompatible update — uninstall the original first.
apk=APP_patched.apk
adb install "$apk"
Make Android System Writable
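# Emulator must be started with -writable-system, otherwise /system stays read-only regardless of the remount
emulator -writable-system -avd <AVD_NAME>
# Remount /system read-write. The mount command needs a root shell, so restart adbd as root first;
# adb remount is the supported path on emulator images, the manual mount is the older equivalent
# (the original also listed "rw" twice in the option string).
adb root
adb remount || adb shell mount -o rw,remount /system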
Generate & Push Android System Root Cert
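# Generate CA cert + key. Keep the certificate in PEM (not DER): Android's system store expects PEM
# files, and the hash step below reads PEM too. The original wrote ca.der in DER but then read a
# non-existent ca.cer as PEM, so the two halves never matched.
openssl req -x509 -days 730 -nodes -newkey rsa:2048 -keyout server.key -out ca.pem -extensions v3_ca -config openssl.cnf
# DER and PKCS#8 copies of the private key for the intercepting proxy (unchanged from the original notes)
openssl rsa -in server.key -inform pem -out server.key.der -outform der
openssl pkcs8 -topk8 -in server.key.der -inform der -out server.key.pkcs8.der -outform der -nocrypt
# Android names system CA files by OpenSSL's "old" subject hash followed by ".0"; -noout keeps only the hash
cert_id=$(openssl x509 -inform PEM -subject_hash_old -noout -in ca.pem)
# Push into the system store (requires the writable /system from the previous section) and make it world-readable
adb push ca.pem "/system/etc/security/cacerts/${cert_id:?}.0"
adb shell chmod 644 "/system/etc/security/cacerts/${cert_id}.0"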
Frida SSL Unpinning
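# frida-server must match the host-side frida version exactly; check it with `frida --version`
frida_ver=15.1.27
adb push "frida-server-${frida_ver}-android-x86" /data/local/tmp/frida-server
adb shell "chmod 755 /data/local/tmp/frida-server"
# nohup plus redirected output so the server keeps running after this adb shell session ends
adb shell "nohup /data/local/tmp/frida-server >/dev/null 2>&1 &"
# Pin the third-party script to a reviewed commit rather than the moving "main" branch, and read it
# before loading it into the target — a branch can change under you between runs.
wget -O frida-script.js "https://raw.githubusercontent.com/httptoolkit/frida-android-unpinning/<COMMIT_SHA>/frida-script.js"
# Spawn one target package with the script loaded. -f takes a single package; the original passed two
# targets (com.APP_NAME and com.android.chrome). --no-pause is the frida 15 flag; newer releases
# changed spawn/resume handling, so check `frida --help` when upgrading.
frida --no-pause -U -l ./frida-script.js -f <PACKAGE_NAME>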
APK Logs