
Android Static Analysis - Part 1

We shall start with the tools first.

Gather all the necessary items now, so there is less painful waiting later.
I will probably add images for guidance from time to time.


What Do You Need?

  • A computer with Windows or GNU/Linux (I prefer Kali Linux and/or Ubuntu)
    • I don't use a Mac, so I have no idea about it at all
  • Android SDK installer
  • Genymotion Community Edition (the paid editions are shit expensive, yo!)
    • Make sure you download the build bundled with the VirtualBox installer, just in case
    • Not strictly needed for static analysis, but good to have; I will explain later.
  • Java 7 or Java 8 (OpenJDK is also fine)
  • Dex2Jar
  • APKTool
  • JD-GUI
  • To be updated later

My Setup 

Previously, I had a laptop with Kali Linux installed, with all of those tools downloaded and installed on it. Easy!

Then everything changed when the Fire Nation attacked. Well, the laptop died from overheating. So now I only have a work laptop, running Windows. So:
  • I installed VMware Workstation (VMware Player is also OK) on Windows.
  • Then installed Kali Linux in it.
  • Smali and APKTool come pre-installed in it.
  • I downloaded JD-GUI and Dex2Jar, and added them to the PATH in Kali Linux.
  • Downloaded JDK 7 and JRE 7 (version 8 can be used too: much patched, very secure, wow).
  • I configured the Android SDK on Windows (plus Android Studio).
  • Then installed 7-Zip.
  • To be updated later.

My Way of Doing Things (Based on My Setup)

To analyse a .apk file, one must first have the .apk file.
By the power of Googling, one can find many places to get it. Another way, if you have an Android emulator with Google Play installed, is to sign in and install the application.

Then, using the magic of ADB, pull it off the device:
adb pull /data/app/<packageName>/someAPKname.apk
The exact location under /data/app differs between Android versions, so check it on the device first. This gets you the .apk file for static analysis. It may not work on a real phone unless it is rooted: /data/app cannot be listed without root, although pulling a file whose exact path you already know usually works.
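As an added example (not part of the original post), here is the same pull done in a way that does not need root or a guessed path: `adb shell pm path <package>` prints the exact path of every APK the package manager installed for that package, including split APKs, and `adb pull` then fetches each one. The function names and the sample `pm path` output below are my own constructions.

```python
"""Added example (not from the original post): pull an app's APK(s) off a
device with adb. `adb shell pm path <pkg>` prints the exact file path(s),
so neither root nor a directory listing of /data/app is needed."""
from __future__ import annotations

import subprocess
from pathlib import Path

# Constructed sample of `adb shell pm path` output for an app shipped as
# split APKs; real output has the same "package:<path>" shape, one per line,
# and adb on Windows may end lines with CRLF.
SAMPLE_PM_OUTPUT = (
    "package:/data/app/com.example.app-1/base.apk\r\n"
    "package:/data/app/com.example.app-1/split_config.arm64_v8a.apk\r\n"
)


def parse_pm_path(output: str) -> list[str]:
    """Extract APK paths from `pm path` output; ignores error text."""
    paths = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            paths.append(line[len("package:"):])
    return paths


def adb(*args: str) -> str:
    """Run an adb command and return its stdout; raises on non-zero exit."""
    return subprocess.run(
        ["adb", *args], check=True, capture_output=True, text=True
    ).stdout


def pull_package_apks(package: str, dest: str | Path = "apks") -> list[Path]:
    """Pull base.apk and every split APK of `package` into dest/<package>/."""
    target = Path(dest) / package
    target.mkdir(parents=True, exist_ok=True)
    pulled: list[Path] = []
    for remote in parse_pm_path(adb("shell", "pm", "path", package)):
        # Keep the device-side file name: base.apk, split_config.*.apk, ...
        local = target / Path(remote).name
        adb("pull", remote, str(local))
        pulled.append(local)
    if not pulled:
        raise RuntimeError(f"{package}: pm path returned nothing (not installed?)")
    return pulled


if __name__ == "__main__":
    import sys
    for apk in pull_package_apks(sys.argv[1]):
        print(apk)
```

Usage: `python pull_apks.py com.example.app` with a device or emulator attached. Splits matter for static analysis because native libraries and resources are often only in the split APKs, not in base.apk.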

Then I open the .apk file using 7-Zip.
Right click > 7-Zip > Open Archive
Now you can see the contents of the .apk file. Basically, a .apk file is a ZIP archive containing several files (file-ception):
  • AndroidManifest.xml
  • META-INF
    • MANIFEST.MF
    • CERT.SF
    • CERT.RSA
  • classes.dex
  • res
    • drawable
      • *bunch of images used by the application
    • layout
      • main.xml
      • some other stuff
  • resources.arsc
*This basic .apk file structure may differ from what you find, mainly because different developers have different approaches. Larger apps carry more than one dex file (classes2.dex, classes3.dex, ...), and apps signed with the newer APK Signature Scheme v2/v3 keep that signature in an APK Signing Block outside the ZIP entries, so 7-Zip will not show it as a file.

My weirdest finding is a .apk file within a .apk file, and the file size was so freaking big.
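As an added example (not part of the original post), the following does in Python what 7-Zip shows interactively: it opens the .apk as the ZIP it is, picks out the manifest, dex files, resources and v1 signature files, and flags any entry that starts with the ZIP magic bytes regardless of its extension, which is how you catch the "apk inside an apk" case without trusting file names. The archive it inspects is constructed in memory with made-up contents; `inventory_apk` and the other names are my own.

```python
"""Added example, not from the original post: treat the .apk as the ZIP
archive it is and inventory it from Python. The archive below is
constructed in memory (names and contents are made up) so the code runs
without a real app."""
from __future__ import annotations

import io
import zipfile
from dataclasses import dataclass, field

# Every ZIP (so every APK or JAR) starts with a local file header.
ZIP_MAGIC = b"PK\x03\x04"
# Files that make up a v1 (JAR-style) signature under META-INF/.
SIGNATURE_SUFFIXES = ("MF", "SF", "RSA", "DSA", "EC")


@dataclass
class ApkInventory:
    has_manifest: bool = False
    has_resources_arsc: bool = False
    dex_files: list[str] = field(default_factory=list)
    signature_files: list[str] = field(default_factory=list)
    nested_archives: list[str] = field(default_factory=list)  # "file-ception"
    uncompressed_bytes: int = 0


def inventory_apk(data: bytes) -> ApkInventory:
    """Walk the ZIP central directory and classify each entry."""
    inv = ApkInventory()
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            name = info.filename
            inv.uncompressed_bytes += info.file_size
            if name == "AndroidManifest.xml":
                inv.has_manifest = True
            elif name == "resources.arsc":
                inv.has_resources_arsc = True
            elif name.startswith("classes") and name.endswith(".dex"):
                inv.dex_files.append(name)
            elif (name.startswith("META-INF/")
                  and name.rsplit(".", 1)[-1].upper() in SIGNATURE_SUFFIXES):
                inv.signature_files.append(name)
            elif not info.is_dir():
                # Don't trust the extension: an APK hidden in assets/ can be
                # called anything, but it still starts with the ZIP magic.
                with z.open(info) as fh:
                    if fh.read(len(ZIP_MAGIC)) == ZIP_MAGIC:
                        inv.nested_archives.append(name)
    return inv


def build_sample_apk() -> bytes:
    """Constructed stand-in for a real APK: the layout from the post plus a
    second (also constructed) APK embedded under assets/ with an odd name."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\0")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\0" + b"\0" * 4096)
        z.writestr("classes2.dex", b"dex\n035\0")  # multidex app
        z.writestr("resources.arsc", b"\x02\x00\x0c\x00")
        z.writestr("res/layout/main.xml", b"<LinearLayout/>")
        z.writestr("res/drawable/icon.png", b"\x89PNG\r\n\x1a\n")
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", b"\x30\x82")  # start of a DER PKCS#7 blob
        z.writestr("assets/payload.bin", inner.getvalue())  # nested APK
    return outer.getvalue()


if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_apk()
    print(inventory_apk(raw))
```

Run it against a real file with `python apk_inventory.py base.apk`; with no argument it inspects the constructed sample. A nested archive under assets/ or res/raw/ is worth pulling out and inventorying the same way, since that is where a dropper or plugin framework keeps the code that matters.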

To be continued in Part 2

