Static Analysis for Android and iOS

Penetration Testing Wiki

Learn how to analyze and bypass security for APK and IPA files.

Frameworks

APKInspector

APKInspector is a GUI tool for analyzing Android applications.

APKTool

Tool for reverse engineering third-party, closed, binary Android apps. It decodes resources to nearly original form and rebuilds them after modifications.

To decompile:

apktool d package.apk

To build after the modifications:

apktool b package

Sign an apk

Recompile APK:

apktool b decompiled/apk/directory -o app-patched.apk

Zipalign the APK (do this before signing: v2/v3 signatures cover the whole archive, so aligning afterwards would invalidate them):

zipalign -p 4 app-patched.apk app-aligned.apk

Sign the APK with the Android debug key (keystore password: android):

apksigner sign --ks ~/.android/debug.keystore app-aligned.apk

If you don't have Android Studio installed there is no ~/.android/debug.keystore, so create your own key with keytool (part of the JDK) and sign with that; apksigner itself ships with the Android SDK build-tools:

Create a signing key

keytool -genkey -v -keystore my-release-key.jks -keyalg RSA -keysize 2048 -validity 10000 -alias my-alias

Sign the APK:

apksigner sign --ks my-release-key.jks app-aligned.apk

Androguard

Androguard is a Python tool and library for analyzing Android files (APK, DEX, binary XML and resources).

For decoding Android XML (AXML):

androguard axml res/xml/network_security_config.xml

For decoding resources.arsc:

androguard arsc resources.arsc

Mobile Security Framework – MobSF

Mobile Security Framework is an all-in-one open-source automated mobile application (Android/iOS) pentesting framework that performs static and dynamic analysis. Current releases are installed with the repository's setup.sh and started with run.sh; the manual steps below are the older equivalent.

git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
cd Mobile-Security-Framework-MobSF
pip install -r requirements.txt
python manage.py runserver

or using Docker:

docker pull opensecurity/mobile-security-framework-mobsf
docker run -it -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest
firefox http://localhost:8000

Reverse Engineering

.smali reverse engineering tools

  • baksmali
  • smali

Steps:

  1. Unzip

unzip test.apk

  2. Baksmali (disassemble the DEX to smali; current releases take the d subcommand)

baksmali d classes.dex -o smaliClasses

  3. Smali (reassemble after editing; the a subcommand)

smali a smaliClasses -o classes.dex

  4. Zip -r (rebuild the archive under a new name: zip updates an existing archive in place, which would keep the original's META-INF/ and its stale signature; include every directory the original had, e.g. lib/ and assets/)

zip -r test-rebuilt.apk AndroidManifest.xml classes.dex res/ resources.arsc

  5. Jarsign

java -jar signapk.jar testkey.x509.pem testkey.pk8 test-rebuilt.apk test-patched.apk

  6. Zipalign

zipalign -v 4 test-patched.apk final-apk.apk

Aligning after signing is only valid for a v1 (JAR) signature, which covers the entries but not the archive layout. If your signapk build also emits a v2 signature, or you sign with apksigner, align first and sign last, as in the apktool flow above.
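The rebuild, sign and align steps above (the apktool/apksigner flow under "Sign an apk" and the zip/signapk flow here) produce a file worth checking before it goes onto a device. The following is an added example, not code from apktool, apksigner or zipalign: it reads the archive with the Python standard library and reports which signature schemes are present, which stored entries zipalign would still have to fix, and which DEX files and native ABIs the package carries. build_sample_apk and inject_signing_block construct sample data so it runs offline; the "signing block" they add is an empty container, not a real signature. Run it as python apk_check.py app-aligned.apk on a real file (the script name is my own).

```python
"""Container-level checks on a rebuilt APK: signature schemes present, zipalign
status and contents. Added example using only the standard library; it is not
apksigner or zipalign code, but reproduces the checks `zipalign -c 4` and
`apksigner verify` make at the zip level. A JAR (v1) signature lives in
META-INF/*.RSA|DSA|EC; v2/v3 signatures live in an APK Signing Block whose
16-byte magic 'APK Sig Block 42' sits immediately before the central directory."""
import io
import struct
import sys
import zipfile

SIG_BLOCK_MAGIC = b"APK Sig Block 42"
EOCD_SIG = b"PK\x05\x06"


def _central_dir_offset(data):
    """Parse the End Of Central Directory record for the central directory offset."""
    idx = data.rfind(EOCD_SIG)
    if idx < 0:
        raise ValueError("not a zip archive: no EOCD record")
    return struct.unpack_from("<I", data, idx + 16)[0]


def signature_schemes(data):
    """Set of schemes found: 'v1' (JAR signature files) and/or 'v2+' (signing block)."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
    if any(n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC")) for n in names):
        found.add("v1")
    cd = _central_dir_offset(data)
    if cd >= 16 and data[cd - 16:cd] == SIG_BLOCK_MAGIC:
        found.add("v2+")
    return found


def misaligned_entries(data, alignment=4):
    """Stored (uncompressed) entries whose data is not on a 4-byte boundary; zipalign fixes these."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.compress_type != zipfile.ZIP_STORED:
                continue
            # local file header is 30 bytes; name and extra lengths sit at +26 and +28
            name_len, extra_len = struct.unpack_from("<HH", data, info.header_offset + 26)
            if (info.header_offset + 30 + name_len + extra_len) % alignment:
                bad.append(info.filename)
    return bad


def inventory(data):
    """DEX files and native ABI directories (tells you which lib/<abi>/ to pull)."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
    return {"dex": sorted(n for n in names if n.startswith("classes") and n.endswith(".dex")),
            "abis": sorted({n.split("/")[1] for n in names if n.startswith("lib/") and n.count("/") >= 2})}


def report(data):
    """Summary to eyeball after apktool b / zipalign / apksigner (or the zip / signapk flow)."""
    return {"signatures": signature_schemes(data), "misaligned": misaligned_entries(data), **inventory(data)}


# --- constructed samples standing in for a real rebuilt APK (not from any real app) ---

def build_sample_apk(v1=False, aligned=True):
    """Tiny APK-like zip; when aligned, the local extra field is padded the way zipalign does."""
    entries = [("AndroidManifest.xml", b"\x03\x00\x08\x00" + b"\x00" * 12),
               ("classes.dex", b"dex\n035\x00" + b"\x00" * 8),
               ("lib/arm64-v8a/libil2cpp.so", b"\x7fELF" + b"\x00" * 12),
               ("resources.arsc", b"\x02\x00\x0c\x00" + b"\x00" * 8)]
    buf, offset = io.BytesIO(), 0
    with zipfile.ZipFile(buf, "w") as z:
        for name, payload in entries:
            zi = zipfile.ZipInfo(name)  # ZIP_STORED by default; no data descriptor on a seekable stream
            if aligned:
                zi.extra = b"\x00" * (-(offset + 30 + len(name)) % 4)
            z.writestr(zi, payload)
            offset += 30 + len(name) + len(zi.extra) + len(payload)
        if v1:  # JAR-signature file; compressed entries need no alignment
            z.writestr(zipfile.ZipInfo("META-INF/CERT.RSA"), b"\x30\x82\x01\x00",
                       compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def inject_signing_block(data):
    """Insert an EMPTY APK Signing Block (container only, no signer, so not a valid signature)
    before the central directory, purely to exercise the v2+ detection offline."""
    cd = _central_dir_offset(data)
    size = 8 + 16  # no ID-value pairs: trailing size field + magic only
    block = struct.pack("<Q", size) + struct.pack("<Q", size) + SIG_BLOCK_MAGIC
    out = data[:cd] + block + data[cd:]
    eocd = out.rfind(EOCD_SIG)
    return out[:eocd + 16] + struct.pack("<I", cd + len(block)) + out[eocd + 20:]


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_apk(v1=True)
    print(report(blob))
```

A rebuilt APK that shows only "v1" and a non-empty misaligned list is the typical output of the zip/signapk flow before step 6; after zipalign the list should be empty, and after apksigner the "v2+" entry should appear. The alignment rule is the same one zipalign -c 4 applies: only stored entries matter, because the runtime mmaps those directly out of the archive.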

Android apk reverse engineering

After unzipping the APK, convert each Dalvik classes*.dex file to a JAR:

d2j-dex2jar -f classes.dex

The resulting JAR can be decompiled straight to Java source with JD-GUI:

java -jar jd-gui/build/install/jd-gui-osx/JD-GUI.app/Contents/Resources/Java/jd-gui-1.4.0.jar $FILE.jar

Android:allowBackup

If the manifest has android:allowBackup="true" (also the effective value when the attribute is absent), the app's private data can be pulled with adb backup without root. For apps targeting Android 12 (API 31) or higher, adb backup leaves app data out unless the app is debuggable.

curl -L https://github.com/nelenkov/android-backup-extractor/releases/download/20181012025725-d750899/abe-all.jar -o abe.jar
adb backup -apk -f out.ab $PACKAGE
java -jar abe.jar unpack out.ab out.tar
tar xvf out.tar

Unity Engine Reverse Engineering

Download https://github.com/Perfare/Il2CppDumper (Unity IL2CPP reverse engineering tool)

apktool d package.apk
copy package\lib\armeabi-v7a\libil2cpp.so .
copy package\assets\bin\Data\Managed\Metadata\global-metadata.dat .
Il2CppDumper.exe libil2cpp.so global-metadata.dat package_re\

Pick the lib\<abi>\ directory the APK actually ships (many current builds contain only arm64-v8a). Then open package_re\DummyDll\Assembly-CSharp.dll with dnSpy: the dummy DLLs carry the type and method names but no method bodies, which remain native code in libil2cpp.so; the scripts Il2CppDumper generates apply those names inside IDA or Ghidra.

iOS Reverse Engineering

To reverse engineer IPA files use Hopper: https://www.hopperapp.com/ (Hopper Disassembler lets you disassemble, decompile and debug applications). Binaries pulled from the App Store are FairPlay-encrypted and must be decrypted on a jailbroken device first, or the disassembler only sees ciphertext.

Alternatively, the Veracode iRET framework: https://www.veracode.com/blog/2014/03/introducing-the-ios-reverse-engineering-toolkit

AndroidManifest.xml Analysis

You can always exclude a task from the Recents screen entirely by setting the <activity> attribute, android:excludeFromRecents to true.

Source: https://developer.android.com/guide/components/activities/recents
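The attributes a manifest review looks for (allowBackup, debuggable, cleartext traffic, exported components with no permission, and the excludeFromRecents flag above) can be checked mechanically on the XML that apktool d writes. The following is an added example, not apktool's or androguard's code; it embeds a constructed weak manifest and a hardened version of the same app (the package com.example.target and its components are made up) and applies the pre-targetSdk-31 implicit-export rule, so for an app targeting API 31 or later treat the "implicitly" findings as informational.

```python
"""Triage of a decoded AndroidManifest.xml (the plain XML that `apktool d` writes).
Added example for this page, not code from apktool or androguard. The rules encode
documented manifest semantics: android:allowBackup defaults to true; a component
that declares an <intent-filter> is exported when android:exported is absent (the
implicit rule that applied before targetSdk 31 made the attribute mandatory); an
exported component with no android:permission is callable by any app on the device."""
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")
PERMISSION_ATTRS = ("permission", "readPermission", "writePermission")


def _attr(elem, name, default=None):
    """Read an android:-namespaced attribute."""
    return elem.get("{%s}%s" % (ANDROID_NS, name), default)


def _is_launcher(component):
    """MAIN/LAUNCHER activities are meant to be exported, so they are not reported."""
    return any(_attr(c, "name") == "android.intent.category.LAUNCHER"
               for f in component.findall("intent-filter") for c in f.findall("category"))


def triage_manifest(xml_text):
    """Return a list of {check, target, detail} dicts for the security-relevant settings."""
    root = ET.fromstring(xml_text.strip())
    app = root.find("application")
    if app is None:
        return [{"check": "no-application", "target": "manifest", "detail": "no <application> element"}]
    findings = []

    def add(check, target, detail):
        findings.append({"check": check, "target": target, "detail": detail})

    if _attr(app, "allowBackup", "true").lower() == "true":
        add("allowBackup", "application", "allowBackup true or absent: private data is recoverable with adb backup")
    if _attr(app, "debuggable", "false").lower() == "true":
        add("debuggable", "application", "debuggable build: run-as and debugger attach work on the device")
    if _attr(app, "usesCleartextTraffic", "false").lower() == "true":
        add("cleartext", "application", "cleartext HTTP allowed; also read res/xml/network_security_config.xml")

    for tag in COMPONENTS:
        for comp in app.findall(tag):
            name = _attr(comp, "name", "?")
            exported = _attr(comp, "exported")
            if exported is None:  # implicit rule: exported iff an intent-filter exists
                is_exported, how = comp.find("intent-filter") is not None, "implicitly"
            else:
                is_exported, how = exported.lower() == "true", "explicitly"
            protected = any(_attr(comp, p) is not None for p in PERMISSION_ATTRS)
            if is_exported and not protected and not _is_launcher(comp):
                add("exported-no-permission", name, "%s %s is %s exported with no permission" % (tag, name, how))
            if tag == "activity" and _attr(comp, "excludeFromRecents", "false").lower() == "true":
                add("excludeFromRecents", name, "activity is hidden from the Recents screen")
    return findings


# Constructed samples for a made-up package com.example.target (not from any real app).
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.target">
  <application android:label="Target" android:debuggable="true" android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:excludeFromRecents="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="target"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"/>
    <provider android:name=".DataProvider" android:authorities="com.example.target.data"
              android:exported="true" android:permission="com.example.target.READ"/>
    <receiver android:name=".BootReceiver" android:exported="false"/>
  </application>
</manifest>"""

# The same app with the weak settings corrected: every component states android:exported.
HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.target">
  <application android:label="Target" android:allowBackup="false">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity" android:exported="true" android:permission="com.example.target.OPEN"/>
    <service android:name=".SyncService" android:exported="false"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_MANIFEST
    for f in triage_manifest(text):
        print("%-24s %-18s %s" % (f["check"], f["target"], f["detail"]))
```

Point it at the decoded manifest (python manifest_triage.py package/AndroidManifest.xml; the script name is my own). On the weak sample it reports six findings, among them the deep-link activity that is exported only because it carries an intent-filter; the hardened sample yields none. The DataProvider is not reported because it is guarded by android:permission, which is the right fix when a component genuinely has to be exported.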

Other useful resources inside the apk file:

  • res/values/strings.xml