Android Application Security Assessments - Part 5: Reverse Engineering The .apk File
There are times in security engagements when having an application’s source code can make your life infinitely easier. Fortunately, there are publicly available tools to make this a painless process.
If you you are looking for how to install apps into your environment, take a look here, or check here for a list of all the previous entries in this series.
Convert The Android Application Package File (.apk) File To A Java Archive (.jar)
Remember that copy of the .apk file that our project team gave us (or that we downloaded from the Marketplace)? You are going to need that.
The Android .apk file is essentially a compressed file, containing the manifest file, certificates, resources, assets and the program code, compiled in the Dalvik Executable (.dex) format.
Converting your target .apk file into a .jar file is pretty simple.
- Download dex2jar, a tool for converting Android's .dex format to Java's .jar format.
- Run the following command:
a. Linux: $ ./dex2jar targetfile.apk
b. Windows: C:\>dex2jar targetfile.apk
The above assumes that you are in the directory containing dex2jar, or that dex2jar is included in your PATH
You should now see your Java Archive of your target file in the dex2jar folder. Almost there…
Convert the Java Archive (.jar) to Java (.java) files
- Uncompress your .jar file to a new project folder:
a. Linux: $ jar xf targetfile_dex2jar.jar
b. Window: Right-Click targetfile_dex2jar.jar and select ‘Open With’ > ‘WinZip’ (or your personal favorite file archive utility).
- Convert your .jar file to .java files
a. Linux: $./jad -r -sjava -dproject_folder project_folder/**/*.class
b. Windows: C:\>jad -r -sjava -dproject_folder project_folder/**/*.class
i.The above assumes that you are in the directory containing jad, or that jad is included in your PATH
ii.I would be remiss if I did not point out JadClipse, an Eclipse plug-in for Jad.
You now have the source code for your target application. From here you can perform a code and configuration review or use your favorite source code security tool.
Next we will will conclude this series with some additional tools and tips for your Android Assessments.
About What's@Stake
This is where you will find thought leadership in the areas of Security Strategy and Security Assessment by Symantec’s Security Business Practice. Through the acquisition of @stake in late 2004, Symantec has become the leader in third-party security assessment services such as Penetration Testing, Vulnerability Assessment, and Security Program Assessment. Now combined with a premiere team of CISO-level Security Strategists, this team offers their insights on the latest security trends, strategies to address them, and the latest research on the vulnerabilities and attack methods used in their assessments.
Frequently Used Documents
PCI Assessment Services
Penetration Testing and Vulnerability Assessment Services
Mobile Security Assessment Services
Security Program Assessment
Comments 4 Comments • Jump to latest comment
Hi while using jad, got below errors
You could try apktool.
http://code.google.com/p/android-apktool/
hi
Before you even think of opening a file extension you should search for a file extension resource first. You need to understand what it does exactly so you can properly open it in a safe environment. Before I opened my .apk file extension, I've read this resource artile on it to know what I am dealing with : http://dotwhat.net/apk/9197/
Would you like to reply?
Login or Register to post your comment.