Android Application Security Assessments - Part 5: Reverse Engineering The .apk File
There are times in security engagements when having an application’s source code can make your life infinitely easier. Fortunately, there are publicly available tools to make this a painless process.
Convert The Android Application Package (.apk) File To A Java Archive (.jar)
Remember that copy of the .apk file that our project team gave us (or that we downloaded from the Marketplace)? You are going to need that.
The Android .apk file is essentially a compressed file, containing the manifest file, certificates, resources, assets and the program code, compiled in the Dalvik Executable (.dex) format.
Converting your target .apk file into a .jar file is pretty simple.
- Download dex2jar, a tool for converting Android's .dex format to Java's .jar format.
- Run the following command:
a. Linux: $ ./dex2jar targetfile.apk
b. Windows: C:\>dex2jar targetfile.apk
The above assumes that you are in the directory containing dex2jar, or that dex2jar is included in your PATH.
You should now see your Java Archive of your target file in the dex2jar folder. Almost there…
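Before running dex2jar, it is worth confirming what the archive actually holds. The following Python script, added here as an example and not part of the original post or the dex2jar project, opens the .apk as the compressed file described above, lists its entries, and verifies the classes.dex header (magic bytes, Adler-32 checksum and SHA-1 signature), so a corrupted or repackaged dex is caught before you decompile it. The sample .apk is constructed in memory with placeholder manifest and certificate entries and a header-only dex; no real application is used.

```python
import hashlib
import io
import struct
import zipfile
import zlib

DEX_MAGIC = b"dex\n035\0"  # magic bytes of a DEX file, format version 035

def build_sample_apk() -> bytes:
    """Constructed sample: a minimal .apk (a zip) with placeholder manifest and
    certificate entries and a 112-byte classes.dex header, not a real app."""
    header = bytearray(0x70)                            # header_size is 0x70
    header[0:8] = DEX_MAGIC
    struct.pack_into("<I", header, 0x20, len(header))  # file_size
    struct.pack_into("<I", header, 0x24, 0x70)         # header_size
    struct.pack_into("<I", header, 0x28, 0x12345678)   # endian_tag (little-endian)
    # signature: SHA-1 of everything after the signature field (offset 0x20 on)
    header[0x0C:0x20] = hashlib.sha1(header[0x20:]).digest()
    # checksum: Adler-32 of everything after the checksum field (offset 0x0C on)
    struct.pack_into("<I", header, 0x08, zlib.adler32(bytes(header[0x0C:])) & 0xFFFFFFFF)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<constructed placeholder/>")
        z.writestr("META-INF/CERT.RSA", b"constructed certificate placeholder")
        z.writestr("classes.dex", bytes(header))
    return buf.getvalue()

def inspect_apk(apk_bytes: bytes) -> dict:
    """List the archive entries and verify the classes.dex header (magic,
    Adler-32 checksum, SHA-1 signature) before handing the file to dex2jar."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        entries = z.namelist()
        dex = z.read("classes.dex")
    return {
        "entries": entries,
        "dex_magic_ok": dex[:8] == DEX_MAGIC,
        "dex_checksum_ok": struct.unpack_from("<I", dex, 0x08)[0] == (zlib.adler32(dex[0x0C:]) & 0xFFFFFFFF),
        "dex_signature_ok": dex[0x0C:0x20] == hashlib.sha1(dex[0x20:]).digest(),
    }

def tamper_dex(apk_bytes: bytes, offset: int = 0x50) -> bytes:
    """Repackage the apk with one byte of classes.dex flipped, to exercise the checks."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for name in src.namelist():
            data = bytearray(src.read(name))
            if name == "classes.dex":
                data[offset] ^= 0xFF
            dst.writestr(name, bytes(data))
    return out.getvalue()
```

Run `inspect_apk` on a real .apk read from disk; a dex that fails the checksum or signature check is not the file the developer shipped, and dex2jar output from it should be treated accordingly.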
Convert the Java Archive (.jar) to Java (.java) files
- Uncompress your .jar file to a new project folder:
a. Linux: $ jar xf targetfile_dex2jar.jar
b. Windows: Right-Click targetfile_dex2jar.jar and select ‘Open With’ > ‘WinZip’ (or your personal favorite file archive utility).
- Convert your .jar file to .java files
a. Linux: $ ./jad -r -sjava -dproject_folder project_folder/**/*.class
b. Windows: C:\>jad -r -sjava -dproject_folder project_folder/**/*.class
i. The above assumes that you are in the directory containing jad, or that jad is included in your PATH.
ii. I would be remiss if I did not point out JadClipse, an Eclipse plug-in for Jad.
You now have the source code for your target application. From here you can perform a code and configuration review or use your favorite source code security tool.
Next, we will conclude this series with some additional tools and tips for your Android assessments.