Yes, hacking your app is THAT easy! - Part 5 (Android Source Code Analysis)

In Part 1 we looked at Android File System Analysis.  We saw how to backup an app using adb, unpack it using abe, then I left it to you to analyze the file system.  We also saw how to repack and restore to your device.  

In part 2, we looked at iOS File System Analysis.  Using a tool, we essentially did the same as in part 1, by pulling out the files from the file system and analyzing them.

Now in part 5 we will look at parsing through the Android source code for apps to determine if the permissions they are requesting are being used maliciously or for other purposes.

  • Yes, hacking your app is THAT easy! - Part 3 (Android Network Analysis)
  • Yes, hacking your app is THAT easy! - Part 4 (iOS Network Analysis)
  • Yes, hacking your app is THAT easy! - Part 6 (iOS Source Code Analysis)

First off, yes I am aware that I did not post parts 3 and 4 yet.  I am working on those, but I needed to do some source code analysis on Android so I decided to write this up first.

With Android's openness and the fact that Android uses a similar architecture for apps to Java, reviewing the source code on Android is quite easy.  Analyzing takes some work.  

First, we need some tools.
Once you download the tools, place them into a common folder and extract them.  (Install 7Zip)

One of the first things we want to do is look at the Android Manifest file.  This file is used by Android to look at what permissions are requested by the app.  The contents of this file will become helpful in a later step.  The problem is that we need to first get to the manifest file, and decrypt it.  Luckily, that is what our APK Parser is for. 

To start, fire up a command prompt and navigate to the folder where you placed the tools.  Then, run the command:  java -jar APKParser.jar <APK file>  

As an example, I am analyzing the app Money Manager Expense & Budget** (Play Link).  I download the apk file from the link above and save with the rest of my tools.

**I do not recommend using this app, I am just using it for the purposes of this analysis.


You will notice I added in the "> moneymanager.xml"  This, for those that do not know, will redirect output to a file.  This way we can open in Notepad++ or another text editor to review later.

Looking at this file we see that the app requires many different permissions:

CHECK_LICENSE

WRITE_EXTERNAL_STORAGE
INTERNET
READ_PHONE_STATE
SEND_MAIL
READ_SMS
READ_MMS
RECEIVE_MMS
RECEIVE_WAP_PUSH
RECEIVE_SMS
GET_TASKS
RECEIVE_BOOT_COMPLETED
READ_EXTERNAL_STORAGE
ACCESS_NETWORK_STATE
ACCESS_WIFI_STATE
WAKE_LOCK
BILLING

Some of these look a little sensitive, but who knows what they are used for.  That's what we want to find out.

Next we want to convert the classes.dex file (The java-like app code file) to a jar file so we can decompile and see the source.  First, we need to extract the .apk file to view the .dex file.  An apk file is similar to a zip file so using 7Zip we can extract the contents.  Then, we can use our DEX2JAR tool to convert the dex file to a jar file.  To do so, run the command d2j-dex2jar.bat <path to classes.dex>\classes.dex.


This will create a file where you ran from called classes-dex2jar.jar.  You may want to rename this file to the app name to make it easier for you.  

Now that we have a jar file, we can use JDGui to decompile and show us the source.  So fire up JD-Gui.exe and open the classes-dex2jar.jar (or if you renamed, that file).  


Now we can perform a search or manually look through the code.  Using Ctrl + Shift + S will bring up the search dialog.  Check all the boxes and type in your search.  Since our app has SMS permissions, why not search for 'sms'? (Note:  The search IS case-sensitive.  If you are not finding what you are looking for, try changing the case!)


Then you can click through the sections that show up and look at the code.  This portion of the code has some sms functionality in it.  


Analyzing the source code does not require you to be an expert in the Java language, and even if you do not  fully understand everything that is going on, you can at least see if there is anything suspect going on.  

Why not take your favorite app, and see what you can find in the code.  You might be surprised!  Happy Hacking!

Popular Posts