What’s an APK file?
Android
application package (APK) is the package file format to install application
software on Google’s Android operating systems. APKs are similar to installers
where code is first compiled and its parts are packaged into one file. An APK
file contains program’s code (*.dex files), manifest file, resources, assets
and certificates.
Organized Structure of APK File
The
file structure of an APK file looks as below:
Specific
files related to the app like fonts, 3rd party SDKs and integration
of it can be found in com folder.
Manifest file
An
Android app must have “AndroidManfiest.xml” file in APK’s root folder as seen
in the file structure above. It includes permissions needed by the app while it
is installed on the device, activities and other details. There are Android apps
which helps to view manifest of an installed app. Manifest file can also be
parsed and read from APK file using appropriate tools (listed in Appendix).
Dex (Dalvik Executable)
Android
apps are written in Java and executed in DVM (Dalvik Virtual Machine). This is
different from JVM (Java Virtual Machine).
DVM is built for Android OS. The
Java bytecode is transformed into DVM bytecode and stored as .dex (Dalvik
Executable) and .odex (Optimized Dalvik Executable) files. The terms odex and
deodex is associated with Dalvik bytecode operations.
When Java
compiler has produced JVM bytecode, Dalvik compiler deletes .class files and
recompiles them into Dalvik bytecode. After this, Dalvik compiler merges this
into one .dex file. During this process, interpretation, translation and
reconstruction happens in class definitions, function code executed by target
VM, method names, reference names, etc.
There is a limitation on what .dex file can include and how
much it can. Due to this, APK can have one .dex file or more than one .dex file
associated with it.
A hint about this limit can be obtained from the JAR obtained
during conversion of .dex to JAR and viewing in JAVA decompiler. This tells
about the complexity of the app and how to plan tests across multiple .dex
files associated with the app for better coverage. With Android 5.0’s ART, dex
file is converted to OAT file in this way è Java -> Class à Dexà OAT. Analysis of this can lead to devising better
tests.
JAR Decompilation
JAR
file contents can be viewed using Java decompiler. Usually, the decompiled content in bytecode
will be obfuscated by programmers. This gives visibility into classes and
methods. While this does not comprise entire source code, it does provide hints
with respect to the business logic used in programming the app. Reading through
source code surely helps testers to identify what tests can be done and what
recommendations can be given to the development team.
If
the code is not obfuscated, it has to be brought to the attention of product
owners and programmers. Obfuscation is
possible using tools like ProGuard and DexGuard.
Key Tests to be performed on a
decompiled JAR file
1. Readable Business Logic
Presence
of obfuscated code indicates the developer may have put some security mechanism
in place. If
the code is in plain text format, it means the code is readable and
understandable to an extent, providing visibility to compiled functions and
classes. Some part of this code might be patented already or about to be
patented. And, this part of code may have the core logic of the app. Keeping the
code in the open in logically readable format, may incur heavy loss to the
organization in revenues and reputation.
Solution
Code must
be obfuscated at all times. Obfuscation is a procedure where organization masks
source code to avoid others from viewing or copying the code/algorithms to
build similar apps. ProGuard is one of the tools that can be used by programming team to
obfuscate code.
2. Manifest
file
Permissions
are easily visible to anyone who views manifest file, hence giving an overview
of what kind of permissions are needed for the app. This is again an unsafe
option.
Solution
It is advisable that manifest files are encrypted using methods that
will make it hard for the hacker to decrypt and see. In web technologies, a few
encryption algorithms are used. In mobile, you may have to explore if there are
similar algorithms or techniques for encryption or obfuscation. [Android store guidelines insists that permissions are visible to users. It’s upto
testers to review these permissions used and identify potential risks]
3. getDeviceID()
usage
It
is fair for anyone to track individual installations on specific devices on a
diverse user base. It sounds plausible just to
call TelephonyManager.getDeviceId() and use that value to identify
the installation. There are problems with this: Firstly, it doesn’t work
reliably. Secondly, when it does work, that value survives device wipes
(“Factory resets”) and thus one could end up making a nasty mistake when one of
the customers wipes their device and passes it on to another person.
Solution
There are many good
reasons for avoiding an attempt to identify a particular device. For those who
want to try, the best approach is probably the use of ANDROID_ID on anything
reasonably modern, with some fallback heuristics for legacy devices.
It is recommended to
study the operation of permissions and activities in the app. If these are used
and not handled well, the app may allow using the data which it processes on
the device. The decompiled JAR can be of help here.
4. Accessibility
to Resource files
Resource XMLs,
important images and other files may be easily downloadable and directly
consumable by anyone who does so. It is important to secure these files.
Solution
Images should not be accessible for anyone post de-compilation
process of the APK.
Summary
It is a common myth that JAR decompilation is
related to Security Testing. However, it is not true. Decompiling helps to
learn the app better. One can learn how functionality works; understand the
performance of the app and possible areas where the memory usage is a concern for
the app. Next time you decompile an app,
look at the treasure trove in front of you and explore innumerable
possibilities.
My team and I have applied above key tests for
a few android apps we tested. It gave good insight to developers about the app
itself and how it is perceived in the google world. Some of them who didn’t
know much about the threats associated with APK files learned a lot from this
exercise. Additionally, it also helped my team build credibility with the development
team.
Token of Thanks
My community colleague Ravisuriya reviewed this article thoroughly and supporting me patiently in my learning. Thanks Ravi, for your precious time.
Token of Thanks
My community colleague Ravisuriya reviewed this article thoroughly and supporting me patiently in my learning. Thanks Ravi, for your precious time.
P.S: I
cannot share the actual APK report format for obvious confidentiality
reasons, however, this article gives a short overview of different things that
can be done with decompiled JARs.
Appendix
[for additional reading]
What’s the need to review java code?
1.
Basic Health Check of the app (via java
source code and other confidential data)
2.
To perform security audits (provided code
is not obfuscated)
- Sensitive Data Exposure
- Inadequate Access Controls
- Code Injection
Vulnerabilities
- Broken Authentication and
Session Management
3.
Reverse engineering third-party protocols
or APIs
APK
Protection
Protecting
an APK file is an area to be concerned about in this free internet era.
Developers must have an eye on this while building APK files. There are many
methods to protect APK files. There are several articles that brief you about them.
I have listed out high level headers here, so you can go read them up in detail
on Android developer site
- Secure Java source code
- Encrypting class files
- Code Obfuscation
Tools that might help in the process of
JAR decompilation
1. Dex2jar – Tool to work with android *.dex and java
*.class files
4. APKtool – It is a third party reverse engineering tool
for android apps
5. Winzip / WinRAR – Compression/decompression utility
6. Proguard- ProGuard is a free Java class file
shrinker, optimizer, and obfuscator.
7. APK Protect – This is an APK protection solution
References