Android Hacking: the very basics

There is a plethora of material available on web application hacking, network hacking and reverse engineering of PC software, but when it comes to mobile application hacking, not only are there fewer resources, they are also scattered. This post attempts to serve as a guide to the basics of Android application hacking.

We can roughly divide the application into two segments:

  • The one which contains all the application logic within the APK file. (Example: some games, like Subway Surfers)
  • The one which has all the logic on the server side and just acts as a UI front end, mostly communicating back and forth with the server through an API. (Example: the Airbnb app)

We will be covering both segments in brief, but before that let us get acquainted with the tools of the trade:

  • Dex2JAR (used for converting the classes.dex file in the APK to a JAR file)
  • JD-GUI (used for converting the JAR file to Java source code)
  • Apktool (used for converting the APK file to an intermediate format called SMALI)

The catch is that the Dex2JAR and JD-GUI combo can only be used to decompile and read the source code. Even though most of the method and variable names are lost, it is the best one can get, and the two are mostly used to understand the application logic and the way its methods work.

When there is a need to recompile the code and produce a working APK, Apktool is the tool we need.

I assume you have installed the above-mentioned tools in your environment and added them to your system's PATH.

Obtaining the APK files

Now that the dependencies are met, we need the APK file. It can be obtained either from one of the many websites on the internet that offer the APK files of most apps available on the official Google Play Store, or we can pull the APK file directly from our device:

To find the full package name of the app:

adb shell pm list packages | grep 'package you are looking for'

To get the full path name of the app's apk:

adb shell pm path 'full package name here'

To actually pull the apk from the device:

adb pull 'full path from last command' 'full path of destination'

Use . as the destination to save in the current folder.

Assuming that at this point we have the APK file, we move forward.

The applications which have all the logic within the APK

These applications can generally be modified in any way the attacker chooses, by decompiling the code, changing it accordingly and recompiling it.

Here the core logic of the application can be modified by making changes to the SMALI code. In the case of complex games where libraries written in native languages are involved, a few more tools come into play, such as .NET Reflector. Those are beyond the scope of this post and deserve a full post of their own.

In the case of normal applications (normal meaning those that do not involve native libraries), they can be converted to source code by running the following commands:

d2j-dex2jar application_name_here.apk

and then

jd-gui application_name_here-dex2jar.jar

This will present you with a GUI which lets you browse the packages and classes. There you can look for vulnerabilities like hardcoded credentials and other client-side logic (for example, the score counter in simple games).

Other runtime modifications can be packaged as Xposed modules so they are easier to apply.

Analysing the AndroidManifest.xml file may reveal activities (those with the exported="true" attribute in the manifest) which can be invoked directly from the command line:

Find the name of the current activity in focus using:

adb shell dumpsys window windows | grep 'mCurrentFocus'

then

adb shell am start -n yourpackagename/.activityname

to invoke the activity.
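As an added example (not code from the original post), the following Python script audits a decoded AndroidManifest.xml, in the form Apktool writes, for activities, services and receivers that other apps can reach. The manifest embedded below is a constructed sample, and the rule it applies is the classic Android default: a component with no android:exported attribute counts as exported only if it declares an intent-filter.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample, in the decoded form apktool writes; not a real app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
    <activity android:name=".DebugActivity" android:exported="true"/>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <activity android:name="com.example.demo.DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService"/>
  </application>
</manifest>
"""

def exported_components(manifest_xml):
    """Return (tag, fully-qualified name, reason) for each activity, service
    or receiver reachable from other apps. Providers are skipped because
    their historical default differs."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    found = []
    for elem in root.find("application").iter():
        if elem.tag not in ("activity", "service", "receiver"):
            continue
        name = elem.get(ANDROID + "name", "")
        if name.startswith("."):  # shorthand relative to the package name
            name = package + name
        exported = elem.get(ANDROID + "exported")
        if exported is not None:
            if exported == "true":
                found.append((elem.tag, name, "explicit android:exported=true"))
        elif elem.find("intent-filter") is not None:
            # No attribute: the classic default is exported whenever an
            # intent-filter exists (apps targeting Android 12+ must declare it).
            found.append((elem.tag, name, "implicit via intent-filter"))
    return found
```

Each fully-qualified name it returns is what goes after the package name in the `adb shell am start -n` command above, so the list doubles as a checklist of entry points to lock down with android:exported="false" or a permission.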

The applications which communicate with web servers

These applications serve as a mobile UI for web services. They make HTTP requests very analogous to the AJAX requests made by a website, but in this case the requests go to dedicated API endpoints for mobile devices.

Here the security testing is the same as the tricks and methods used in API testing and web application testing.