How anyone can hack your Android APK (pt 2)

White hat hackers are hackers who expose security vulnerabilities in software in order to make it better.

This is the second part of my Android APK security tutorial. In the first part we explored how to secure your app against hackers. In this tutorial, we will open up our own APK, decompile it, and try to “hack” into our own app.

WARNING: THIS TUTORIAL IS MEANT TO TEACH YOU HOW TO EXPOSE YOUR OWN SECURITY VULNERABILITIES. DO NOT USE THIS INFORMATION TO TRY AND STEAL SOMEONE ELSE’S HARD WORK!

Before we learn how to decompile an Android APK, we need to first understand the steps Android goes through when it makes an APK. Here is a diagram that explains these steps really well:

[Diagram: the Android build steps, from .java files through .class and .dex files to the signed .apk (image not included)]

Don’t worry if this looks confusing, I’ll explain every step of the way!

.java files: You start off by writing your code in .java files.

.java files -> .class files: The compiler turns all of those .java files into .class files. If you are using ProGuard or another obfuscation tool, the code is obfuscated at this stage as well.

.class files -> .dex files: Using the dex tool, the .class files become .dex files. In standard Java, the .class files hold bytecode that runs on the JVM. Similarly, in Android, all .class files are turned into .dex files in order to run on the Dalvik Virtual Machine, which is like the JVM but for Android. (Here’s more about the Dex File Format.) More obfuscation can happen here as well.

.dex -> .apk: After all of the app resources (such as pictures, audio, and XML files) are added to the package, everything is bundled into an APK file, which can be installed and run on any Android device. Because the resources are added at the end, in plain form, it’s easiest for a hacker to gain access to items such as your app logo, images, and other res objects.

Signature: After you have created your .apk, you sign it with your developer key. The signature verifies that the application is yours and that it is published under your name.

That’s it! Now that you understand the process of how an Android app is compiled, it will be much easier to grasp how you can decompile your own apps to test their security.

Step one: Download an unarchive tool. This is necessary to easily open a zipped-up file, like an APK. I use The Unarchiver, available here.

Step two: Grab your .APK file, and change its extension from .APK -> .ZIP. Here’s how I did that on my own desktop:

Step three: Open it with The Unarchiver (or whatever software you chose in step one).

After extracting, you should have a folder appear on your desktop (or wherever you are completing these steps) that looks like this:

See that file called classes.dex? That is the third step of the chart I explained earlier!

Step four: Download dex2jar. You can download it from SourceForge, although it is mirrored in many places. On my machine I need to use version 0.0.9.15 to get it to work, so I have uploaded that version here on GitHub if you need it.

Step five: Move classes.dex into the extracted dex2jar folder. This is a little complicated, so lucky for you, I did another screen recording:

Step six: I’m sure you’re familiar with the basic command line/terminal, so simply navigate to wherever your dex2jar folder is stored. For example:

cd /Users/ruchirbaronia/Desktop/dex2jar-2.0

Step seven: Run the following:

./d2j-dex2jar.sh classes.dex

If you see the message dex2jar classes.dex -> classes-dex2jar.jar then you’re good! Go straight to step eight. If you get something like “Permission denied” or “command not recognized”, the scripts are not marked executable yet; run the following commands instead:

chmod +x ./d2j-dex2jar.sh ./d2j_invoke.sh

./d2j-dex2jar.sh classes.dex

Step eight: A .jar file called classes-dex2jar.jar should now have been generated in your dex2jar folder. Take this step to bask in the glory of being one step closer to having decompiled your APK!

Step nine: Download and open JD-GUI (jd-gui-1.4.0). This is just a graphical interface where you can view all the code from your JAR file right on your computer, without the need for a special IDE.

Step ten: Simply open the newly created .jar file in JD-GUI, and you now have access to all of the code from your APK!

Now you can use this information to check whether ProGuard worked properly and make sure your code is obfuscated as intended! Again, only use this information to secure your own apps, and never try to steal someone else’s hard work! Please share this article if you learned something from it, and comment if you have any questions!
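As an added example that is not part of the original post or the dex2jar project, here is a small Python script that does the archive steps above without renaming anything (an APK is already a ZIP) and then reads the classes-dex2jar.jar produced in step eight to report which of your own classes still carry readable names, the ProGuard check mentioned above. It assumes ProGuard’s default naming scheme (a, b, ab, ...) and that your own code does not live under the android, androidx, kotlin or java packages; every file name it creates is a constructed sample.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# ProGuard's default dictionary renames classes to short lowercase names like "a",
# "b" or "ab" (assumption: a custom -obfuscationdictionary needs another pattern).
OBFUSCATED_NAME = re.compile(r"^[a-z]{1,2}$")
# Library packages are skipped so they do not skew the count of the app's own classes.
SKIP_PREFIXES = ("android/", "androidx/", "kotlin/", "java/", "javax/")

def extract_classes_dex(apk_path, out_dir):
    """An APK is already a ZIP: pull out classes.dex (and classes2.dex, ... in multidex builds)."""
    with zipfile.ZipFile(apk_path) as apk:
        dex = [n for n in apk.namelist() if re.fullmatch(r"classes\d*\.dex", n)]
        apk.extractall(str(out_dir), members=dex)
    return [str(Path(out_dir) / n) for n in dex]

def class_names(jar_path):
    """Simple class names in a classes-dex2jar.jar; Outer$Inner folds into Outer."""
    names = set()
    with zipfile.ZipFile(jar_path) as jar:
        for entry in jar.namelist():
            if entry.endswith(".class") and not entry.startswith(SKIP_PREFIXES):
                simple = entry[:-len(".class")].rsplit("/", 1)[-1]
                names.add(simple.split("$", 1)[0])
    return sorted(names)

def obfuscation_report(jar_path):
    """List the app's own classes that still have readable names: a long list means
    ProGuard did not rename them (it was off, or -keep rules were too broad)."""
    names = class_names(jar_path)
    readable = [n for n in names if not OBFUSCATED_NAME.match(n)]
    return {"total": len(names), "obfuscated": len(names) - len(readable), "readable": readable}

def demo():
    """Constructed sample data (not a real app) in a temp dir so the check runs offline."""
    with tempfile.TemporaryDirectory() as tmp:
        apk, jar = Path(tmp) / "myapp.apk", Path(tmp) / "classes-dex2jar.jar"
        with zipfile.ZipFile(apk, "w") as z:
            for e in ("AndroidManifest.xml", "classes.dex", "classes2.dex", "res/logo.png"):
                z.writestr(e, b"\x00")
        with zipfile.ZipFile(jar, "w") as z:
            for e in ("com/example/app/MainActivity.class", "com/example/app/a.class",
                      "com/example/app/b$1.class", "com/example/app/LoginHelper.class",
                      "android/support/v4/app/Fragment.class"):
                z.writestr(e, b"\xca\xfe\xba\xbe")  # class-file magic only, no real bytecode
        dex_files = extract_classes_dex(apk, Path(tmp) / "out")
        return len(dex_files), obfuscation_report(jar)
```

Point obfuscation_report at the real classes-dex2jar.jar from step eight; MainActivity and any class referenced from the manifest are expected to stay readable, since ProGuard must keep their names.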