Rapid Android application pentesting

This is a quick guide to getting started with Android application testing. I won't delve into the details of testing itself, but instead cover what is necessary to get started. The topics I go through are:

  1. Get hold of an Android device, either emulated or physical
  2. Find and download the APK you want to test
  3. Decompile the APK
  4. Build, sign and install the updated APK

Find a suitable Android device

First, get hold of a suitable Android device emulator, e.g. using the Android SDK or a commercial product such as Genymotion. Alternatively, enable USB debugging on a physical device and connect the phone with a USB cable.

Get hold of the APK

You need the APK file of the application you want to test. Developers normally have several ways of giving you access to the APK file; however, if the application is published on the Google Play store, install it on your device and then pull the APK file off the device with ADB.

Locate your package using ADB

Use the package manager (pm) to list all packages installed on your device.

Then figure out its path on the device

Use the package manager to locate the path of the installed package's APK.

Pull the file from the device onto your workstation

Use adb pull along with the path of the APK you discovered in the last step.

Decompile the APK

Grab apktool to easily decompile the APK into its different parts.

This gives you a directory tree containing the assets, smali code, resources and manifest. You can also open the APK with a zip viewer such as 7zip to view and extract its contents.

Dalvik Executable into Java

The APK is essentially just a compressed container. You can open it in e.g. 7zip and review its files. One of them is a dex file, a Dalvik Executable, which is the compiled Android application itself. This file can be converted into a Java JAR using dex2jar.

The Dalvik Executable has now been converted into a Java JAR container. This can be further decompiled and inspected with a tool such as jd-gui.

(Screenshot: the Java JAR decompiled in jd-gui)

Create keystore, build, sign, uninstall and deploy

Once you have made the necessary modifications, e.g. to the assets or the smali code, you are ready to deploy the modified application.

Create a keystore

Build the modified code back into APK

This will create a release folder containing the updated APK.

Sign the updated APK

Uninstall the APK from the device to allow for reinstall

Install the updated APK

Put it all together

The above commands get tedious to type over and over when making small modifications to your APK. Instead, pull them all together into a single command line like this (these are the commands that follow once the keystore has been created):
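As an added example (not the author's original one-liner), the whole pull, decompile, rebuild, sign and reinstall loop can be wrapped in a small script. It assumes adb, apktool, zipalign and apksigner are on PATH, that the keystore test.keystore with alias test has already been created with keytool, and that the device's pm output uses the usual package: prefix; all of those names are assumptions, not taken from the post.

```sh
#!/bin/sh
# Added example: repackaging loop for the procedure described above.
# Assumes adb, apktool, zipalign and apksigner on PATH and an existing
# keystore "test.keystore" (alias "test") created with keytool.
set -eu

# Parse the APK path out of `adb shell pm path <pkg>` output, e.g.
#   package:/data/app/com.example.app-1/base.apk
# Strips the \r that adb shell emits and keeps only the first path, since
# apps with split APKs list several lines.
apk_path_from_pm_output() {
    printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^package://p' | head -n 1
}

# Filter `adb shell pm list packages` output (lines of package:<name>) down
# to the package names containing a keyword, case-insensitively.
packages_matching() {
    printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^package://p' | grep -i -- "$2" || true
}

# Full cycle for one package: pull, decompile, (edit), rebuild, align,
# sign, uninstall the original and install the modified build.
repack_pipeline() {
    pkg="$1"
    work="${pkg}.decoded"
    path=$(apk_path_from_pm_output "$(adb shell pm path "$pkg")")
    [ -n "$path" ] || { echo "no APK path found for $pkg" >&2; return 1; }
    adb pull "$path" "$pkg.apk"
    apktool d -f -o "$work" "$pkg.apk"
    # ... edit smali, assets or AndroidManifest.xml under "$work" here ...
    apktool b -o "$pkg.unsigned.apk" "$work"
    zipalign -f -p 4 "$pkg.unsigned.apk" "$pkg.aligned.apk"
    apksigner sign --ks test.keystore --ks-key-alias test \
        --out "$pkg.signed.apk" "$pkg.aligned.apk"
    apksigner verify "$pkg.signed.apk"
    # The store-signed copy must go first: the new signature will not match it.
    adb uninstall "$pkg" >/dev/null 2>&1 || true
    adb install "$pkg.signed.apk"
}

# Only run the pipeline when a package is named explicitly, so the helper
# functions above can be sourced and tested without a device attached.
if [ "${REPACK_PKG:-}" != "" ]; then
    repack_pipeline "$REPACK_PKG"
fi
```

Run it as `REPACK_PKG=com.example.app sh repack.sh` after each edit to the decoded tree; apksigner prompts for the keystore password unless you pass one of its --ks-pass options.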