Mobile Security Research
Vulnerability research and introspection.
Mobile App Pentesting
App security and penetration testing.
Mobile App DevOps
App development and continuous testing.
Mobile malware and threat hunting.
Virtual learning platform for professors and trainers.
Reverse engineering an Android application typically involves using specialized tools to decompile the applications compiled code and resources into a human-readable form. As we go through this blog post, we will discuss the various available tools and examples of how they can be used to find hardcoded data and potentially find static application vulnerabilities.
This process can be challenging, as it requires a certain level of familiarity with Android app development and knowledge of Java. However, with the right tools and expertise, it is possible to reverse engineer most Android applications successfully.
Several tools can be used for reverse engineering Android mobile applications. Some of the more popular ones include:
It's worth noting that reverse engineering Android applications is a complex process that requires a good understanding of java and smali code. The above list of tools is not exhaustive, but instead, a lot of the common tools used to get started with Android reverse engineering.
For this blog post and examples, we will work with an android vulnerable challenge application publicly available on GitHub, Cybergym- CyberGym GitHub.
Let’s start from the beginning when we have an APK file for deeper analysis. An Android application APK file is essentially a ZIP archive and can be extracted using APKtool from the above list of tools. You can unzip an APK file, but the ability to read all the binary contents will not be there.
Utilizing APKtool, you can run the following command (replacing the binary name if it differs for you).
apktool d com.cybergym.lab1.apk
Once you have decompiled the android APK file, a folder with the same name will be created. The screenshot below will show an example of a decompiled android application.
Now that we have a good understanding of the android file structure and how to decompile an android application, we can look into reverse engineering tools and how they can be used to find vulnerabilities or solve application challenges.
We need to install the application to understand what is required to complete the challenge and use that information; hopefully, we can use reverse engineering tools and techniques to solve the challenge.
Using a Corellium virtualized device, I have installed the CyberGym level one APK and launched it, as shown in the screenshot below.
The application is looking for a 4-digit pin. My first thought is just brute force the pin because of the limited combinations it could be. When entering a pin to test, though, the application allows only three attempts and then requires time in-between guesses. All this means it is best we try to use reverse engineering tools to solve this.
Above, we mentioned a couple of different reverse engineering tools. JADX leads the pack allowing users to open an APK directly and have it decompiled to readable java code for analysis. Older tools like Dex2jar and JD-GUI work similarly but take a more extended approach.
We will start with using a JADX command to open the graphical interface, decompile the android binary and allow us to perform more in-depth analysis.
On the left-hand side of the JADX application, you can see the APK file structure. We will start with the “MainActivity” to better understand the application and what is being done.
We notice some interesting things as we look into the MainActivity from this application.
Let's dig deeper into the code, starting with the kkk.db file.
The highlighted code above creates a table with the name ‘name’. Two columns are utilized within that table for ‘user’ and pass’. Lastly, the values in those columns are ‘moksh’ and ‘password.’
Now let's look into the second DB and see what we can decipher:
As you can see in the above code, a table is created with the name ‘a’. Within that table, two columns are created ‘z’ and ‘a’. The values being stored for ‘z’ and ‘a’ are random, which is generated by a random number function (see screenshot below).
Just from some quick reverse engineering, we can understand what the application is doing and help us perform deeper analysis to solve this challenge.
We will now pull the application databases from the local android files to see if we can identify some of the critical data that is being stored within these databases. Corellium makes it extremely easy to review local files and download them for analysis. For a full tutorial and explanation, check the blog post on local data stored for Android.
Now that we have the databases locally, we can open them up to see the contents. Once we do that, we are prompted with a password screen, meaning we need to go back to the source code for additional analysis.
As I navigate through the code, I see many references to ‘sqlcipher,’ which is added encryption for SQLite databases. Using the advanced search functionality within JADX, I can find references to ‘sqlcipher’ to confirm that is what is being used for encryption.
If you remember, initially, we found a key hardcoded in the ‘MainActivity’ early on in this activity which turns out to be the PRAGMA key used for the database encryption.
We will need a command-line utility called ‘sqlcipher’ to decrypt the database. If you have a mac, you can use the following command to install.
brew install sqlcipher
Once we have ‘sqlcipher’ installed, the databases available locally and the PRAGMA key, we are set to decrypt the contents and solve this challenge.
>> PRAGMA Key = ‘123456’;
>> PRAGMA cipher_migrate;
>> SELECT * FROM a;
Using the above commands, you can load the encrypted database, enter the PRAGMA key, migrate the version (depending on your ‘sqlcipher’ version and then look at the results from the database.
This varies for everyone, but taking the results from the database and entering them in the challenge will give you the solution.
Hopefully, that shows some of the power behind tools like JADX for android and the ability to take an APK file, perform analysis on it and, through investigations, continue to exploit and find additional vulnerabilities within an application.
Keep an eye out for future blog posts where we will dig deeper into code modification after reversing dynamic code changes using Frida and the ability to leverage Corellium, even more, to speed up the process.