APK Teardown in a Nutshell

Ziya Ilkem Erogul
Published in Commencis
Mar 15, 2017

In short, an APK teardown means converting (decompiling) machine-readable binary code into a higher-level programming language by applying reverse engineering techniques, so that it can be read by a human.

The tool that accomplishes this is called a decompiler and it is APKTool in this case. It is a well-known tool for reverse engineering Android APK files, resources and executables.

But what can we achieve as QA Engineers?
Well, it depends. A solid “Code Review” process greatly reduces the possibility of encountering unexpected anomalies. However, before the release, you may want to have a final check, just in case. Actually, it doesn’t matter whether we have a “Code Review” process or not. Since we’re all responsible for “quality”, it’s better for us to spend some time on reverse engineering and dig deep.

Thus, we can analyse the software deeper, perform vulnerability research and compatibility check, view and eliminate unnecessary permissions, find out oversized or duplicate icons, logos, images or any other media files, reveal unused or unsupported font families, etc. We can also see which 3rd party SDKs are in use by navigating through the smali folder.

So, let’s begin…

APKTool Installation for Mac OS X

1. Navigate to https://ibotpeaches.github.io/Apktool/install/ and download the Mac wrapper script (right-click and save the link as apktool).

2. Navigate to https://bitbucket.org/iBotPeaches/apktool/downloads/ and download the newest version. The current latest version is apktool_2.2.2.jar.

3. Rename the downloaded jar file to apktool.jar.

4. Move both files (apktool.jar & apktool) to /usr/local/bin (root user needed). Please visit https://support.apple.com/en-us/HT204012 for more detailed information about root users.

5. Make sure the apktool file is executable (chmod +x).
Open Terminal, type “cd /usr/local/bin” and press Enter.
Type “ls” to double-check that the apktool files are available under the bin folder.
Type “chmod +x apktool” and press Enter.
The apktool file is now executable.

6. Move your project apk file to /usr/local/bin (e.g. WhatsAppv2.17.79.apk). Make sure your project apk file is executable as well (chmod +x).
Type “chmod +x WhatsAppv2.17.79.apk” and press Enter.
The WhatsAppv2.17.79.apk file is now executable.

7. Now, we’re ready to decode.
The APKTool decode option is invoked with “d”, as shown below.
Type “apktool d WhatsAppv2.17.79.apk” and press Enter.
You’ll see the decoding steps printed in Terminal.

8. Now, open Finder and navigate to /usr/local/bin.
Observe that a folder named “WhatsAppv2.17.79” has just been created.
We’re all set to browse through the assets, lib and res folders and files. First, let me introduce them and their content.

  • The assets/ directory usually contains fonts, graphics, JS and CSS files, etc. Since this directory does not have strict guidelines the way lib/ does, its content may differ depending on the project.
  • The lib/ directory contains native libraries that the application may use via Android NDK.
  • The res/ directory contains the application’s resources, such as images, colours, animations, sounds, layouts, menus, etc.
  • AndroidManifest.xml provides essential information about the application to the OS, which the system must have before it can run any of the app’s code. It is more or less the link between the app and the OS.

Now you can check whether code shrinking has been applied and look for any sensitive information left in the package.
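The checks listed in the introduction (requested permissions, oversized or duplicate media, third-party SDKs under smali) can be scripted against the folder apktool created. The following is an added example, not part of the original article or of APKTool; the function names, the 200,000-byte size threshold and the sample tree written by build_sample are assumptions made for illustration.

```python
import hashlib
import tempfile
import xml.etree.ElementTree as ET
from collections import defaultdict
from pathlib import Path

NS = "{http://schemas.android.com/apk/res/android}"  # namespace of android:* attributes
MEDIA = {".png", ".jpg", ".jpeg", ".webp", ".gif", ".ttf", ".otf"}

def permissions(decoded):
    """Permission names from <uses-permission> in the decoded AndroidManifest.xml."""
    root = ET.parse(Path(decoded) / "AndroidManifest.xml").getroot()
    return sorted({e.get(NS + "name", "") for e in root.iter("uses-permission")} - {""})

def media_report(decoded, max_bytes=200_000):
    """Return (oversized, duplicate_groups) for media files under res/ and assets/."""
    decoded, by_hash, oversized = Path(decoded), defaultdict(list), []
    files = [p for top in ("res", "assets") for p in (decoded / top).rglob("*")
             if p.is_file() and p.suffix.lower() in MEDIA]
    for f in sorted(files):
        rel = f.relative_to(decoded).as_posix()
        if f.stat().st_size > max_bytes:
            oversized.append(rel)
        by_hash[hashlib.sha256(f.read_bytes()).hexdigest()].append(rel)
    return oversized, sorted(g for g in by_hash.values() if len(g) > 1)

def smali_packages(decoded, depth=2):
    """Package prefixes (e.g. com/crashlytics) across smali/, smali_classes2/, ..."""
    dirs = {f.parent.relative_to(s).parts[:depth]
            for s in Path(decoded).glob("smali*") for f in s.rglob("*.smali")}
    return sorted("/".join(p) for p in dirs if p)

def build_sample(root):  # constructed stand-in for an apktool output folder, not a real app
    perm = '<uses-permission android:name="android.permission.{}"/>'
    manifest = (f'<manifest xmlns:android="{NS[1:-1]}">' + perm.format("INTERNET")
                + perm.format("READ_CONTACTS") + "</manifest>")
    files = {"AndroidManifest.xml": manifest.encode(),
             "res/drawable-hdpi/logo.png": b"PNG" * 9,
             "res/drawable-xhdpi/logo.png": b"PNG" * 9,   # same bytes: a duplicate
             "assets/splash.jpg": b"J" * 300_000,          # above max_bytes
             "smali/com/crashlytics/android/Crashlytics.smali": b".class",
             "smali/b/a/a/e.smali": b".class"}             # ProGuard-style short names
    for rel, data in files.items():
        (Path(root) / rel).parent.mkdir(parents=True, exist_ok=True)
        (Path(root) / rel).write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(permissions(tmp), media_report(tmp), smali_packages(tmp), sep="\n")
```

For the walkthrough above, pass the decoded folder instead of the sample, e.g. permissions("/usr/local/bin/WhatsAppv2.17.79").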

What is Smali?
“Smali” and “Baksmali” are the Icelandic equivalents of “assembler” and “disassembler”. So, Smali/Baksmali is an assembler/disassembler for the dex format used by Dalvik, Android’s Java VM implementation. Dalvik, by the way, was written by Dan Bornstein, who named it after the fishing village of Dalvík in Eyjafjörður, Iceland.

You’ll see the smali folder, which includes folders and files without proper names, such as smali/b/a/a/e.smali. ProGuard is the reason for that. It detects, shrinks, optimizes, and obfuscates the code by removing unused code, classes, fields, methods and attributes, and renaming the remaining classes, fields, and methods using short meaningless names. It is used to obfuscate the code and protect against reverse engineering.

Anyway, you can open .smali files with a text editor of your choice, such as Sublime Text, Notepad++ or Atom.

Dexplorer Installation

As an alternative, you can use Dexplorer on your mobile device to have a quick look through Java packages and files, permissions, signatures and much more. Just go to Google Play Store and install Dexplorer. The current version is v.1.1.6.

1. Start Dexplorer.

2. Tap on the menu button and navigate to Preferences.

3. Scroll down to Visibility and uncheck Hide system applications.

4. Now you’re able to see all the applications on your mobile device.

5. Let’s use the same example as above, “WhatsAppv2.17.79”, and browse through folders and files. You can view the assets, lib and res folders and files such as AndroidManifest.xml.

6. As highlighted above, in the introduction part, by using Dexplorer on your mobile device, you can view and eliminate unnecessary permissions, find out oversized or duplicate icons, logos, images or any other media files, reveal unused or unsupported font families, etc. You can also see which 3rd party SDKs are in use by navigating through the src/com/ directory. Depending on the application, you may see subfolders such as adobe, crashlytics, newrelic, google, github, netmera, facebook, paypal, etc.
