Week 5 - Analysing Android Apps Flashcards
adb - SDK tool
Most commonly used to interact with devices and emulators (install new apps, gain a shell on the system, read system logs, forward network ports, or do a multitude of other useful tasks).
Monitor - SDK Tool
Useful for viewing processes running on a device and taking screenshots of the device’s screen (useful for pen testers who need to gain evidence of an action for reporting purposes).
android - SDK Tool
Used to manage and create new Android emulators.
aapt - SDK Tool
Converts code into binary form to be packaged with apps.
Also useful for reverse-engineering APKs by converting app binaries to readable text.
Physical Devices vs Emulators
Emulators provide root access by default, physical devices do not.
Emulators do not operate correctly for certain apps (eg: USB, headphones, Wi-Fi, Bluetooth, etc) that require physical hardware.
Emulators do not allow making/receiving real phone calls (this can, however, be emulated to a degree using an interface).
Android Apps and the Common User
Users may or may not pay attention to permission requirements when installing.
Users experience apps through app UI.
As analysts, we are more interested in what happened behind the scenes when the app installed.
How did this app reach your device?
How did it go from a packaged download to an installed app that can be used securely?
Android OS
Consists of a stripped-down and modified Linux kernel, with some differences.
It includes an application virtual machine for running Java-like apps.
Each app is usually assigned its own unique user ID (UID) (10000 to 99999) and group ID (GID).
Special accounts like “system” and “root” exist.
Developers must assign unique package names to their apps.
Dalvik VM
A Google-customized Java Virtual Machine (JVM) bundled with core libraries.
It was designed to replace the JVM on resource-constrained hardware.
Multiple Dalvik VM instances can run simultaneously (one per app process).
They run Dalvik bytecode, converted from Java code into Dalvik Executable (DEX) files using the dx SDK utility.
Use Just In Time (JIT) compilation, which dynamically compiles bytecode into machine code during each app run.
Android Runtime (ART)
Each Android app runs in its own process with its own instance of ART.
Uses Ahead Of Time (AOT) compilation, translating the entire bytecode into machine code during app installation.
AOT compilation is a one-time event during installation, and it doesn’t require compilation at runtime.
Uses more storage space but offers faster execution.
Android Package (APK)
Android apps are usually distributed in the form of zipped archives with file extension .apk (Android Package)
APKs contain code, resources, and metadata.
aapt - APK Packaging Process
Converts XML resource files to binary form.
Source code and output from aapt are compiled into .class files by Java compiler.
aidl - APK Packaging Process
Converts .aidl files to .java.
Source code and output from aidl are compiled into .class files by Java compiler.
dx utility - APK Packaging Process
Converts .class files to a single classes.dex file.
apkbuilder tool - APK Packaging Process
Combines all resources, both compiled and non-compiled, and the DEX file into an APK.
jarsigner tool - APK Packaging Process
Signs the APK.
zipalign tool - APK Packaging Process
Aligns app resources for optimal loading into memory, reducing RAM usage.
/assets - APK Folder Structure
Contains files to bundle with the app.
/res - APK Folder Structure
Contains activity layouts, images, etc., for code access.
/lib - APK Folder Structure
Contains native libraries bundled with the application, split by CPU architecture.
/META-INF - APK Folder Structure
Contains the app’s certificate, inventory list of files in the zip archive, and their hashes.
classes.dex - APK Folder Structure
Executable file containing the app’s Dalvik bytecode.
AndroidManifest.xml - APK Folder Structure
Contains app configuration information, including security parameters.
resources.arsc - APK Folder Structure
Contains strings and resources that can be compiled into this file instead of being placed in the res folder.
Installing Packages
Google Play requires users to visit the store (via the website or the Google Play app) and select their desired app.
GTalkService is invoked when the user clicks “Install.”
GTalkService maintains a connection to Google via a pinned SSL connection.
Users can also install APKs from other stores, including Samsung Apps, Amazon Appstore, GetJar, SlideMe, F-Droid, and others.
Users may install any APK of their choice through an Android SDK tool called Android Debug Bridge (ADB).
List connected devices
adb devices
Get a shell on a device
adb shell
Perform a shell command and return
adb shell <command>
Push a file to a device
adb push /path/to/local/file /path/on/android/device
Retrieve a file from a device
adb pull /path/on/android/device /path/to/local/file
Forward a TCP port on the local host to a port on the device
adb forward tcp:<local_port> tcp:<device_port>
View the device logs
adb logcat
BusyBox
A single binary with many useful Linux utilities that do not come as part of the Android image. Includes utilities like ifconfig, ping, traceroute, cp, grep, chmod, echo, mv, nc, netstat, pwd, rm, and many others.
Services
Allow long-running tasks to run in the background.
Continue to work even when the user has opened another application.
Main purposes: perform long-running operations, supply functionality for other applications.
Each service class must have a corresponding <service> declaration in AndroidManifest.xml.
Correct permissions are required to call these components.
Broadcast Receivers
Listen for and respond to events that occur in the Android system and other apps.
Events are represented by the Intent class.
Applications can register for system or application events and get notified when they happen.
Example: The SMS app uses Broadcast Receivers.
Content Providers
Used to store and share data between applications.
Allow access to the internally-stored data of different apps.
Act as interfaces connecting data in one process with code running in another process.
Examples include the Calendar provider, Contacts provider, and Browser bookmarks.
Intents
Mechanisms for asynchronous Inter-Process Communication (IPC) in Android.
Allow one application to send messages directly to a specific component to control tasks or transport data.
Activate components like activities, broadcast receivers, and services.
Intents contain information necessary for the receiver to take action and are parsed by the OS.
AndroidManifest.xml
Lists all components usable by an app, except for Broadcast Receivers.
Installing an Application
Involves tasks performed by the Package Manager Service to ensure the OS recognizes the installed app.
Steps include determining installation location, handling updates, storing APK, determining UID, creating app data directory, extracting libraries, and more.
Running an Application
A single app VM starts when Android OS boots.
The zygote process listens for requests to launch new apps.
It forks itself with new app parameters and code when it receives a request.