Week 5 - Analysing Android Apps

Question 1

adb - SDK tool

Answer 1

Most commonly used to interact with devices and emulators (install new apps, gain a shell on the system, read system logs, forward network ports, or do a multitude of other useful tasks).

Question 2

Monitor - SDK Tool

Answer 2

Useful for viewing processes running on a device and taking screenshots of the device’s screen (useful for pen testers who need to gain evidence of an action for reporting purposes).

Question 3

android - SDK Tool

Answer 3

Used to manage and create new Android emulators.

Question 4

aapt - SDK Tool

Answer 4

Converts code into binary form to be packaged with apps.

Also useful for reverse-engineering APKs by converting app binaries to readable text.

Question 5

Physical Devices vs Emulators

Answer 5

Emulators provide root access by default, physical devices do not.

Emulators do not operate correctly for certain apps (eg: USB, headphones, Wi-Fi, Bluetooth, etc) that require physical hardware.

Emulators do not allow making/receiving real phone calls (this can, however, be emulated to a degree using an interface).

Question 6

Android Apps and the Common User

Answer 6

Users may or may not pay attention to permission requirements when installing.

Users experience apps through app UI.

As analysts, we are more interested in what happened behind the scenes when the app installed.

How did this app reach your device?

How did it go from a packaged download to an installed app that can be used securely?

Question 7

Android OS

Answer 7

Consists of a stripped-down and modified Linux kernel, with some differences.

It includes an application virtual machine for running Java-like apps.

Each app is usually assigned its own unique user ID (UID) (10000 to 99999) and group ID (GID).

Special accounts like “system” and “root” exist.

Developers must assign unique package names to their apps.

Question 8

Dalvik VM

Answer 8

A Google-customized Java Virtual Machine (JVM) bundled with core libraries.

It was designed to replace the JVM on resource-constrained hardware.

Multiple can run simultaneously.

They run Dalvik bytecode, converted from Java code into Dalvik Executable (DEX) files using the dx SDK utility.

Use Just In Time (JIT) compilation, which dynamically compiles bytecode into machine code during each app run.

Question 9

Android Runtime (ART)

Answer 9

Each Android app runs in its own process with its own instance of ART.

Uses Ahead Of Time (AOT) compilation, translating the entire bytecode into machine code during app installation.

AOT compilation is a one-time event during installation, and it doesn’t require compilation at runtime.

Uses more storage space but offers faster execution.

Question 10

Android Package (APK)

Answer 10

Android apps are usually distributed in the form of zipped archives with file extension .apk (Android Package)

APKs contain code, resources, and metadata.

Question 11

aapt - APK Packaging Process

Answer 11

Converts XML resource files to binary form.

Source code and output from aapt are compiled into .class files by Java compiler.

Question 12

aidl - APK Packaging Process

Answer 12

Converts .aidl files to .java.

Source code and output from aidl are compiled into .class files by Java compiler.

Question 13

dx utility - APK Packaging Process

Answer 13

Converts .class files to a single classes.dex file.

Question 14

apkbuilder tool - APK Packaging Process

Answer 14

Combines all resources, both compiled and non-compiled, and the DEX file into an APK.

Question 15

jarsigner tool - APK Packaging Process

Answer 15

Signs the APK.

Question 16

zipalign tool - APK Packaging Process

Answer 16

Aligns app resources for optimal loading into memory, reducing RAM usage.

Question 17

/assets - APK Folder Structure

Answer 17

Contains files to bundle with the app.

Question 18

/res - APK Folder Structure

Answer 18

Contains activity layouts, images, etc., for code access.

Question 19

/lib - APK Folder Structure

Answer 19

Contains native libraries bundled with the application, split by CPU architecture.

Question 20

/META-INF - APK Folder Structure

Answer 20

Contains the app’s certificate, inventory list of files in the zip archive, and their hashes.

Question 21

classes.dex - APK Folder Structure

Answer 21

Executable file containing the app’s Dalvik bytecode.

Question 22

AndroidManifest.xml - APK Folder Structure

Answer 22

Contains app configuration information, including security parameters.

Question 23

resources.asrc - APK Folder Structure

Answer 23

Contains strings and resources that can be compiled into this file instead of being placed in the res folder.

Question 24

Installing Packages

Answer 24

Google Play could have required users to visit a website (through Google Play app) and select their desired app.

GTalkService is invoked when the user clicks “Install.”

GTalkService maintains a connection to Google via a pinned SSL connection.

Users can also install APKs from other stores, including Samsung Apps, Amazon Appstore, GetJar, SlideMe, F-Droid, and others.

Users may install any APK of their choice through an Android SDK tool called Android Debug Bridge (ADB).

Question 25

List connected devices

Answer 25

adb devices

Question 26

Get a shell on a device

Answer 26

adb shell

Question 27

Perform a shell command and return

Answer 27

db shell <command></command>

Question 28

Push a file to a device

Answer 28

adb push /path/to/local/file /path/on/android/device

Question 29

Retrieve a file from a device

Answer 29

adb pull /path/on/android/device /path/to/local/file

Question 30

Forward a TCP port on the local host to a port on the device

Answer 30

adb forward tcp:<local_port> tcp:<device_port></device_port></local_port>

Question 31

View the device logs

Answer 31

adb logcat

Question 32

BusyBox

Answer 32

A single binary with many useful Linux utilities that do not come as part of the Android image. Includes utilities like ifconfig, ping, traceroute, cp, grep, chmod, echo, mv, nc, netstat, pwd, rm, and many others.

Question 33

Services

Answer 33

Allow long-running tasks to run in the background.

Continue to work even when the user has opened another application.

Main purposes: perform long-running operations, supply functionality for other applications.

Each service class must have a corresponding <service> declaration in AndroidManifest.xml.</service>

Correct permissions are required to call these components.

Question 34

Broadcast Receivers

Answer 34

Listen for and respond to events that occur in the Android system and other apps.

Events are represented by the Intent class.

Applications can register for system or application events and get notified when they happen.

Example: The SMS app uses Broadcast Receivers.

Question 35

Content Providers

Answer 35

Used to store and share data between applications.

Allow access to the internally-stored data of different apps.

Act as interfaces connecting data in one process with code running in another process.

Examples include the Calendar provider, Contacts provider, and Browser bookmarks.

Question 36

Intents

Answer 36

Mechanisms for asynchronous Inter-Process Communication (IPC) in Android.

Allow one application to send messages directly to a specific component to control tasks or transport data.

Activate components like activities, broadcast receivers, and services.

Intents contain information necessary for the receiver to take action and are parsed by the OS.

Question 37

AndroidManifest.xml

Answer 37

Lists all components usable by an app, except for Broadcast Receivers.

Question 38

Installing an Application

Answer 38

Involves tasks performed by the Package Manager Service and installed to ensure the OS recognizes the app.

Steps include determining installation location, handling updates, storing APK, determining UID, creating app data directory, extracting libraries, and more.

Question 39

Running an Application

Answer 39

A single app VM starts when Android OS boots.

The zygote process listens for requests to launch new apps.

It forks itself with new app parameters and code when it receives a request.