So you've just finished your app and you're ready to release it. However, you store some user credentials and some code you want to keep secret, and you aren't sure whether your app is secure enough.
How can you check? It's time to look at it from the outside to see what vulnerabilities are lurking, as you learn to hack an Android app. Then put on your forensic hat!
The purpose of this tutorial is to help you become a security-conscious app developer. It is also an introduction for anyone interested in pursuing the field of mobile forensics.
During the process, you learn how to:
- Access an app's private data.
- Analyze databases.
- Reverse engineer code.
Since working with a range of different devices is a training in itself, you'll use the Pixel XL API Q emulator to begin with the basics.
Download and extract the materials for this tutorial using the Download Materials button at the top or bottom of this page. You will notice that this tutorial has only one final project. This is because the scenario is that you have already finished your project and are now focused on extracting its data.
Open and run the final project in Android Studio 3.3.0 or later to see what you'll be working with.
You'll be using a sample app called Snitcher, which lets users report crimes anonymously to law enforcement. OK, it doesn't really send the information to the police. But this type of app raises plenty of privacy concerns.
You will see a simple sign-up screen. After entering a password and selecting SIGN UP, you must enter that password whenever you start the app in the future.
After that step, you get a list of offenses to report. Oh wait, all the reports are about animals! Well, who wouldn't protect a furry friend from harm?
Touch an entry in the list to proceed to the reporting screen:
Explore the project in Android Studio. To keep the SQLite database code and logic out of the way, the project uses a library called Room to store the reports.
To learn more about SQLite and Room, see our Room guide.
Extracting data from a real device
You will start with an example walkthrough on a real device. This will give you a sense of the process and the complications you'll face along the way.
You won't be able to follow this section unless you have a rooted device, so read along instead of trying it on your own device. That is, unless you want to mess up your device for fun. :]
Examine installed apps on a device
One of the easiest things to do with ADB is to list the apps installed on a device.
adb shell # 1
pm list packages -f # 2
exit
- The first command starts an adb shell so that you can run commands on the device.
- The second line lists the packages installed on the device.
You should see a long list of installed packages on your device. If you have installed the Snitcher app on your device, you should see a similar line in your output:
package:/data/app/com.raywenderlich.android.snitcher-ei0L3AJk3xo5M3Gs9SVuTQ==/base.apk=com.raywenderlich.android.snitcher
Here, com.raywenderlich.android.snitcher is the Snitcher app's package name.
Extracting data from a package
Once you've found the package you are looking for (in this case com.raywenderlich.android.snitcher), see whether you can run as the app over adb to extract its data with the appropriate permissions.
It is easy to retrieve data from apps that allow installation to external storage or that store data in public areas, but in most cases you need to get at data in the private storage area.
In some versions, you can access the private storage of debuggable builds of the app:
adb exec-out run-as com.raywenderlich.android.snitcher cat databases/reports-db > reports-db
Here you use run-as to execute commands with the same permissions as the app.
If that doesn't work, you can also try changing the file permissions and using the adb pull command:
adb shell
run-as com.raywenderlich.android.snitcher # 1
chmod 666 databases/reports-db # 2
exit
cp /data/data/com.raywenderlich.android.snitcher/databases/reports-db /sdcard/ # 3
run-as com.raywenderlich.android.snitcher chmod 600 databases/reports-db # 4
exit
adb pull /sdcard/reports-db . # 5
Here's what goes on in this code:
- Tells adb to execute commands with the same permissions as the app.
- Runs chmod, which lets you change file permissions. The permission 666 means that all users can read and write the file.
- Copies the reports-db file to the sdcard, which is a public area of the device.
- Runs chmod again to reset the file permissions. Permission 600 means that only the owner (the app) can read and write the file.
- Now that the file is in a public area, this copies it from the device to your working directory on your computer.
And just like that, you have a copy of an app's local database on your computer.
However, many devices disable these features for security reasons. If so, the next thing to look for is a backup of the device. A device backup can contain APKs as well as the private data of each app:
adb backup -apk -shared com.raywenderlich.android.snitcher
Here you use the backup command to write an archive of the app and its data to the working directory on your computer. The default file name is backup.ab.
Feel free to experiment and do research if you're comfortable doing it on a test device. But for the sake of time and safety, this tutorial uses the Android emulator from here on.
Extracting data from the emulator
Now that you know how to access a device's file system, it's time to extract the data. Build and run the app in the emulator, then go ahead and create a report.
On the report screen, fill in the details and press the SEND REPORT button. In Android Studio, select View ▸ Tool Windows ▸ Device File Explorer and select Emulator Pixel_XL_API_Q in the drop-down menu:
Here are some places where Android holds important data:
- All apps store user data in the directory /data/data.
- You can find a list of the apps on the device at /data/system/packages.list.
- You can see when you last used an app in /data/system/package-usage.list.
- The operating system stores Wi-Fi connection information, such as a list of access points, in /data/misc/wifi/wpa_supplicant.conf.
WhatsApp stores its messages in /databases/msgstore.db. Forensic companies take advantage of this to back up the database and recover messages.
Knowing where apps store information also makes it easy to search for artifacts or to recover data. In the case of WhatsApp, forensic examiners have been able to recover deleted messages that users thought were gone for good.
To try extracting Snitcher's data on the emulator, navigate to /data/data. You will see a list of all packages:
Find the com.raywenderlich.android.snitcher entry:
Right-click on it and select Save As…:
Save the folder to a location on your computer and open it to see its contents. You will see important directories like:
Open the MyPrefs.xml file in the shared_prefs folder. You will notice at least one entry with a timestamp. Score!
Timestamps are very important to any kind of forensic or criminal investigation, since they provide evidence that the user was doing something at a particular time!
Examining other files
Now, select the users.dat file in the files directory.
Android serializes objects in a particular on-disk format, but you can still search for text using the strings tool, which is already included on Mac and Linux.
In the terminal, type strings followed by a space and the path of the users.dat file. After you type strings and a space, you can drag the users.dat file into the terminal window to fill in the path. Press Enter and you get a list of strings.
If you are using Windows, you can download the strings tool.
When you look at the output, you see extrat followed by nameq and passwordq. From that ordering you can deduce that you're looking at the extra information about each account, followed by a username and a password!
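As an added illustration (this is not code from the tutorial), here is a small Python reimplementation of what strings does, run over a constructed byte blob shaped like a Java-serialized object. The class name, field names and values are invented for the example. It also explains where those odd trailing letters come from: in Java's serialization format the byte after a field name is a type tag, TC_STRING (0x74, the letter t) for the first String field and TC_REFERENCE (0x71, the letter q) for later fields that reuse the same type descriptor, so the field names print as extrat, nameq and passwordq.

```python
from __future__ import annotations
import string

# Constructed sample: a blob shaped like Java serialization output
# (0xACED0005 stream magic, class descriptor, field names with their
# type tags, then the field values). Not a real users.dat from the app.
SAMPLE_USERS_DAT = (
    b"\xac\xed\x00\x05"                            # STREAM_MAGIC, STREAM_VERSION
    b"sr\x00\x19com.example.snitcher.User"         # TC_OBJECT, TC_CLASSDESC, class name (hypothetical)
    b"\x00\x00\x00\x00\x00\x00\x00\x01"            # serialVersionUID
    b"\x02\x00\x03"                                # SC_SERIALIZABLE, 3 fields
    b"L\x00\x05extrat\x00\x12Ljava/lang/String;"   # field 'extra', type written as TC_STRING ('t')
    b"L\x00\x04nameq\x00~\x00\x01"                 # field 'name', type as TC_REFERENCE ('q')
    b"L\x00\x08passwordq\x00~\x00\x01"             # field 'password', type as TC_REFERENCE ('q')
    b"xp"                                          # TC_ENDBLOCKDATA, TC_NULL (no superclass)
    b"t\x00\x05admint\x00\x05alicet\x00\x0bhunter2-pw!"  # values: extra, name, password
)

# Printable ASCII the way strings treats it: letters, digits, punctuation, space.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Return every run of at least min_len printable ASCII bytes, like `strings`."""
    found: list[str] = []
    run = bytearray()
    for byte in data:
        if byte in PRINTABLE:
            run.append(byte)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:        # flush a run that ends at EOF
        found.append(run.decode("ascii"))
    return found


if __name__ == "__main__":
    for s in extract_strings(SAMPLE_USERS_DAT):
        print(s)
```

Run against the sample, the output lists the class name, the three field names with their tags glued on, and the three values, which is exactly the pattern the tutorial describes. Note that strings glues adjacent printable bytes together, so the type descriptor comes out as Ljava/lang/String;L because the next field's type code L follows it directly.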
There are some other tools you can use to recover data:
- A hex and text viewer is useful for searching unknown file types for information and patterns.
- A live data imaging tool that may be useful is dd. You can find it at /system/bin.
- To extract the current memory state of the device, check out LiME.
In the movies, forensic investigators investigate crime scenes while drinking martinis and jumping from trains as they fight villains. In reality, forensic investigators spend much of their time peering into a text viewer. You can still try jumping from a train while peering into a text viewer. :]
Next, navigate to the databases folder. It looks like there are some files in there; here's how to examine them.
Now that you have downloaded the database files, go to the sqlitebrowser home page.
Click the download button at the top of the page. Select your operating system, download the file and install the program. Start DB Browser and select the Open Database button at the top:
In the folder you downloaded via Device File Explorer, select the reports-db file from the databases directory.
If it does not appear in the list, select All Files from the Filter option at the bottom. If there is no reports-db file, look for the file reports-master-db:
Provided everything worked, you should see the data tables displayed on the Database Structure tab. Click the Browse Data tab:
Now click the Table selector right below the tab and select reports:
You will see all the secret reports!
This is an example of why you should not store users' sensitive information in plain text. A much better solution is to encrypt the data before saving it.
Recovering Deleted Data
The data you have recovered so far is contained in allocated SQLite blocks. SQLite also has unallocated blocks and free blocks. When you delete something from the database, SQLite does not immediately overwrite the block. Instead, it only marks the block as free. To read such a data block, you use a hex viewer that also displays ASCII and search for keywords that may still be present.
Experts call the process of finding and recovering data when you do not have access to the file structure file carving. Sometimes it helps to search for a particular string of content. Other times, you look for the header of a known file format.
For example, say you are looking for deleted picture data. In the JPEG format, the first two bytes and the last two bytes are always FF D8 and FF D9.
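The following Python script is an added example, not code from the tutorial, that demonstrates the behaviour described above on a database built from scratch: it creates a small reports table, deletes one row, and then searches the raw file bytes the way a hex viewer would. It also shows the two controls that stop deleted rows from lingering, PRAGMA secure_delete and VACUUM, which apply to any SQLite file, including one written through Room. The table layout and report text are constructed for the example.

```python
from __future__ import annotations
import os
import sqlite3
import tempfile

# Constructed marker text for the report that will be deleted.
DELETED_REPORT = "WITNESS_SAW_A_RED_TRUCK_AT_MIDNIGHT"


def build_reports_db(path: str, secure_delete: bool) -> None:
    """Create a reports table, insert three rows, delete one, and close the file.

    secure_delete=False is the default SQLite behaviour the text describes: the
    deleted cell is only marked free.  secure_delete=True makes SQLite zero it.
    """
    conn = sqlite3.connect(path, isolation_level=None)  # autocommit: every statement is written out
    conn.execute("PRAGMA journal_mode = DELETE")
    conn.execute("PRAGMA secure_delete = " + ("ON" if secure_delete else "OFF"))
    conn.execute("CREATE TABLE reports (id INTEGER PRIMARY KEY, body TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO reports (body) VALUES (?)",
        [("Dog left outside in the cold",), (DELETED_REPORT,), ("Cat stuck in a tree",)],
    )
    conn.execute("DELETE FROM reports WHERE body = ?", (DELETED_REPORT,))
    conn.close()


def live_rows(path: str) -> list[str]:
    """What a normal query (or DB Browser's Browse Data tab) shows."""
    conn = sqlite3.connect(path)
    rows = [r[0] for r in conn.execute("SELECT body FROM reports ORDER BY id")]
    conn.close()
    return rows


def raw_file_contains(path: str, needle: str) -> bool:
    """What a hex/text viewer shows: scan the file bytes, ignoring SQLite's structure."""
    with open(path, "rb") as f:
        return needle.encode("utf-8") in f.read()


def vacuum(path: str) -> None:
    """Rebuild the file from live rows only, discarding free space and whatever it held."""
    conn = sqlite3.connect(path, isolation_level=None)
    conn.execute("VACUUM")
    conn.close()


def demo() -> dict[str, bool]:
    """Run the three scenarios and report whether the deleted text is still carvable."""
    results: dict[str, bool] = {}
    with tempfile.TemporaryDirectory() as workdir:
        leaky = os.path.join(workdir, "reports-db")
        build_reports_db(leaky, secure_delete=False)
        assert DELETED_REPORT not in live_rows(leaky)   # gone from query results...
        results["recoverable_after_delete"] = raw_file_contains(leaky, DELETED_REPORT)
        vacuum(leaky)
        results["recoverable_after_vacuum"] = raw_file_contains(leaky, DELETED_REPORT)

        hardened = os.path.join(workdir, "reports-db-secure")
        build_reports_db(hardened, secure_delete=True)
        results["recoverable_with_secure_delete"] = raw_file_contains(hardened, DELETED_REPORT)
    return results


if __name__ == "__main__":
    for name, leaked in demo().items():
        print(f"{name}: {'YES' if leaked else 'no'}")
```

With secure_delete off, the deleted report no longer appears in any query but is still sitting in the free block of the table's page, so a byte search finds it; after VACUUM, or with secure_delete on from the start, it is gone. Turning secure_delete on costs extra writes on every delete, which is why it is off by default, so decide deliberately for tables that hold sensitive rows.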
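As an added example (not part of the tutorial), here is a minimal header/footer carver in Python for the JPEG case just described: it scans a raw byte image for each FF D8 start-of-image marker and the FF D9 end-of-image marker that follows it. The "disk image" it runs over is constructed inline from filler bytes and JPEG-shaped blobs, and it also handles a picture whose tail was overwritten, which a carver must report as incomplete rather than skip.

```python
from __future__ import annotations

JPEG_SOI = b"\xff\xd8\xff"  # Start Of Image, followed by the 0xFF that opens the next segment
JPEG_EOI = b"\xff\xd9"      # End Of Image


def carve_jpegs(image: bytes) -> list[tuple[int, bytes, bool]]:
    """Return (offset, data, complete) for every SOI..EOI span in a raw image.

    If an SOI has no EOI after it, the rest of the image is returned with
    complete=False so a truncated picture is still reported.
    """
    found: list[tuple[int, bytes, bool]] = []
    pos = 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0:
            found.append((start, image[start:], False))
            break
        end += len(JPEG_EOI)
        found.append((start, image[start:end], True))
        pos = end
    return found


def fake_jpeg(scan_data: bytes) -> bytes:
    """Constructed JPEG-shaped blob: SOI, a JFIF APP0 segment, stand-in scan data, EOI."""
    app0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return b"\xff\xd8" + app0 + scan_data + b"\xff\xd9"


# Constructed "disk image": filler, two intact pictures, then one cut off before its EOI.
DISK_IMAGE = (
    b"\x00" * 64
    + b"unrelated file data "
    + fake_jpeg(b"\x12\x34" * 8)
    + b"\xff" * 16
    + fake_jpeg(b"\xab\xcd" * 4)
    + b"\x00" * 32
    + fake_jpeg(b"\x56\x78" * 6)[:-6]   # truncated: last scan bytes and EOI are missing
)


if __name__ == "__main__":
    for offset, data, complete in carve_jpegs(DISK_IMAGE):
        state = "complete" if complete else "TRUNCATED"
        print(f"offset {offset}: {len(data)} bytes, {state}")
```

Two caveats worth knowing before trusting the output: real JPEGs with EXIF data embed a thumbnail that has its own SOI and EOI, so a naive scan like this stops at the thumbnail's end, and FF D9 can legitimately appear inside other binary data; dedicated tools such as Scalpel add size limits and format parsing to cope with both.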
Here are a few details on how to recover deleted data:
- There is some valuable information about SQLite file carving here.
- Scalpel is an open-source file carving tool.
- DiskDigger is an automated recovery tool available for Android. It scans the device for photos, documents, music and videos.
- An example of a commercial tool for viewing and recovering SQLite records is sqliteviewer.
So now you've looked at all the user data inside the app, but the investigation doesn't stop there. You can get a lot of information by analyzing the app itself. This includes the code and the files Android Studio bundles into the APK.
When you build the app, Android Studio produces an APK file. This is like a zip file with a structure similar to a Java jar file. Inside the archive are resources along with a DEX file. DEX stands for Dalvik Executable.
When Android Studio compiles your app, it puts the code in that DEX file, named classes.dex. It contains bytecode, an intermediate set of instructions that a Java Virtual Machine (JVM) runs, or that ART (Android Runtime) later converts to native code. So what are the JVM and ART?
Apps run on a Java Virtual Machine. Traditionally, the JVM on Android was Dalvik. In recent years, Android has replaced Dalvik with ART for performance reasons. ART converts DEX to native code by running the Dex2Oat tool to create a native ELF binary.
So now you may be thinking: because this is a Kotlin app, reverse engineering it must be complex.
But the good news is that, like Java, Kotlin is a JVM language. While Kotlin has its own syntax, the kotlinc compiler converts the code into a DEX file containing Java bytecode. Because kotlinc compiles Kotlin to the same bytecode as Java, most of the reverse engineering tools are the same as for apps built in Java!
So now you think – enough theory already. Show me an example!
Open the file ReportDetailActivity in Android Studio. Find sendReportPressed() at the bottom.
Here's what happens in the method:
- You add the report to the local database.
- You prepare a network request to send the report. APIs usually have a client ID and a private token so that only authorized apps can make the network call. Because Snitcher is just an example, the network call never completes.
- You inform the user that the process is complete.
Go to the top of the file and note that the authorization details have been added to the companion object:
You may think this is fine because Android Studio compiles the code and the end user never sees it. However, forensic investigators can easily find and use these authorization details to steal data. You can even use Android Studio to find them!
Android Studio includes a tool called APK Analyzer, which lets you inspect your finished app. It presents a view with a summary of what is inside your package. It also lets you see the bytecode for your app.
Start the analyzer by selecting Build ▸ Analyze APK to open a file system dialog. If necessary, navigate to the debug folder snitcher-final/app/build/outputs/apk/debug. Select the file app-debug.apk and click OK to open the APK Analyzer:
Note: If the APK file is missing, select Build ▸ Build Bundle(s) / APK(s) ▸ Build APK(s) to generate it.
In the APK Analyzer, select the file classes.dex. Navigate to com ▸ raywenderlich ▸ android ▸ snitcher:
Right-click ReportDetailActivity and select Show Bytecode:
You will see the static field section:
Note that the secret token is clearly visible! This allows someone to impersonate your app when making the network API call.
Attackers also reverse engineer applications hoping to patch out or unlock security checks in the code.
A good example is a feature that is only available with a paid subscription or after a user reaches a certain level in a game. By reverse engineering the app, a hacker can find ways to access these without going through the security checks.
Sometimes hackers don't patch the app at all but instead steal intellectual property or clone it. Or they might abuse a private API.
Therefore, you should never store sensitive API keys, tokens or passwords anywhere in the APK. Instead, these items should be sent to the app, encrypted, only after the user has been authorized.
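One check a developer can run before every release is to scan the built classes.dex for string constants that look like tokens, which is the same thing an investigator would find in the static field section. The Python script below is an added example, not part of the tutorial or the Snitcher project: it walks the DEX string table (string_ids at header offset 0x38/0x3C, each entry pointing at a ULEB128 length followed by the string bytes) and flags long, opaque, high-entropy constants. Because it needs a DEX to run on offline, it also builds a constructed, non-loadable stand-in whose only populated section is the string table; the class name and the token value in it are invented.

```python
from __future__ import annotations
import math
import re
import struct
import zipfile

HEADER_SIZE = 0x70           # the dex header is always 0x70 bytes
STRING_IDS_SIZE_OFF = 0x38   # header field: number of string_id_items
STRING_IDS_OFF_OFF = 0x3C    # header field: offset of the string_ids table


def _uleb128(value: int) -> bytes:
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def _read_uleb128(data: bytes, pos: int) -> tuple[int, int]:
    result = shift = 0
    while True:
        byte = data[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7


def build_minimal_dex(strings: list[str]) -> bytes:
    """Constructed stand-in for classes.dex: real header layout, only the string table filled."""
    ids_off = HEADER_SIZE
    data_pos = ids_off + 4 * len(strings)
    offsets, items = [], []
    for s in strings:
        item = _uleb128(len(s)) + s.encode("utf-8") + b"\x00"   # ASCII, so MUTF-8 == UTF-8
        offsets.append(data_pos)
        items.append(item)
        data_pos += len(item)
    body = b"".join(struct.pack("<I", o) for o in offsets) + b"".join(items)
    header = bytearray(HEADER_SIZE)
    header[0:8] = b"dex\n035\x00"
    struct.pack_into("<I", header, 0x20, HEADER_SIZE + len(body))   # file_size
    struct.pack_into("<I", header, 0x24, HEADER_SIZE)               # header_size
    struct.pack_into("<I", header, 0x28, 0x12345678)                # endian_tag (little-endian)
    struct.pack_into("<I", header, STRING_IDS_SIZE_OFF, len(strings))
    struct.pack_into("<I", header, STRING_IDS_OFF_OFF, ids_off)
    return bytes(header) + body


def dex_strings(dex: bytes) -> list[str]:
    """Follow string_ids -> string_data_item and return every string constant in the DEX."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a dex file")
    count, ids_off = struct.unpack_from("<II", dex, STRING_IDS_SIZE_OFF)
    result = []
    for i in range(count):
        (data_off,) = struct.unpack_from("<I", dex, ids_off + 4 * i)
        _utf16_len, pos = _read_uleb128(dex, data_off)
        end = dex.index(b"\x00", pos)
        result.append(dex[pos:end].decode("utf-8", errors="replace"))
    return result


def shannon_entropy(s: str) -> float:
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


# One opaque token: letters, digits, -_+= only (no dots, slashes or spaces,
# which would match class names, paths and UI text).
TOKEN_SHAPE = re.compile(r"^[A-Za-z0-9_\-+=]+$")


def find_secret_like(strings: list[str], min_len: int = 20, min_entropy: float = 3.5) -> list[str]:
    """Flag constants that are long, token-shaped and high-entropy, like API keys."""
    return [s for s in strings
            if len(s) >= min_len and TOKEN_SHAPE.match(s) and shannon_entropy(s) >= min_entropy]


def scan_apk(apk_path: str) -> list[str]:
    """The same check on a real build output: an APK is a zip containing classes*.dex."""
    flagged = []
    with zipfile.ZipFile(apk_path) as zf:
        for name in zf.namelist():
            if name.startswith("classes") and name.endswith(".dex"):
                flagged.extend(find_secret_like(dex_strings(zf.read(name))))
    return flagged


# Constructed string table: a class descriptor, field and method names, UI text,
# one invented token that should be flagged, and a long but low-entropy constant.
SAMPLE_CONSTANTS = [
    "Lcom/example/snitcher/ReportDetailActivity;",
    "CLIENT_ID",
    "SECRET_TOKEN",
    "sendReportPressed",
    "Report saved locally",
    "ex4mpl3-t0k3n-A7q9Zr2Lm8Vb1Kd6Xs",
    "0000000000000000000000",
]


def scan_sample() -> list[str]:
    return find_secret_like(dex_strings(build_minimal_dex(SAMPLE_CONSTANTS)))


if __name__ == "__main__":
    print("flagged:", scan_sample())
```

Only the invented token is flagged: the class descriptor and message text fail the shape test, the field names are too short, and the run of zeros has no entropy. Entropy heuristics do produce false positives on identifiers and base64-encoded resources, so treat the output as a review list for the release checklist rather than a verdict, and pair it with the real fix the text gives: keep the secret off the device entirely.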
Using Reverse Engineering Tools
You have just reverse engineered code, and it was easy because you had the original project open in Android Studio. But this is not the only way to see the bytecode.
As long as you can get hold of an APK, whether by the methods you learned earlier or by downloading one from a site like APKMirror, you can decompile the code without having the Android Studio project. ApkTool converts the entire Android package back into a workable form, including all of its resources and code. There are also online versions that will do this.
smali/baksmali is a set of tools for converting bytecode into another intermediate but more readable language. From there, you can convert the code back to Java.
There are also many other tools you can use:
- Android Asset Packaging Tool can dump the Android Manifest file.
- You can use AXMLPrinter2 to analyze Android binary XML formats.
- Use Dex2Jar to convert a DEX file to standard Java CLASS files.
- You can get all the class names and most of the source code by opening a folder in JD-GUI.
- Dextra supports ART and OAT.
- Jadx lets you browse decompiled DEX code. It also decompiles most of an entire project.
- JAD converts Java Class files back to source files.
As you can see, it is relatively easy for anyone to do this. Therefore, it is also a good idea to rename sensitive methods such as setUserAuthenticated() to something more innocuous.
Developers use obfuscation to hide proprietary logic or secret algorithms. Sometimes developers use manual obfuscation such as string splitting, dummy code, disguising method names or using reflection to muddy the app's flow.
Look at the Getting Started with ProGuard guide to learn how to obfuscate your code.
Working with Locked Devices
So you've learned how to extract data from an app and picked up some tips on how to secure it. From a forensic point of view, these skills are useless when the user has locked the device with a password. To gain access, you must bypass the security.
Breaking into devices is beyond the scope of this tutorial, but here is a brief summary:
A very important goal in forensics is to prevent tampering with evidence. Tampered evidence is not admissible in court. To avoid this, it is best to change the device as little as possible. You should copy the data as soon as possible and work with it away from the original device.
It is also important to maintain the current state of the device. For example, a device is much harder to access once the battery has drained and the device has turned off.
It is a trade-off between gaining access and modifying the part of the device that secures it. Still, almost all solutions for accessing a locked device involve messing with it.
Rooting and Unlocking the Bootloader
Rooting means gaining access to the root account of the device to bypass its restrictions.
There are many tools for rooting a device, such as OneClickRoot, KingoRoot and SuperUserDownload.
Rooting usually involves flashing a partition on the device, such as a custom recovery image. Some examples are Twrp.me and ClockworkMod Recovery.
These tools do not work if the manufacturer has locked the bootloader. A locked bootloader prevents anyone from modifying the firmware.
Usually the manufacturer signs the image with a private key. This way, you cannot flash unsigned code onto the device. There are OEM bootloader unlock commands, but they wipe the device.
To root a device with a locked bootloader, you must exploit a vulnerability in the operating system. This also applies to iOS, where most jailbreaks originate from a known exploit.
Some previous examples of Android vulnerabilities are:
To see an up-to-date list of amusingly named Android vulnerabilities, see Android Utilities.
Bypassing the Lock Screen
Another way to hack an Android device is to bypass the lock screen. Users often use a pattern, a PIN or Smart Lock with a trusted face to secure their devices.
- Android stores the pattern lock in /data/system/gesture.key.
- The OS stores a hash of the PIN or password in /data/system/password.key.
- Android salts these and stores them in /data/system/locksettings.db.
Tools such as andriller and androidpatternlock attempt to crack these files.
While you don't want to alter evidence, you can bypass some lock screens by deleting these files. You can also experiment with LiME to extract passwords and keys from memory.
Where to go from here?
Congratulations! You've scratched the surface of how to hack an Android app using forensic analysis. :]
To learn how to secure the data, continue to the encryption guide for Android.
Code protection tools such as DexGuard offer obfuscation and encryption of classes and strings, as well as assets and resource files. DexGuard also provides app integrity checks.
Reverse engineers also look at the data an app sends and receives over the network to understand how the app works. To learn more about how that works and how to secure the data, see the Network Data guide.
For a deeper dive into advanced forensic techniques:
If you are interested in professional reverse engineering, some popular commercial products are:
- IDA Pro: You can disassemble and debug Dalvik code since IDA Pro v6.1. IDA works well because of its scripting support and because it has a graph view that shows the flow of the app. There are also a lot of scripts that people have written to help untangle obfuscated code.
- JEB: JEB understands the ARM and ELF formats. It has a powerful user interface for both Dalvik and native code.
Last but not least, check out Drozer. It lets you assume the role of an Android app and interact with other apps. One of the modules in Drozer, app.package.manifest, analyzes the manifest file and displays it on screen.
If you have any questions, please ask in the discussion below.