Evaluating websites is one of my core areas. I have several tools to help me out: some commercially available ones and a couple of self-made ones. Nothing beats human ingenuity, though. However, being tasked with a black-box evaluation of some Android apps, I quickly had to put together a way of taking an APK apart and peeking inside. Lacking the tools needed, I set out on a quest to extend my tool chain.
- A browser of your choice. Mine is Chrome. For whatever reason.
- 7-Zip, or another extraction tool, for unpacking the Android APK Tool archive
- Android APK Tool
- APK Downloader (online downloader)
- Notepad++, or something similar
There is not much to set up other than downloading said tools and extracting the Android APK Tool (and making sure that your computer meets its requirements).
Getting an APK
- Find an app of your choice by searching for it on play.google.com
- On the app's page, copy the URL
- Paste the URL from step 2 into the search field on the APK Downloader site and follow the on-screen instructions.
The decompiling is done with the Android APK Tool. The tool is written in Java and is run from the command line.
Fire up your terminal, DOS prompt or PowerShell and navigate to where you extracted the Android APK Tool.
Execute the following:
java -jar apktool.jar d <app.apk> -o <output-folder>
The decompiled source files can now be found in the output folder you specified. Use Notepad++ or similar to view the content.
What I found
The first app did contain some interesting stuff. Buried in a resource folder I found a Python script to generate a local database. The script contained a hard-coded username and password.
This is interesting! Googling the password revealed that it is the name of a well-known European comics character. The developer behind it might be a comics fan, which could make the password easier to guess the next time one of his apps comes along.
The paired username and password are also interesting because of recycling: they might be the default credentials for many other things. Yeah, it is quite dumb to reuse the same username and password across services. But it happens. A lot.
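Reading every decoded file in Notepad++ does not scale, so here is a small scanner, added as an example and not part of the author's tool chain, that walks an apktool output folder and flags lines that look like hard-coded credentials of the kind described above (a username/password assignment in a bundled script, or a sensitive string resource). The sample tree it builds is constructed for the demonstration; the file names, values and regex patterns are assumptions, and every hit still needs a human to confirm it.

```python
import re
import sys
import tempfile
from pathlib import Path

# Heuristic markers for hard-coded credentials in decoded APK resources. Checked in order;
# the first matching label wins. The regexes are deliberately loose, so hits need manual review.
CREDENTIAL_PATTERNS = [
    ("password assignment", re.compile(r"""(pass(word|wd)?|pwd|secret)\w*\s*[:=]\s*["'][^"']+["']""", re.I)),
    ("username assignment", re.compile(r"""(user(name)?|login)\w*\s*[:=]\s*["'][^"']+["']""", re.I)),
    ("sensitive string resource",
     re.compile(r"""<string\s+name="[^"]*(pass|pwd|secret|token|api_?key)[^"]*">[^<]+</string>""", re.I)),
]
# Compiled or binary artifacts that apktool leaves in the tree and that are not worth regex-scanning.
BINARY_SUFFIXES = {".png", ".jpg", ".webp", ".dex", ".so", ".ttf", ".arsc", ".jar"}

def scan_decoded_apk(root):
    """Walk an apktool output tree; return (relative path, line number, label, line) for each hit."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if path.suffix.lower() in BINARY_SUFFIXES:
            continue
        text = path.read_text(encoding="utf-8", errors="ignore")
        for lineno, line in enumerate(text.splitlines(), start=1):
            for label, pattern in CREDENTIAL_PATTERNS:
                if pattern.search(line):
                    findings.append((path.relative_to(root).as_posix(), lineno, label, line.strip()))
                    break
    return findings

def build_sample_tree():
    """Constructed stand-in for an apktool output folder; nothing here comes from a real app."""
    root = Path(tempfile.mkdtemp(prefix="apk_decoded_"))
    (root / "res" / "raw").mkdir(parents=True)
    (root / "res" / "values").mkdir()
    # Constructed: a bundled database-setup script with a hard-coded login.
    (root / "res" / "raw" / "create_db.py").write_text(
        'import sqlite3\nDB_USER = "appadmin"\nDB_PASSWORD = "placeholder-not-real"\n'
        'conn = sqlite3.connect("local.db")\n')
    # Constructed: string resources, one harmless and one that should be flagged.
    (root / "res" / "values" / "strings.xml").write_text(
        '<?xml version="1.0" encoding="utf-8"?>\n<resources>\n'
        '    <string name="app_name">Demo App</string>\n'
        '    <string name="api_key">placeholder-key</string>\n</resources>\n')
    return root

if __name__ == "__main__":
    # Pass the apktool output folder as the first argument; without one, the constructed sample is scanned.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for rel, lineno, label, line in scan_decoded_apk(target):
        print(f"{rel}:{lineno}: {label}: {line}")
```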
The second app wasn't all that exciting. The only thing I could figure out was that the makers had reused some code from other apps, and that it made some REST calls. REST calls are always interesting, both for figuring out how things work and for testing the security of the calls themselves. Code reuse is also interesting, since a security hole may then be present in several apps from the same maker. All in all, app 2 did not contain much interesting stuff.
All testing was done with permissions from the makers.