Part 1 – Reverse engineering using Androguard

By -

Welcome to the very first article of this series on “Reverse Engineering android applications”. To read an overview of the series, refer to the serious announcement blog post.

“Learning is no harm, even if done by Reverse Engineering”

As quoted above, learning is no harm, if reverse engineering is done for the learning and analysis purpose. If you want to see how reverse engineering done using basic tools which are famous among android developers, refer to the Part 9: Reverse engineering android application blog post shared by Paresh in lazy android developers series.

In this part, we shall cover how reverse engineering can be done by using Androguard, how to download and setup Androguard and how to decompile an apk using Androguard. We would look into the deep analysis in future parts of this series.

In this Part

Reverse Engineering using Androguard

  • What is Androguard
  • How to download and install Androguard
  • How to decompile an apk using Androguard

I would request you to watch this demo video on what we are going to learn in this article.

What is Androguard?

Androguard is a python based tool, which can run on Linux/Windows/OSX, provided python is installed in the system. Check: http://code.google.com/p/androguard/

It is powerful tool to disassemble and to decompile android apps. It can be used for the Static Analysis of an application. If you are wondering what is static Analysis, refer this Stackoverflow answer Static code analysis . We often use code obfuscators. Using any reverse engineering tool we can measure the obfuscation level and can converts Android xml files to readable format. We will see all these details later in this article.

How to Download and Install Androguard?

Remark: Linux system is used while performing the tutorial. Wherever needed, steps for windows system would be mentioned.

Download it as a Virtual Machine (Advisable for Windows Users)

Remark:“It is advisable for windows users to download this Virtual Machine, because managing all prerequisites for the Androguard, is headache in Windows”.

Directly download the full pack Virtual machine with all modules required to run the tool.

  • A.R.E (Android Reverse Engineering) Virtual Machine is the easiest way to get all the set of tools for Android malware analysis and Reverse Engineering including Androguard. Refer this document on downloading A.R.E virtual machine: https://redmine.honeynet.org/projects/are/wiki
  • You can use Androguard directly from Santoku distribution. Santoku is a Linux Distribution, with complete suit of tools of Mobile Forensics, Mobile Security, Reverse Engineering and Mobile malware analysis. Download and run Santoku as a Virtual machine. Refer this document on downloading Santoku https://santoku-linux.com/download

Note:If you have downloaded any of above virtual machine, then directly skip the download steps for Ubuntu system and go to installation directly.

Downloading in Ubuntu/Debian system

Before we proceed further for the installation, let’s check out the prerequisites in the system.

sudo easy_install ipython
sudo easy_install pygments

Now download & install Androguard. We can use either of the ways:

  • Using Mercurial version
    • Make sure Mercurial is installed in your system. Follow this docs for installation of mercurial. http://mercurial.selenic.com/wiki/Download
    • Run this command into Terminal or Command line in windows.
      hg clone https://androguard.googlecode.com/hg/ androguard
      

      hg clone androguard

  • Using Git
    • Androguard project is available on GitHub, we can use git clone in terminal or command line to install Androguard.
      git clone https://github.com/androguard/androguard.git
      

      git clone androguard

Installing the Tool:

If you have downloaded the A.R.E (Android Reverse Engineering) virtual machine, start the virtual machine with username and password provided at A.R.E website and navigate to Androguard folder.
If you have downloaded Androguard in live system using hg or git, navigate to the Androguard folder or just copy it to any handy location and navigate to it.

Simply fire the setup.py in with install command.

sudo python setup.py install (For Linux)

sudo python installing androguard

Note: Make Sure you have followed all steps required for installation, as actual work begins from here!

Let’s Run Androguard – Decompiling the app

Androguard supports 3 decompilers.

  • DAD
  • dex2jar + jad
  • DED

To know about each of them in detail follow this document on Decompilers. In this part, we will cover how to use the DAD Decompiler in Androguard.

Step 1: Run this command in terminal

./androlyze.py -s

androlyze androguard

Step 2: This command will start own input prompt, waiting for input.
androlyze - 2 - androguard
Now let’s define the path of apk and type of decompiler we want to use to decompile the app.

Input this command into the prompt and replace path_to_apk with path of the apk we want to analyse.

a,d,dx = AnalyzeAPK("path_to_apk", decompiler="dad")

androlyze androguard - analyze apk

Remark:In this example we have used anonymous app “demo.apk”.

Depending on the apk, it might take some time to execute and after successful execution of command, it will prompt for APK or DVM specific commands.

androlyze androguard - analyze apk 2

Let’s examine list of all Activities in the app. Enter this command in input prompt, it will display all activities in app as output.

a.get_activities()

androguard get_activities()

To get list of all permissions as output, input this command:

a.get_permissions()

androguard get_permissions

To get list of all class names as output, input this command:

d.get_classes_names()

To get list of all strings defined in app as output, input this command:

d.get_strings()

To get list of all methods in a class as output, input this command:

d.get_methods()

Refer to this document for all such APK (a.get) and DVM (d.get) specifics commands.

In Summary

This bring us to the end of this part. In this part, we talked about Androguard, how to download and install it and we have also talked about decompiling an apk using Androguard. We shall talk about doing deep analysis using Androguard and other tools in the next part.

Harsh Dattani

Freelance android developer, pursuing masters in Cyber Security and Co-organizer at Google Developers Group Baroda

Loading Facebook Comments ...
Loading Disqus Comments ...