Introduction
Mobile applications are often viewed as black-box applications. However, these applications often suffer from the same (or similar) vulnerabilities as their web application counterparts.
In a previous post, I showed how we can perform dynamic analysis on iPhone applications by intercepting the inbound/outbound traffic with the Burp proxy. In this post, we'll explore static analysis of Android apps by looing at a couple of online tools that make decompiling apps into equivalent Java and Smali code trivial.
Step One: Get the APK
Show Java - A Java Decompiler FREE A decompiler to extract the source code of an APK (android app), jar & dex file. Features. Select either CFR 0.138, JaDX 0.8.0 or FernFlower (analytical decompiler) to use as the decompiler. Runs directly on your. Decompile an Android APK Android App Decompiler is a useful Tool to unextract and decompiles Android APK. When you runed the Decompiler than created an folder with all Files from then APK and the dex (dalvik executable format) being converted to an jar file. You must only now use an Java Decompiler like jd-gui and you have all files of the App.
The first step in analyzing an Android app is to get the actual APK that's loaded onto the device. Fortunately, there is a site called APK Downloader which allows us to do just that. Download xcode for mac. By getting the link to the app of your choice from the Google Play Store and pasting it into APK Downloader, you can download a local copy of the app APK.
Step Two: Unpack and Decompile
After we have the APK, we need to unpack and decompile the contents into its equivalent Java code. This used to be a pretty lengthy process using tools such as the android apktool. Fortunately for us, someone has also setup a web-based service which automatically performs the decompilation process on a given APK.
How To Decompile An Apk
By uploading the APK to decompileandroid.com, the user will be presented with the option to download the decompiled contents of the app, including the Java source code. Awesome.
Things to Look For
Decompiling Android apps can allow researchers to analyze the exact code that is running on the app for vulnerabilities, as well as reveal any hardcoded credentials or other sensitive data. For example, in June of 2014, researchers from Columbia university created a tool called PlayDrone which automatically crawled thousands of Android apps found on the Google Play store and discovered the existence of sensitive credentials in many of them.
How To Decompile Code
Conclusion
Hopefully this short post not only shows researchers how to easily decompile Android apps, but also sends a gentle reminder to app developers that the source code of the app can easily be recovered. As such, precautions should be taken to ensure there is no sensitive information 'hidden in plain sight'. As always, leave any questions or comments below!
-Jordan (@jw_sec)
Eltima team is glad to announce that new build of Flash Decompiler Trillix for Mac was recently released! Please welcome Flash Decompiler 4.1 for Mac, which now provides all Mac users with an option to decompile files created in Flash 10. Flash 5, 6, 7, 8, 9 are of course supported, as well as Flex!
We've also implemented new build of Flash'in'App (version 2.5) into Flash Decompiler Trillix. So now Flash Decompiler offers you more options while working with Flash, such as possibility to disable 'hand cursor' or mute option, etc.
Besides functional improvements, we've added German, Russian and French localizations, so now Flash Decompiler becomes more and more international :)
We've enhanced Flash Decompiler for Mac greatly, but anyway we are open for your ideas and suggestions!
Android App Decompile
In a previous post, I showed how we can perform dynamic analysis on iPhone applications by intercepting the inbound/outbound traffic with the Burp proxy. In this post, we'll explore static analysis of Android apps by looing at a couple of online tools that make decompiling apps into equivalent Java and Smali code trivial.
Step One: Get the APK
Show Java - A Java Decompiler FREE A decompiler to extract the source code of an APK (android app), jar & dex file. Features. Select either CFR 0.138, JaDX 0.8.0 or FernFlower (analytical decompiler) to use as the decompiler. Runs directly on your. Decompile an Android APK Android App Decompiler is a useful Tool to unextract and decompiles Android APK. When you runed the Decompiler than created an folder with all Files from then APK and the dex (dalvik executable format) being converted to an jar file. You must only now use an Java Decompiler like jd-gui and you have all files of the App.
The first step in analyzing an Android app is to get the actual APK that's loaded onto the device. Fortunately, there is a site called APK Downloader which allows us to do just that. Download xcode for mac. By getting the link to the app of your choice from the Google Play Store and pasting it into APK Downloader, you can download a local copy of the app APK.
Step Two: Unpack and Decompile
After we have the APK, we need to unpack and decompile the contents into its equivalent Java code. This used to be a pretty lengthy process using tools such as the android apktool. Fortunately for us, someone has also setup a web-based service which automatically performs the decompilation process on a given APK.
How To Decompile An Apk
By uploading the APK to decompileandroid.com, the user will be presented with the option to download the decompiled contents of the app, including the Java source code. Awesome.
Things to Look For
Decompiling Android apps can allow researchers to analyze the exact code that is running on the app for vulnerabilities, as well as reveal any hardcoded credentials or other sensitive data. For example, in June of 2014, researchers from Columbia university created a tool called PlayDrone which automatically crawled thousands of Android apps found on the Google Play store and discovered the existence of sensitive credentials in many of them.
How To Decompile Code
Conclusion
Hopefully this short post not only shows researchers how to easily decompile Android apps, but also sends a gentle reminder to app developers that the source code of the app can easily be recovered. As such, precautions should be taken to ensure there is no sensitive information 'hidden in plain sight'. As always, leave any questions or comments below!
-Jordan (@jw_sec)
Eltima team is glad to announce that new build of Flash Decompiler Trillix for Mac was recently released! Please welcome Flash Decompiler 4.1 for Mac, which now provides all Mac users with an option to decompile files created in Flash 10. Flash 5, 6, 7, 8, 9 are of course supported, as well as Flex!
We've also implemented new build of Flash'in'App (version 2.5) into Flash Decompiler Trillix. So now Flash Decompiler offers you more options while working with Flash, such as possibility to disable 'hand cursor' or mute option, etc.
Besides functional improvements, we've added German, Russian and French localizations, so now Flash Decompiler becomes more and more international :)
We've enhanced Flash Decompiler for Mac greatly, but anyway we are open for your ideas and suggestions!
Android App Decompile
Discover new decompilation possibilities with Flash Decompiler 4.1 for Mac!
