How to: Testing Android Application Security, Part 4

One of the best ways to develop secure Android applications is to engage in penetration (pen) testing, in effect trying to break into your application just as an attacker might do. This is the fourth in a series of posts on pen testing Android applications. In the first we set up the testing environment and captured traffic. In the second, we discussed some tools and proxy techniques—Drozer, Apktool, and a “man in the middle” proxy—that come in handy during a security review of Android applications. In the third, we looked at reviewing Android’s manifest file.

During pen testing of Android applications it is often necessary to modify the app’s source code to bypass SSL pinning, check tampering protection, bypass application logic, and perform other steps. In this article, we cover the process for modifying that code successfully.

Tools required

  • Download and set up Apktool
  • Jarsigner
  • JD-GUI

 

Step 1: Convert the code into Smali format

Set up Apktool and use the following command to disassemble the APK. We used the test application Sieve.

apktool d <your apk path here> -o <output path>


The disassembled APK folder contains the Smali files, which can be modified using any text editor.

You can also use JD-GUI (after converting the classes.dex file into .jar format) to identify the classes or methods you want to modify, and then patch the corresponding Smali files.

Step 2: Repack the APK

After modifying the Smali code, you must repack the APK. Use the following command:

apktool b <disassembled apk path> -o <output apk path>

Android requires every APK to be signed. Any unsigned binary results in a parsing error. Thus the next step is to create a key pair and sign the APK with it.

Step 3: Create the key and sign the APK

Keytool and Jarsigner come packaged in the Java Development Kit bundle and are required to complete this step. Use this command to generate the key:

keytool -genkey -v -keystore mykey.keystore -alias <Any alias name> -keyalg RSA -keysize 2048 -validity 10000


After you answer the series of questions that follow, a keyfile (mykey.keystore) is created in the C:\Users\<username> directory.

Once the key pair is created, the APK can be signed using the following command, passing the same alias that was given to keytool:

jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore mykey.keystore <apk path> <alias name>

After completing all the steps, the repacked APK can be successfully installed on the device.
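Why Step 3 is needed, as an added example (not from the original post): jarsigner records a digest of every file in META-INF/MANIFEST.MF, so once a Smali change alters classes.dex the old digests no longer match. The Python sketch below checks that consistency on a constructed in-memory ZIP; the function names and sample bytes are assumptions, and it does not verify the signature over the manifest itself.

```python
import base64, hashlib, io, zipfile

# Digest attribute names written by jarsigner, mapped to hashlib names.
DIGESTS = {"SHA1-Digest": "sha1", "SHA-256-Digest": "sha256"}

def parse_manifest(text):
    """Return {entry name: (hashlib algorithm, base64 digest)} from MANIFEST.MF."""
    # Lines longer than 72 bytes continue on the next line after one space.
    text = text.replace("\r\n", "\n").replace("\n ", "")
    entries = {}
    for section in text.split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in section.split("\n") if ": " in l)
        for key, algo in DIGESTS.items():
            if "Name" in attrs and key in attrs:
                entries[attrs["Name"]] = (algo, attrs[key])
    return entries

def check_apk(apk):
    """Compare every file in the APK with the digest recorded in its manifest."""
    with zipfile.ZipFile(apk) as z:
        names = [n for n in z.namelist() if not n.endswith("/")]
        if "META-INF/MANIFEST.MF" not in names:
            return {"has_manifest": False, "modified": [], "unlisted": []}
        entries = parse_manifest(z.read("META-INF/MANIFEST.MF").decode("utf-8"))
        modified, unlisted = [], []
        for name in names:
            if name.startswith("META-INF/"):
                continue  # simplification: skip the signature files themselves
            if name not in entries:
                unlisted.append(name)  # file added after signing
                continue
            algo, expected = entries[name]
            actual = base64.b64encode(hashlib.new(algo, z.read(name)).digest()).decode()
            if actual != expected:
                modified.append(name)  # content changed after signing
    return {"has_manifest": True, "modified": modified, "unlisted": unlisted}

def build_sample(dex, manifest_dex=None):
    """Constructed sample: an in-memory ZIP standing in for an APK."""
    digest = base64.b64encode(hashlib.sha1(manifest_dex or dex).digest()).decode()
    manifest = "Manifest-Version: 1.0\r\n\r\nName: classes.dex\r\nSHA1-Digest: %s\r\n\r\n" % digest
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        z.writestr("classes.dex", dex)
    buf.seek(0)
    return buf
```

A repacked and re-signed APK passes this check because its digests are regenerated, so detecting such a build means comparing its signing certificate with the expected one.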

In our next post we will focus on obtaining and analyzing the Android memory dump for sensitive information.