IEEE Day 2013 - Reverse Engineering an Android Application
1. IEEE Day 2013
Rufat BABAKISHIYEV
Software Engineer
Komtec LTD
mr.rufatet@yahoo.com
01 October 2013, Qafqaz University
Reverse Engineering an
Android Application
2. Plan
October 2, 2013
Reverse Engineering & Forensic research
Review of Android OS Architecture
Yahoo Email Client Application
Research questions
Decompiling the Application
File System
Database and files of Yahoo Email Android Client
Attachment files of Email Application
Compare App Info
Uninstall Yahoo Email Android Client
Security Warnings
Acronyms
Bibliography (references)
3. Reverse Engineering & Forensic research
Reverse engineering, in computer programming, is a technique used to analyze software in order to identify and understand the parts it is composed of. The usual reasons for reverse engineering a piece of software are to recreate the program, to build something similar to it, to exploit its weaknesses or to strengthen its defenses.
Forensic Science - the word forensic comes from the Latin forensis: public; of the forum or public discussion; argumentative, rhetorical, belonging to debate or discussion. Forensic research on an application therefore asks what evidence (artifacts) it leaves on the device and how that evidence can be collected and interpreted.
4. Review of Android OS Architecture
Android relies on the Linux kernel (the 2.6 series at the time of this talk) for core system services such as security, memory management, process management, the network stack and the driver model. It does not include the full set of standard Linux utilities.
Android provides a number of system libraries written in C/C++ which are made accessible through the Application Framework. Note that Android does not provide the complete functionality of the standard GNU C library found on Linux. The libraries provided by Android include the Surface Manager, Media Framework, SQLite, WebKit and OpenGL.
The Dalvik Virtual Machine (VM) is the core runtime component of Android. It is a process-based, register-architecture virtual machine optimized for a low memory footprint and efficient execution; each application runs in its own VM instance. The VM runs classes that were compiled by a Java compiler and then transformed into the Dalvik Executable (.dex) format by the SDK's "dx" tool.
An Android application is composed of four types of components: Activity, Service, Content Provider and Broadcast Receiver.
In the Applications layer we have the applications that developers create and users use.
6. Yahoo Email Client Application
Why Yahoo?
Yahoo Email is one of the most widely used email applications: its Google Play download count is in the 50,000,000 to 100,000,000 range, which is a very large install base. The application runs on practically any Android device, since it can be installed on any device with Android 2.2 or later.
7. Research questions
What files are created after installation?
What files are deleted after uninstallation?
What data is synchronized by the app?
What data is available for offline use?
How is the SQLite database used?
How are cache and memory managed?
8. Decompiling the Application
First the Yahoo app is downloaded from the market and installed. For our research we need the app's .apk file, so we also download and install ES File Explorer.
After launching ES File Explorer, choose "Tools" from the sliding menu and then "Manager"; all of the user's applications are shown in a grid view. Long-press Yahoo Email to select it; a tab bar appears at the bottom, where the "Backup" item writes the .apk file into the backups folder on the SD card.
9. Decompiling the Application
Apktool - decodes an .apk file into an Android project (unfortunately not .class files; the code comes out as .smali disassembly of the .dex bytecode).
Dex2jar - converts the .dex code inside an .apk file into a .jar file.
JD-GUI - decompiles the .jar file and shows the recovered Java source code.
Reverse .apk file to Android Project
10. Decompiling the Application
With JD-GUI we can browse the source code of the Yahoo Email Android Client.
The decompiled code is obfuscated (classes, methods and fields carry meaningless short names), so little can be understood from the source code directly.
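Before handing an .apk to Apktool or Dex2jar it is worth checking what the archive actually contains and that the classes.dex inside it is intact: an APK is a ZIP file, and every .dex header carries an Adler-32 checksum and a SHA-1 over the rest of the file, so a pulled or backed-up .dex that was truncated or patched can be spotted before decompilation. The following is an added example written for this talk, not code from the slides or from Yahoo's application. It constructs a minimal, header-only classes.dex and a placeholder APK in memory so it runs offline; point `inspect_apk()` at a real .apk pulled from the device to use it for real. The field layout follows the published DEX header format (magic, checksum, signature, then twenty little-endian uint32 size/offset fields).

```python
"""Inspect an APK (a ZIP archive) and verify the integrity fields of its classes.dex.

Added example for this talk; not code from the slides or from Yahoo's app.
"""
import hashlib
import io
import struct
import zipfile
import zlib

DEX_MAGIC_PREFIX = b"dex\n"        # full magic is b"dex\n" + 3-digit version + b"\0"
DEX_HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678

# The 20 little-endian uint32 fields that follow the 20-byte SHA-1 signature.
HEADER_FIELDS = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
)


def build_min_dex(version: bytes = b"035") -> bytes:
    """Constructed sample: a header-only .dex (all tables empty) with valid checksum and signature."""
    magic = DEX_MAGIC_PREFIX + version + b"\0"
    body = [DEX_HEADER_SIZE, DEX_HEADER_SIZE, ENDIAN_CONSTANT] + [0] * 17
    tail = struct.pack("<20I", *body)
    signature = hashlib.sha1(tail).digest()                   # SHA-1 over everything after the signature
    checksum = zlib.adler32(signature + tail) & 0xFFFFFFFF    # Adler-32 over everything after the checksum
    return magic + struct.pack("<I", checksum) + signature + tail


def parse_dex_header(dex: bytes) -> dict:
    """Parse the DEX header and recompute its checksum and signature."""
    if len(dex) < DEX_HEADER_SIZE or not dex.startswith(DEX_MAGIC_PREFIX):
        raise ValueError("not a DEX file")
    version = dex[4:7].decode("ascii")
    (stored_checksum,) = struct.unpack_from("<I", dex, 8)
    stored_signature = dex[12:32]
    fields = dict(zip(HEADER_FIELDS, struct.unpack_from("<20I", dex, 32)))
    report = {
        "version": version,
        "checksum_ok": (zlib.adler32(dex[12:]) & 0xFFFFFFFF) == stored_checksum,
        "signature_ok": hashlib.sha1(dex[32:]).digest() == stored_signature,
        "size_ok": fields["file_size"] == len(dex)
        and fields["header_size"] == DEX_HEADER_SIZE
        and fields["endian_tag"] == ENDIAN_CONSTANT,
    }
    report.update(fields)
    return report


def inspect_apk(apk) -> dict:
    """List the archive entries, note whether a v1 signature block is present, and check every classes*.dex.

    `apk` is either a filesystem path or the APK's bytes.
    """
    src = io.BytesIO(apk) if isinstance(apk, (bytes, bytearray)) else apk
    report = {"entries": [], "signed": False, "dex": {}}
    with zipfile.ZipFile(src) as zf:
        for info in zf.infolist():
            name = info.filename
            report["entries"].append(name)
            if name.startswith("META-INF/") and name.endswith((".RSA", ".DSA", ".EC")):
                report["signed"] = True
            if name.startswith("classes") and name.endswith(".dex"):
                report["dex"][name] = parse_dex_header(zf.read(info))
    return report


def build_sample_apk(tamper: bool = False) -> bytes:
    """Constructed sample APK: placeholder entries only, enough to exercise inspect_apk()."""
    dex = build_min_dex()
    if tamper:
        # Flip one byte of link_size (offset 44): stored checksum/signature no longer match.
        dex = dex[:44] + bytes([dex[44] ^ 0xFF]) + dex[45:]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<placeholder binary manifest>")
        zf.writestr("classes.dex", dex)
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        zf.writestr("META-INF/CERT.RSA", b"<placeholder PKCS#7 signature blob>")
    return buf.getvalue()


if __name__ == "__main__":
    for tampered in (False, True):
        rep = inspect_apk(build_sample_apk(tamper=tampered))
        hdr = rep["dex"]["classes.dex"]
        print(f"tampered={tampered} signed={rep['signed']} dex v{hdr['version']} "
              f"checksum_ok={hdr['checksum_ok']} signature_ok={hdr['signature_ok']} "
              f"classes={hdr['class_defs_size']}")
```

Run it against the backup ES File Explorer produced with `inspect_apk("/sdcard/backups/<name>.apk")` (path assumed). The presence of a `META-INF/*.RSA` entry only tells you a v1 signature block exists; it does not validate the certificate chain, and a `checksum_ok` of `False` on a file that was not deliberately modified usually means the copy is incomplete and should be pulled again.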
11. File System
With the Android tools in Eclipse (the DDMS File Explorer) we can browse the device's file system. When an application is installed, the system creates a private data directory for it under /data/data (comparable to Program Files on Windows).
Install Yahoo Email Android Client on the AVD
12. File System
13. Database and file of Yahoo Email Client
In order to do forensic research on the database and artifacts we need some Yahoo email accounts for testing. We created two different Yahoo Email accounts, because the Yahoo Email Android Client lets a user manage more than one Yahoo email account.
Email 1: rufatf123
Email 2: rufatf124
We then sign in with the first account and add the second one.
14. Database and file of Yahoo Email Client
We sent some test emails from both accounts: plain-text emails and emails with media attached (.doc and .mp3 files). Then we start to look at the database.
In the Eclipse File Explorer we browse to the application's databases directory under /data/data and pull the files with this tool (select the file, click the disk icon at the top right, then choose a folder to save to).
15. Database and file of Yahoo Email Client
Every table was created for both accounts.
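Once the .db files have been pulled, the first questions are which tables exist, what columns they have, how many rows each account contributed and whether the file has free pages left behind by deletes. The following is an added example written for this talk, not the Yahoo client's real schema or code: it builds a constructed two-account mail database in a temporary file so it runs offline, and opens it read-only so the evidence copy is never modified. Pass the path of a pulled database to `triage_db()` and `dump_table()` to use it on real data.

```python
"""Triage a SQLite database pulled from an app's /data/data/<package>/databases directory.

Added example for this talk; the sample schema below is constructed and is not
the Yahoo Email client's real schema.
"""
import os
import sqlite3
import tempfile


def _ro(path: str) -> sqlite3.Connection:
    # Read-only URI: never write to the pulled evidence file.
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def triage_db(path: str) -> dict:
    """Return schema, column list and row count for every user table, plus page and freelist info."""
    con = _ro(path)
    try:
        tables = {}
        rows = con.execute(
            "SELECT name, sql FROM sqlite_master "
            "WHERE type = 'table' AND name NOT LIKE 'sqlite_%' ORDER BY name"
        ).fetchall()
        for name, ddl in rows:
            q = name.replace('"', '""')
            count = con.execute(f'SELECT COUNT(*) FROM "{q}"').fetchone()[0]
            cols = [r[1] for r in con.execute(f'PRAGMA table_info("{q}")')]
            tables[name] = {"columns": cols, "rows": count, "ddl": ddl}
        page_size = con.execute("PRAGMA page_size").fetchone()[0]
        # Free pages were released by deletes/drops; their old contents may still be present on disk.
        freelist = con.execute("PRAGMA freelist_count").fetchone()[0]
        return {"tables": tables, "page_size": page_size, "freelist_pages": freelist}
    finally:
        con.close()


def dump_table(path: str, name: str, limit: int = 20) -> list:
    """Return up to `limit` rows of a table as dicts (column name -> value)."""
    con = _ro(path)
    con.row_factory = sqlite3.Row
    try:
        q = name.replace('"', '""')
        return [dict(r) for r in con.execute(f'SELECT * FROM "{q}" LIMIT ?', (limit,))]
    finally:
        con.close()


def build_sample_db(path: str) -> None:
    """Constructed sample: a small two-account mail store (accounts, messages, attachments)."""
    con = sqlite3.connect(path)
    with con:
        con.executescript("""
            CREATE TABLE accounts(id INTEGER PRIMARY KEY, login TEXT NOT NULL);
            CREATE TABLE messages(id INTEGER PRIMARY KEY,
                                  account_id INTEGER REFERENCES accounts(id),
                                  subject TEXT, body TEXT, synced INTEGER);
            CREATE TABLE attachments(id INTEGER PRIMARY KEY,
                                     message_id INTEGER REFERENCES messages(id),
                                     filename TEXT, local_path TEXT);
        """)
        con.executemany("INSERT INTO accounts(login) VALUES (?)",
                        [("rufatf123",), ("rufatf124",)])
        con.executemany(
            "INSERT INTO messages(account_id, subject, body, synced) VALUES (?, ?, ?, ?)",
            [(1, "test 1", "hello from 123", 1),
             (2, "test 2", "hello from 124", 1),
             (1, "doc attached", "see file", 1)])
        con.execute("INSERT INTO attachments(message_id, filename, local_path) "
                    "VALUES (3, 'notes.doc', '/sdcard/Yahoo/notes.doc')")  # constructed path
        # A deleted row disappears from queries but is not wiped from the page
        # unless secure_delete is enabled; carving the raw file may still recover it.
        con.execute("DELETE FROM messages WHERE id = 2")
    con.close()


def demo() -> dict:
    """Build the constructed database in a temp dir and triage it; returns the results."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "mail.db")
        build_sample_db(path)
        return {"report": triage_db(path), "messages": dump_table(path, "messages")}


if __name__ == "__main__":
    out = demo()
    for name, info in out["report"]["tables"].items():
        print(f"{name}: {info['rows']} rows, columns={info['columns']}")
    print("free pages:", out["report"]["freelist_pages"])
    for row in out["messages"]:
        print(row)
```

The `freelist_count` is the cheap signal that the database once held more than it shows now; recovering those records means carving the raw .db file rather than querying it, which is outside what this talk covers.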
16. Attachment files of Yahoo Email Client
When we open an attachment, the app offers two options: View and Save. We choose Save in order to examine the artifacts; before saving, the app shows us the directory the file will be written to.
18. Uninstall Yahoo Email Android Client
Finally we uninstall Yahoo Email Android Client (from the Application Manager) and examine /data/data and the SD card folders to find out which folders and files the system removed and which ones remained.
After the uninstallation we see that the system removed the application's package directory under /data/data, and with it the cache and database files. Looking at the SD card, the Yahoo directory has also been removed. So the system removes all of the application's artifacts when it is uninstalled. This is a logical check of the live file system only; whether the deleted data is still recoverable from the underlying flash storage is a separate question that this research does not address.
19. Security Warnings
Do not "root" your device!
Do not install applications from unknown sources!
Read the permissions when installing an application!
20. Acronyms
APK Android Application Package
JVM Java Virtual Machine
Java SE Java Standard Edition
Java ME Java Micro Edition
SD Card Secure Digital Card
OS Operating System
AVD Android Virtual Device
DEX Dalvik Executable
SDK Software Development Kit
21. Bibliography
References
[1] Android OS - a Linux-based operating system designed primarily for touchscreen mobile devices such as smartphones and tablet computers.
http://en.wikipedia.org/wiki/Android_(operating_system)
Official web site: http://www.android.com/ and the most used sub-site http://developer.android.com/index.html
[2] Android Architecture - The Key Concepts
http://www.android-app-market.com/android-architecture.html
[3] Reverse Engineering
http://searchcio-midmarket.techtarget.com/definition/reverse-engineering
[4] android-apktool
https://code.google.com/p/android-apktool/
[5] dex2jar
https://code.google.com/p/dex2jar/
[6] JD-GUI
https://code.google.com/p/innlab/downloads/detail?name=jd-gui-0.3.3.windows.zip&can=2&q=
[7] Google Play (download source for the Yahoo and ES File Explorer applications)
https://play.google.com/store
22. Bibliography
References
[8] Techopedia.com
http://www.techopedia.com/definition/3868/reverse-engineering
[9] ES File Explorer
https://play.google.com/store/apps/details?id=com.estrongs.android.pop