- Jaimin Gohel
- InfoSec Enthusiast
- Null Ahmedabad
- Mozilla Gujarat
Static analysis, also called static code analysis, is a method of computer program debugging that is done by examining the code without executing the program. The process provides an understanding of the code structure, and can help to ensure that the code adheres to industry standards.
Static analysis is performed in a non-runtime environment. Typically a static analysis tool will inspect program code for all possible run-time behaviors and seek out coding flaws, back doors, and potentially malicious code.
Activities, content providers, broadcast receivers, services
process hook, sandbox memory
can pull sandbox data
4. Hard coded secrets
5. Weak ciphers or algorhithms
6. Bypass SSL pinning
- Android manifest file
- Content providers
- Broadcast Receiver
Android manifest file
- Basically a XML document which contains lot of information about the application.
- It names the Java package for the application. The package name serves as a unique identifier for the application.
- It describes the components of the application — the activities, services, broadcast receivers, and content providers that the application is composed of.
Android manifest file(cont.)
- It declares which permissions the application must have in order to access protected parts of the API and interact with other applications.
- It declares the minimum level of the Android API that the application requires.
- It lists the libraries that the application must be linked against
- Android is a privilege-separated operating system, in which each application runs with a distinct system identity (Linux user ID and group ID).
- Parts of the system are also separated into distinct identities. Linux thereby isolates applications from each other and from the system.
- Android sandboxes applications from each other.
- By default no application has permission to perform any operations that would adversely impact other applications, the operating system, or the user.
- All types of applications — Java, native, and hybrid — are sandboxed in the same way and have the same degree of security from each other.
- An Activity is an application component that provides a screen with which users can interact in order to do something, such as dial the phone, take a photo, send an email, or view a map.
- You must declare your activity in the manifest file in order for it to be accessible to the system. To declare your activity, open your manifest file and add an <activity> element as a child of the <application> element.
<manifest ... > <application ... > <activity android:name=".ExampleActivity" /> ... </application ... > ... </manifest >
- Example of activity declaration:
- A Service is an application component that can perform long-running operations in the background and does not provide a user interface.
- Another application component can start a service and it will continue to run in the background even if the user switches to another application.
- For example, a service might handle network transactions, play music, perform file I/O, or interact with a content provider, all from the background.
A service can essentially take two forms:
A service is "started" when an application component (such as an activity) starts it by calling startService().
A service is "bound" when an application component binds to it by calling bindService().
- A content provider manages access to a central repository of data.
A content provider presents data to external applications as one or more tables that are similar to the tables found in a relational database.
Through the content provider, other applications can query or even modify data.
- A broadcast receiver is a component that respond to the system-wide broadcast announcements.
For example, applications can register for the ACTION_BOOT_COMPLETED system event which is fired once the Android system has completed the boot process.
Phases of android reversing
Application .apk file
(image, layout, asset files)
(Readable XML file)
Extract using apktool
dex to class
(use dex2jar tool)
class to java
- Using MobSF- https://github.com/MobSF/Mobile-Security-Framework-MobSF
- MobSF is an open source and intelligent tool.
- Its and automated pentesting framework.
- It can be used to perform both static and dynamic analyses on Android and iOS platform.
- Written in python.
- Static Analyzer
- Dynamic Analyzer
- Web API Fuzzer
Resources and credits
- Thanks to: @ajinabraham
Android - Static Analysis
By Jaimin Gohel