What is Reverse Engineering in Android?

Reverse engineering Android applications is the process of analyzing APK files to understand their internal logic, behavior, and security mechanisms. This skill is crucial for ethical hackers, bug bounty hunters, and security analysts working with mobile applications.

🎯 Goals of Reverse Engineering

🛠 Essential Tools

🧠 Step-by-Step: Reverse Engineering an Android App

1. Extract the APK

You can obtain APKs from the device, third-party APK repositories, or through adb. On the device, list the installed packages, ask the package manager for the path of the one you want, and pull that APK (the path below is an example; use whatever `pm path` prints):

adb shell pm list packages
adb shell pm path com.example.app
adb pull /data/app/com.example.app-1/base.apk

2. Decompile with APKTool

Extract resources, manifest, and smali code:

apktool d base.apk -o app_decoded

3. Analyze Code with JADX

Use JADX GUI to read the decompiled Java code:

jadx-gui base.apk

Look for suspicious patterns such as:

  • SharedPreferences storing credentials
  • WebView.loadUrl() calls
  • API keys in BuildConfig or strings.xml

4. Check for Obfuscation

If variable/class names are unreadable (like a.b.a()), the app might be using ProGuard or R8. Use tools like Procyon or Ghidra for deeper analysis.

5. Dynamic Analysis (Optional)

To monitor real-time behavior:

  • Use Frida to hook functions at runtime
  • Use Objection to bypass root detection
  • Capture traffic with Burp Suite, with Burp's CA certificate installed on the device so TLS can be intercepted

🔐 Real-World Case Study

A financial Android app was found to store user credentials in plaintext under:

/data/data/com.bankapp/shared_prefs/user_prefs.xml

Using jadx, the following line was discovered:

prefs.edit().putString("user_pass", password).apply();

This data was accessible on rooted devices, violating OWASP MASVS storage guidelines.
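The indicators from step 3 (credentials written to SharedPreferences, WebView.loadUrl() calls, API keys in BuildConfig or strings.xml) and the putString("user_pass", ...) line from the case study can be triaged mechanically once apktool or JADX has produced a source tree. The script below is an added example written for this article, not code from the original or from any of the tools it names. It walks a decoded tree, applies heuristic regexes (the key-name patterns are assumptions and will need tuning per app), and reports what it finds. The sample tree it builds is constructed inline for a fictional com.bankapp package so the script runs offline; point scan_tree() at a real jadx or apktool output directory to use it on an actual target.

```python
"""Triage a decompiled Android tree (apktool or jadx output) for the indicators
listed in the walkthrough. Added example, not from the original article."""
import re
import tempfile
from collections import Counter
from pathlib import Path

# Heuristic regexes (assumptions): key names that usually hold credentials or secrets.
CRED_KEY = re.compile(r'putString\(\s*"([^"]*(?:pass|pwd|token|secret|pin)[^"]*)"', re.I)
WEBVIEW_LOAD = re.compile(r'\.loadUrl\((.*)\)')
STRING_SECRET = re.compile(r'<string\s+name="([^"]*(?:api|key|secret|token)[^"]*)"\s*>([^<]*)</string>', re.I)
BUILDCONFIG_SECRET = re.compile(r'static final String (\w*(?:KEY|SECRET|TOKEN)\w*)\s*=\s*"([^"]*)"')


def scan_tree(root):
    """Return a list of (kind, location, detail) findings for every source/resource file under root."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix not in {".java", ".kt", ".xml"}:
            continue
        rel = path.relative_to(root).as_posix()
        for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            where = f"{rel}:{lineno}"
            if path.name == "strings.xml":
                # apktool writes one <string> element per line, so a per-line match is enough here
                m = STRING_SECRET.search(line)
                if m:
                    findings.append(("hardcoded-secret-resource", where, f"{m.group(1)}={m.group(2)}"))
                continue
            if path.suffix == ".xml":
                continue  # manifest and layouts are out of scope for these checks
            m = CRED_KEY.search(line)
            if m:
                findings.append(("plaintext-credential-prefs", where, m.group(1)))
            m = WEBVIEW_LOAD.search(line)
            if m:
                # A literal URL is low risk; a dynamic argument deserves a look at where it comes from
                arg = m.group(1).strip()
                origin = "literal" if arg.startswith('"') else "dynamic"
                findings.append(("webview-loadurl", where, f"{origin}: {arg}"))
            if path.name == "BuildConfig.java":
                m = BUILDCONFIG_SECRET.search(line)
                if m:
                    findings.append(("hardcoded-secret-buildconfig", where, f"{m.group(1)}={m.group(2)}"))
    return findings


def summarize(findings):
    """Count findings per kind; this dict is what a report or CI gate would consume."""
    return dict(Counter(kind for kind, _, _ in findings))


def build_sample_tree(base):
    """Write a small constructed tree that mimics jadx/apktool output for a fictional app."""
    base = Path(base)
    src = base / "sources" / "com" / "bankapp"
    src.mkdir(parents=True)
    (src / "LoginActivity.java").write_text(
        'package com.bankapp;\n'
        'public class LoginActivity {\n'
        '    void save(SharedPreferences prefs, String password) {\n'
        '        prefs.edit().putString("user_pass", password).apply();\n'
        '        prefs.edit().putString("theme", "dark").apply();\n'
        '    }\n'
        '    void open(WebView webView) {\n'
        '        webView.loadUrl(getIntent().getStringExtra("url"));\n'
        '        webView.loadUrl("https://help.example.invalid/faq");\n'
        '    }\n'
        '}\n')
    (src / "BuildConfig.java").write_text(
        'package com.bankapp;\n'
        'public final class BuildConfig {\n'
        '    public static final String API_KEY = "constructed-sample-key";\n'
        '    public static final String VERSION_NAME = "1.0";\n'
        '}\n')
    res = base / "res" / "values"
    res.mkdir(parents=True)
    (res / "strings.xml").write_text(
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<resources>\n'
        '    <string name="app_name">BankApp</string>\n'
        '    <string name="maps_api_key">constructed-sample-maps-key</string>\n'
        '</resources>\n')


def demo():
    """Build the sample tree in a temp dir, scan it, and return the per-kind counts."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        findings = scan_tree(tmp)
        for kind, where, detail in findings:
            print(f"{kind:30} {where:45} {detail}")
        return summarize(findings)


if __name__ == "__main__":
    demo()
```

On the constructed tree the script reports one plaintext-credential write (the case study's "user_pass" key), two loadUrl() calls (one literal, one fed from an Intent extra), and one hardcoded key each in BuildConfig and strings.xml; a "theme" preference and VERSION_NAME are correctly ignored. Every hit is a lead to confirm in JADX, not a verdict. On the defensive side, the fix for the case-study finding is to keep the password out of SharedPreferences altogether (a server-issued session token is the usual replacement) and, where something must persist, to use the Android Keystore or EncryptedSharedPreferences rather than a plaintext XML file.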

💡 Tips & Best Practices

📚 Learn More