The Hack Lair
pnxauh22krzb5xso.onion

Case study: Depackaging with Apktool

For this case study we are going to use apktool, a tool for reverse engineering Android apk files, developed by iBotPeaches. If you want to get the tool running on your system read the installation doc.

We’re analysing Aptoide 6.5.2.

Run apktool decode cm.aptoide.pt.apk and let’s get started.

The first file we want to check is AndroidManifest.xml. The official Android Manifest doc helps us understand what info we can get from it.

This file contains the list of permissions the app requires to run. So READ_PHONE_STATE, huh? Reading my IMEI and my phone number. Why would it need to know that? Good thing we use a dedicated hacking device. Another interesting permission is READ_EXTERNAL_STORAGE, which means the app can read files on our device.

Next we can check the smali folder. In Android terminology, smali and baksmali refer to compiling and decompiling. We recommend you read this excellent post on understanding Android decompiling.

The folder structure contains the libraries bundled in the app. Well, Aptoide certainly loves tracking its users. It contains at least three analytics libraries: com.amazon.insights, com.flurry.android and com.localytics.android. We can also see it ships the PayPal Android SDK, which fits the payment permission in the manifest.
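The two checks above (permissions in AndroidManifest.xml, third-party packages under smali/) can be scripted over an apktool output directory. This is an added example, not code from the post; it assumes the decoded manifest is plain XML (as apktool emits it), that the app's own code lives under cm/aptoide/pt, and it builds a constructed stand-in directory tree instead of reading real Aptoide output.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Assumed wording for what the two flagged permissions expose; tracker packages as smali paths ('/' for '.').
PERMISSIONS_OF_INTEREST = {
    "android.permission.READ_PHONE_STATE": "IMEI and phone number",
    "android.permission.READ_EXTERNAL_STORAGE": "files on shared storage",
}
TRACKING_PREFIXES = ("com/amazon/insights", "com/flurry/android", "com/localytics/android")

def declared_permissions(manifest_path):
    """Sorted uses-permission names from a decoded (plain-text) AndroidManifest.xml."""
    root = ET.parse(manifest_path).getroot()
    return sorted(el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))

def third_party_packages(decoded_dir, own_prefix):
    """Three-component package paths under smali*/ that hold .smali files outside the app's own code."""
    found = set()
    for entry in (e for e in os.listdir(decoded_dir) if e.startswith("smali")):  # smali/, smali_classes2/, ...
        smali_root = os.path.join(decoded_dir, entry)
        for dirpath, _dirs, files in os.walk(smali_root):
            rel = os.path.relpath(dirpath, smali_root).replace(os.sep, "/")
            if any(f.endswith(".smali") for f in files) and not rel.startswith(own_prefix):
                found.add("/".join(rel.split("/")[:3]))
    return sorted(found)

def triage(decoded_dir, own_prefix="cm/aptoide/pt"):
    """Summarise the two checks the case study performs by hand on an apktool output directory."""
    perms = declared_permissions(os.path.join(decoded_dir, "AndroidManifest.xml"))
    pkgs = third_party_packages(decoded_dir, own_prefix)
    flagged = {p: PERMISSIONS_OF_INTEREST[p] for p in perms if p in PERMISSIONS_OF_INTEREST}
    return {"permissions": perms, "flagged": flagged, "third_party": pkgs,
            "trackers": [p for p in pkgs if p.startswith(TRACKING_PREFIXES)]}

# Constructed stand-in for apktool output (not real Aptoide files) so the example runs offline.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="cm.aptoide.pt">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
</manifest>"""

def build_sample_tree():
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "AndroidManifest.xml"), "w") as fh:
        fh.write(SAMPLE_MANIFEST)
    for pkg in ("cm/aptoide/pt/ui", "com/flurry/android/a", "com/localytics/android", "com/amazon/insights/core"):
        os.makedirs(os.path.join(root, "smali", pkg))
        open(os.path.join(root, "smali", pkg, "A.smali"), "w").close()
    return root
```

Pointing triage() at a real apktool output directory instead of build_sample_tree() gives the same summary for the actual package.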

That’s interesting. Let’s search for paypal in cm.aptoide.pt. 348 hits. All right. The payment management library is called OpenIAB. Let’s Google that… and bingo!

If you’ve read the first case study, our goal was to find malicious behaviour within the app, but it turns out Aptoide is a decentralized app marketplace that runs on open source software. So it’s very unlikely to contain malicious code.

While looking at the OpenIAB library I searched Wikipedia for Aptoide and found the Aptoide source code and dev docs.

So we have our answer. It’s very unlikely to be malicious software. The binary provided on the website might, however, include changes that are not in the code base. To verify this we could build the app from source and compare both packages’ signatures, but that is out of scope for this post.

And that pretty much concludes our reverse engineering tutorial and case study series. Hope you liked it!
