Penetration testing

Android penetration tools walkthrough series: Apktool

Suresh Khutale
April 11, 2018 by
Suresh Khutale

In this article, we will look at the step by step procedure to setup utility called "Apktool" and its usage in android application penetration testing.

Apktool is a utility that can be used for reverse engineering Android applications resources (APK). With the help of Apktool, we can decode APK resources to almost original form; we can modify the source code on the fly and rebuild the decoded resources back to APK. Its project-like structure makes it easy to work with. Apktool has following primary features

  • Decode APK resources (resources.arsc, classes.dex and XMLs)
  • Rebuilding decoded resources back to binary APK
  • Organizing and handling APKs that depend on framework resources
  • Automating with repetitive tasks

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Requirements

  • Java 7 (JRE 1.7) or above
  • Basic knowledge of Android SDK, AAPT (Android Asset Packaging Tool) and smali

Installing and setting up Apktool

Kali-Linux penetration tools:

If you are working with Kali Linux, you can find the Apktool pre-installed under penetration testing applications as illustrated in the below screenshot.

Click on the Apktool in Kali-Linux applications or open a terminal and hit the below command to check the version of the Apktool installed.

Apktool -version

You can upgrade to the latest version of apktool by the apt-get command in Linux.

Apktool for windows

Step 1: Open a command prompt and check the java version installed on your system with below command

Java -version

Java version must be at least 1.7.

Step 2: Download Windows wrapper script (Apktool.bat) and the latest version of Apktool jar file from here. Rename the jar file as Apktool.jar

Step 3: Keep both the files (Apktool.bat and Apktool.jar) into same windows directory of your choice, you may set the Environment Variables System "PATH" variable to access Apktool from anywhere. Illustrated below

Let's check if we can access the Apktool from anywhere, Yes!! It is accessible.

Apktool usage

The primary usage of the Apktool is for reengineering android APK files

  • Decode APK resources
  • Rebuilding decoded resources back to binary APK
  • Organizing and handling APKs that depend on framework resources

With the below command we can see the options and switches are available in Apktool

There are various options available for primary usage; those are self-explanatory. Below listed are some of the important switches in Apktool

Apktool d[ecode]: This switch is used to invoke decode APK option

Apktool b[uild]: This switch is used to invoke build APK option

Apktool if | install-framework: This option can be used to install and store frameworks

Decode APK resources

APKs are nothing but a zip file containing resources and compiled java code. If you unzip an APK, you will find files such as classes.dex, META-INF, AndroidManifest.xml and resources.arsc etc. If you tried to view these compiled files, you would be left junk data. In the illustration below, I am using vulnerable APK file (diva-beta.apk) for this exercise that can be downloaded from here

Editing or viewing a compiled file is next to impossible. That is where Apktool comes into the picture; Apktool coverts compiled files to source form. I have kept the APK file to the same windows directory where I had installed/setup the Apktool

The decode option on Apktool can be invoked either from d or decode switch as shown below. Open a command prompt and hit the below command, you may specify the other switches/options as per your requirement.

apktool d diva-beta.apk

You will see a lot of activity on your command screen; the output should be like this. As you can see that the decompiling process takes default resource table from the framework, you may define resource frameworks for system applications. You would find the folder created in same windows directory with default name; you may specify the output directory with respective switch explained earlier.

Here, the res folder contains all the media files including images, ringtones and many more. It also contains the front-end XML files which can be used to alter the look and feel of the app you have decompiled.

Original folder contains META-INF and original AndroidManifest.xml, META-INF has APK signatures. After modifying the APK, it is no longer signed. You can use -c / --copy-original to retain these signatures. However, using -c uses the original AndroidManifest.xml file, so changes to it will be lost.

The AndroidManifest.xml file describes essential information about your app to the Android build tools, the Android operating system, and Google Play (Read more here).

The Smali folder is the important part, Apktool decodes compiled java files in the form of .smali files (Read more on smali here). This folder appears only if the APK is deodexed (Read more here) else, these files are compressed in a single file with an extension .odex. These Smali files are responsible for the functionality of the app and handling them would create direct impacts to the app. You can view and edit the .smali code with any simple editor, illustrated below

Start your tinkering and make the necessary modifications to the APK you want, once finished we can recompile the APK.

Rebuilding decoded resources back to binary APK

Once you are done with the modification to the APK source, you can re-build the APK file from the source files. Open the command prompt, go to the windows directory where the decoded source code you had kept and enter the below command

apktool b diva-beta

Now you can find the recompiled APK in the dist folder in the decompiled APK directory that is diva-betadist illustrated in below screenshots

Now the APK is built, but may due to the modifications made; the APK might not be compact to avoid this further you may align the package using the Zipalign tool and sign APK file with sign.jar (Read more here).

Organizing and handling APKs that depend on framework resources

As you may know that Android apps utilize code and resources of Android OS. These resources are known as framework resources, and Apktool relies on these to properly decode and build system APK files.

Every Apktool release has the most up to date AOSP (Android Open Source Project) framework binding at the time of the release. This allows to decode and build most APKs without a problem. However, some device manufacturers add their own framework files in addition to default AOSP. While using Apktool against these device manufacturer APKs, we must install the manufacturer framework files first to make sure proper decoding and building of system APK files. You could pull manufacturer resource framework APK from device via adb pull /path/to/file or use a file manager application. To demonstrate this, I am using sample framework-res.apk (you can get it from here), that I have copied to same windows directory where my Apktool is installed.

Now, prior to decode or build any system APK you must install resource framework, enter one of the below commands to install framework APK

apktool if framework-res.apk -p Framework

apktool install-framework framework-res.apk -p Framework

-p, --frame-path <dir> - Store framework files into <dir>. By default, Apktool stores frameworks to below directories

Unix - $HOME/.local/share/apktool

Windows - %UserProfile%AppDataLocalapktool

Mac - $HOME/Library/apktool

-t, --tag <tag> - Tag frameworks using <tag>, you can specify a name for the framework which you want to install.

Now, we can see that the framework we have installed in the specified windows directory.

We can specify this framework path with -p switch while decoding and building the APK resources.

That's it, we have now decompiled an APK, modified it, recompiled the APK, and finally, we have optimized APK to ease Android penetration testing hitches.

The main advantage of Apktool over other tools is that it is bidirectional and very easy to use. You decompile an application and modify it, and then recompile it back using Apktool, it will recompile perfectly and will generate a new APK file.

Become a Certified Ethical Hacker, guaranteed!

Become a Certified Ethical Hacker, guaranteed!

Get training from anywhere to earn your Certified Ethical Hacker (CEH) Certification — backed with an Exam Pass Guarantee.

Sources

Suresh Khutale
Suresh Khutale

Suresh Khutale is an information Security professional with over 6 years of experience in the field, currently working as Senior Consultant with Aujas Networks. He is a Certified Ethical Hacker and Certified Computer Hacking Forensic Investigator at EC-Council, specializing in application penetration testing (web/mobile), secure architecture review, network security and risk assessment. Interests include threat hunting/malware analysis and technical writing. Reach him at suresh.khutale@gmail.com and LinkedIn at https://www.linkedin.com/in/sureshkhutale/