Android penetration tools walkthrough series: Apktool
In this article, we will look at the step by step procedure to setup utility called "Apktool" and its usage in android application penetration testing.
Apktool is a utility that can be used for reverse engineering Android applications resources (APK). With the help of Apktool, we can decode APK resources to almost original form; we can modify the source code on the fly and rebuild the decoded resources back to APK. Its project-like structure makes it easy to work with. Apktool has following primary features
- Decode APK resources (resources.arsc, classes.dex and XMLs)
- Rebuilding decoded resources back to binary APK
- Organizing and handling APKs that depend on framework resources
- Automating with repetitive tasks
What should you learn next?
Requirements
- Java 7 (JRE 1.7) or above
- Basic knowledge of Android SDK, AAPT (Android Asset Packaging Tool) and smali
Installing and setting up Apktool
Kali-Linux penetration tools:
If you are working with Kali Linux, you can find the Apktool pre-installed under penetration testing applications as illustrated in the below screenshot.
Click on the Apktool in Kali-Linux applications or open a terminal and hit the below command to check the version of the Apktool installed.
Apktool -version
You can upgrade to the latest version of apktool by the apt-get command in Linux.
Apktool for windows
Step 1: Open a command prompt and check the java version installed on your system with below command
Java -version
Java version must be at least 1.7.
Step 2: Download Windows wrapper script (Apktool.bat) and the latest version of Apktool jar file from here. Rename the jar file as Apktool.jar
Step 3: Keep both the files (Apktool.bat and Apktool.jar) into same windows directory of your choice, you may set the Environment Variables System "PATH" variable to access Apktool from anywhere. Illustrated below
Let's check if we can access the Apktool from anywhere, Yes!! It is accessible.
Apktool usage
The primary usage of the Apktool is for reengineering android APK files
- Decode APK resources
- Rebuilding decoded resources back to binary APK
- Organizing and handling APKs that depend on framework resources
With the below command we can see the options and switches are available in Apktool
There are various options available for primary usage; those are self-explanatory. Below listed are some of the important switches in Apktool
Apktool d[ecode]: This switch is used to invoke decode APK option
Apktool b[uild]: This switch is used to invoke build APK option
Apktool if | install-framework: This option can be used to install and store frameworks
Decode APK resources
APKs are nothing but a zip file containing resources and compiled java code. If you unzip an APK, you will find files such as classes.dex, META-INF, AndroidManifest.xml and resources.arsc etc. If you tried to view these compiled files, you would be left junk data. In the illustration below, I am using vulnerable APK file (diva-beta.apk) for this exercise that can be downloaded from here
Editing or viewing a compiled file is next to impossible. That is where Apktool comes into the picture; Apktool coverts compiled files to source form. I have kept the APK file to the same windows directory where I had installed/setup the Apktool
The decode option on Apktool can be invoked either from d or decode switch as shown below. Open a command prompt and hit the below command, you may specify the other switches/options as per your requirement.
apktool d diva-beta.apk
You will see a lot of activity on your command screen; the output should be like this. As you can see that the decompiling process takes default resource table from the framework, you may define resource frameworks for system applications. You would find the folder created in same windows directory with default name; you may specify the output directory with respective switch explained earlier.
Here, the res folder contains all the media files including images, ringtones and many more. It also contains the front-end XML files which can be used to alter the look and feel of the app you have decompiled.
Original folder contains META-INF and original AndroidManifest.xml, META-INF has APK signatures. After modifying the APK, it is no longer signed. You can use -c / --copy-original to retain these signatures. However, using -c uses the original AndroidManifest.xml file, so changes to it will be lost.
The AndroidManifest.xml file describes essential information about your app to the Android build tools, the Android operating system, and Google Play (Read more here).
The Smali folder is the important part, Apktool decodes compiled java files in the form of .smali files (Read more on smali here). This folder appears only if the APK is deodexed (Read more here) else, these files are compressed in a single file with an extension .odex. These Smali files are responsible for the functionality of the app and handling them would create direct impacts to the app. You can view and edit the .smali code with any simple editor, illustrated below
Start your tinkering and make the necessary modifications to the APK you want, once finished we can recompile the APK.
Rebuilding decoded resources back to binary APK
Once you are done with the modification to the APK source, you can re-build the APK file from the source files. Open the command prompt, go to the windows directory where the decoded source code you had kept and enter the below command
apktool b diva-beta
Now you can find the recompiled APK in the dist folder in the decompiled APK directory that is diva-betadist illustrated in below screenshots
Now the APK is built, but may due to the modifications made; the APK might not be compact to avoid this further you may align the package using the Zipalign tool and sign APK file with sign.jar (Read more here).
Organizing and handling APKs that depend on framework resources
As you may know that Android apps utilize code and resources of Android OS. These resources are known as framework resources, and Apktool relies on these to properly decode and build system APK files.
Every Apktool release has the most up to date AOSP (Android Open Source Project) framework binding at the time of the release. This allows to decode and build most APKs without a problem. However, some device manufacturers add their own framework files in addition to default AOSP. While using Apktool against these device manufacturer APKs, we must install the manufacturer framework files first to make sure proper decoding and building of system APK files. You could pull manufacturer resource framework APK from device via adb pull /path/to/file or use a file manager application. To demonstrate this, I am using sample framework-res.apk (you can get it from here), that I have copied to same windows directory where my Apktool is installed.
Now, prior to decode or build any system APK you must install resource framework, enter one of the below commands to install framework APK
apktool if framework-res.apk -p Framework
apktool install-framework framework-res.apk -p Framework
-p, --frame-path <dir> - Store framework files into <dir>. By default, Apktool stores frameworks to below directories
Unix - $HOME/.local/share/apktool
Windows - %UserProfile%AppDataLocalapktool
Mac - $HOME/Library/apktool
-t, --tag <tag> - Tag frameworks using <tag>, you can specify a name for the framework which you want to install.
Now, we can see that the framework we have installed in the specified windows directory.
We can specify this framework path with -p switch while decoding and building the APK resources.
That's it, we have now decompiled an APK, modified it, recompiled the APK, and finally, we have optimized APK to ease Android penetration testing hitches.
The main advantage of Apktool over other tools is that it is bidirectional and very easy to use. You decompile an application and modify it, and then recompile it back using Apktool, it will recompile perfectly and will generate a new APK file.
Become a Certified Ethical Hacker, guaranteed!
Get training from anywhere to earn your Certified Ethical Hacker (CEH) Certification — backed with an Exam Pass Guarantee.