How to Setup a Lab Environment for Android Reverse Engineering
In today’s interconnected world, mobile devices play a pivotal role in our daily lives, with Android being the dominant operating system for smartphones and tablets. As the use of Android devices increases, so does the importance of ensuring their security. To safeguard against evolving threats and vulnerabilities, security professionals and researchers are increasingly turning to Android security assessment lab environments. Such a lab provides a controlled and simulated environment for evaluating the security of Android applications, devices, and systems through reverse engineering. In this blog post, we will explore how to install and configure the necessary tools.
Android Studio
Android Studio is a powerful and indispensable tool in the field of reverse engineering for Android applications. Its significance lies in its comprehensive set of features, such as emulators, the SDK, the adb (Android Debug Bridge) tool and other necessary libraries and tools, which security researchers and reverse engineers can leverage to dissect, analyze, and understand the inner workings of Android apps.
ADB (Android Debug Bridge)
ADB serves as a bridge between a host computer and an Android device, facilitating communication and control over the device’s internals. Its importance lies in the direct access it gives reverse engineers to the Android operating system: a means to extract data, install and uninstall apps, and debug applications. This makes it an essential component for uncovering vulnerabilities, understanding app behavior, and enhancing the security of Android applications.
It ships with Android Studio; to use it from any command prompt, add the following directory to your PATH.
On Windows, add C:\Users\<username>\AppData\Local\Android\Sdk\platform-tools to the Path entry in the system environment variables.
On Linux, add /home/<username>/Android/Sdk/platform-tools to the PATH in your ~/.profile or ~/.bashrc file, then run source ~/.profile so the change applies to the current shell (the profile file keeps it permanent across logins).
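As an added example (not from the original post), the Linux step above as a small POSIX sh script: it appends the platform-tools export to a profile file only once, so repeated runs do not duplicate it, and checks that adb is actually present before sourcing the profile. The SDK path is the default location from the post; ANDROID_SDK_ROOT as an optional override is an assumption of this script.

```shell
#!/bin/sh
# Added example (not from the original post): put the Android SDK platform-tools
# directory on PATH via a profile file, idempotently, then verify adb resolves.
# Assumes the default Android Studio SDK location named in the post; set
# ANDROID_SDK_ROOT to override it (that variable name is an assumption here).

SDK_ROOT="${ANDROID_SDK_ROOT:-$HOME/Android/Sdk}"
PLATFORM_TOOLS="$SDK_ROOT/platform-tools"

# Append the PATH export to the profile file given as $1 only if that exact
# line is not already there. Prints "added" or "already present".
add_platform_tools_to_profile() {
  profile="$1"
  line="export PATH=\"\$PATH:$PLATFORM_TOOLS\""
  touch "$profile"
  if grep -Fqx "$line" "$profile"; then
    echo "already present"
    return 0
  fi
  printf '\n# Android SDK platform-tools (adb, fastboot)\n%s\n' "$line" >> "$profile"
  echo "added"
}

# Count lines in $1 that reference the platform-tools directory; stays at 1
# no matter how often the function above is run.
count_platform_tools_lines() {
  grep -Fc "$PLATFORM_TOOLS" "$1" || true
}

# True when an executable adb exists in the directory given as $1.
adb_present_in() {
  [ -x "$1/adb" ]
}

# Only touch the real ~/.profile when explicitly asked (sh this_script.sh --apply),
# so sourcing or testing this file has no side effects.
if [ "${1:-}" = "--apply" ]; then
  add_platform_tools_to_profile "$HOME/.profile"
  if adb_present_in "$PLATFORM_TOOLS"; then
    # shellcheck disable=SC1090
    . "$HOME/.profile"
    adb version
  else
    echo "adb not found in $PLATFORM_TOOLS; check the SDK location in Android Studio"
  fi
fi
```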
Apktool
Apktool is a valuable tool for reverse engineers and security researchers who try to delve into Android applications. It can decode and disassemble Android APK files, effectively converting them into a human-readable smali format. This feature is pivotal in reverse engineering, as it grants access to the low-level source code, resources, and manifest files such as AndroidManifest.xml within an app, enabling a deep analysis of its functionality and potential security vulnerabilities.
Link: https://apktool.org/
JADX-GUI
JADX-GUI, a static reverse engineering tool, can decompile Android DEX (Dalvik Executable) files, which contain the bytecode of Android apps, into readable Java and Kotlin source code. This functionality is invaluable for security researchers and reverse engineers, as it enables them to explore an app’s logic, analyze the pseudo source code, and identify potential security vulnerabilities. Additionally, JADX-GUI provides a user-friendly interface, making the reverse engineering process more efficient and contributing to a better understanding of Android apps and their security.
Link: https://github.com/skylot/jadx/releases/
JD-GUI
JD-GUI can decompile compiled Java class files, allowing reverse engineers to access and analyze the original Java source code. This is valuable for understanding an application’s functionality, behavior, and security mechanisms.
Bytecodeviewer
Bytecodeviewer can decompile and display Java bytecode, providing reverse engineers with insights into an application’s inner workings. It is a static reverse engineering tool.
Genymotion
Genymotion, acting as a dynamic reverse engineering tool, provides a virtualized Android environment that can be customized to simulate a wide range of devices and Android versions. Reverse engineers use Genymotion to test, analyze, and manipulate Android apps in a controlled environment, allowing for debugging and behavioral analysis during a security assessment. By offering features like easy app installation, network monitoring, and interaction with emulated devices, Genymotion eases the reverse engineering process, aiding in the discovery of vulnerabilities and in the behavior analysis of Android apps.
Link: https://www.genymotion.com/download/
Important troubleshooting tip: If you have a problem with creating a virtual phone, re-enable the Virtual Host-Only Ethernet Adapter.
Objection
Objection helps identify and exploit security vulnerabilities within Android apps. It simplifies the process of dynamic analysis by providing a simple and efficient way to interact with running apps on a device. It allows for runtime manipulation, API hooking, and real-time inspection of an app’s behavior, enabling the discovery of potential security weaknesses and aiding in the development of robust countermeasures.
Frida
Frida can inject JavaScript code into running Android applications, enabling real-time manipulation, hooking, and monitoring of app behavior. This dynamic analysis capability allows security professionals to identify and exploit security vulnerabilities, assess an app’s runtime defenses, and understand its inner workings. The Frida client was already installed together with Objection, as Objection works on top of Frida. We still need to install the Frida server.
Drozer
Drozer allows you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps’ IPC endpoints and the underlying OS. It provides tools to help you use, share and understand public Android exploits. It helps you to deploy a drozer Agent to a device through exploitation or social engineering. Using weasel (MWR’s advanced exploitation payload) drozer is able to maximise the permissions available to it by installing a full agent, injecting a limited agent into a running process, or connecting a reverse shell to act as a Remote Access Tool (RAT). (This paragraph is copied from the original GitHub repo.)
Link: https://github.com/WithSecureLabs/drozer
You also have to install drozer-agent on the mobile device.
Burp Suite
Burp Suite intercepts, analyzes, and manipulates network traffic between Android apps and remote servers. It facilitates the identification of security vulnerabilities such as insecure data transmission, API weaknesses, and improper handling of sensitive information. With features like intercepting proxy, spidering, and scanning, it plays a pivotal role in the dynamic analysis of Android applications, aiding in the discovery of potential threats and the enhancement of app security.
In conclusion, we’ve explored the essential components and tools used in Android reverse engineering. From the decompilation process through Apktool and JADX-GUI to the runtime analysis capabilities of Objection and Drozer, these tools empower reverse engineers, security experts, developers, and researchers to dissect, understand, and secure Android apps comprehensively. Additionally, the role of network analysis tools like Burp Suite cannot be underestimated, as they uncover vulnerabilities related to data transmission and network communication.
This work has been supported in part by the Energy Transition Fund of the FPS Economy of Belgium through the CYPRESS project, and in part by the VLAIO COOCK program through the IIoT-SBOM project.
Thanks for reading.
Can Özkan