Android Reverse Engineering with VS Code APK Lab Workbench
Reverse engineering a mobile app is the process of analyzing the compiled app to collect information about its source code to find out how it works. You can perform two types of analysis on a mobile app:
Static Analysis : Examining the compiled app.
Dynamic analysis: Observing the app during runtime.
For mobile security testing, we need to know basic reverse engineering concepts to understand the operating system, architecture and potential vulnerabilities in a mobile app.
There are lots of tools to analyze an APK file. Some of them I have used and experienced are Android Studio, Adb (Android Debug Bridge), Apktool, APK studio, MobSF, Bytecodeviewer. Each of them both has common goals and has distinct features to use for different purposes.
But apart from these, in this blog post, I would like to introduce you to another very useful one I discovered recently : APK Lab extension of VScode.
Why APK Lab?
When you want to modify an APK file during your static analysis, after modification repackaging and resigning are needed after making some changes to the Android Manifest or bytecode. To do this, you have to go through a series of the process with different tools. Unpacking an APK file with Apktool, byte-alignment with Zipalign, creating signing certificate with Keytool, and finally signing APK file with Jarsigner or Apksigner….
You can use APK Studio to make these processes easier, but you will need to install some of the tools above one by one. I must clearly say that APK Lab is the fastest, most practical and effortless of any tools for static analysis I have ever used.
The APK Lab extension is an Android reverse engineering workbench that has all these tools by default and automates the necessary steps.
Let’s see how it is used.
First Steps
There are many vulnerable mobile apps that intentionally contain vulnerabilities. Now, I’ll use InsecureBankv2 application. Before you start testing the Insecurebankv2 application, you need to set up the application and its back-end server. First, make sure that the AndroLab server is running. After cloning the repository, you need to run app.py under the AndroLabServer folder and configure the server IP on the app’s settings. You need to give the IP address of the machine where the app’s server is running.
I used Genymotion as an emulator and created an android virtual device. The aim of this blog post is to explain the resigning and repackaging process with APK Lab, so I assume that you know how to use an emulator and connect it to your host machine or Kali machine.
As you can see in the screenshot below, after logging in to the app with default credentials ( dinesh/Dinesh@123$ or jack/Jack@123$) you see the “Rooted Device” message. A Root-detection mechanism is implemented to prevent users from using an app on a rooted phone. In the source code, there are some checks to determine whether the phone is rooted or not. We’ll modify the root detection mechanism and see if we can bypass it.
Installation of APK Lab
If you don’t have VScode, you need to install it first. You also need to download APK file of the Insecurebankv2 app.
From the extension section, search for APK Lab and click on “Install”. It’s great that it’s that easy.
Repackaging and Resigning
To decompile the APK file, open the Command Palette (Ctrl+Shift+P) and select “Open an APK”.
Check “decompile_java” option to decompile APK to Java source code.
As you can see below, APK Lab extension decompiled the APK file successfully using Apktool.
Let’s first look at the methods for root detection mechanism. In PostLogin.java file, showRootStatus() method has some conditions to detect the device is rooted or not. If Superuser.apk file exists and doesSUexist() method is true, it displays the status as “Rooted Device”.
Now we need to change this method in the smali codes to see the modifications later. The following code means that when if-ne (if-not-equal) to the conditions it jumps to the “Device Not Rooted!!”.
if-ne v0, v1, :cond_2
We can comment this line to change the conditional loop and force it directly to condition 2 that displays “Device not Rooted” message. In this way, we can display the message as we wish regardless of the conditions.
We just need to add the following line:
goto :cond_2
Great, we modified the source code.
Now it’s time to see the abilities of the APK Lab.
To rebuild the APK file, right-click on the apktool.yml file and select “Rebuild the APK”.
As you can see in the output screen, APK Lab rebuilt, aligned, verified and finally signed the APK file with just one step. It’s ready to install to the android virtual device.
The rebuilt APK file is under the dist folder. Right-click on the modified APK file and select “Install the APK”. It’ll connect to the emulator and install the APK file.
In the last step, log in to the app again. As you can see, we bypassed the root detection mechanism and performed the necessary steps very easily with APK Lab.
