"It is a must-have for security architects and consultants as well as enterprise security managers who are working with mobile devices and applications."

Dr. Dena Haritos Tsamitis, Director, Information Networking Institute (INI); Director of Education, CyLab; Carnegie Mellon University

"Good book for Android security enthusiasts and developers that also covers advanced topics like reverse engineering of Android applications. A must-have book for all security professionals."

Sanjay Katkar, Co-Founder, Quick Heal Technologies

"It's an excellent book for professional businesses that are trying to move their corporate applications onto the mobile/Android platform. It helped me understand the threats foreseen in Android applications and how to protect against them. Thanks for putting together a structured text on Android security."

Jagmeet Malhotra, Vice President, Royal Bank of Scotland

"Smart mobile devices need smart security. If you are facing the complex challenge of securing data and applications for Android, this book provides valuable insight into the security architecture and practical guidance for safeguarding this modern platform."

Gerhard Eschelbeck, Chief Technology Officer, Sophos

"Abhishek and Anmol's book Android Security: Attacks & Defenses is a great introduction to Android security. Their chapter "Reverse Engineering Android Applications" provides the groundwork for anybody interested in mobile malware analysis and cracking the nitty-gritty of most Android apps."

Nicholas Falliere, Founder, JEB Decompiler, and Security Researcher

"In their book Android Security: Attacks and Defenses, Dubey and Misra have filled a critical gap in software security literature by providing a unique and holistic approach to addressing this critical and often misunderstood topic..."

James Ransome, Senior Director, Product Security, McAfee, An Intel Company

"The book gives security professionals and executives a practical guide to the security implications and best practices for deploying Android platforms and applications in the (corporate) environment."

Steve Martino, VP Information Security, Cisco

Appendix C

  Reverse Engineering Android Applications

In this appendix, we detail how a malicious user can reverse engineer an application and modify its behavior. In Chapter 7, we showed this with the SecureApp.apk application as one of many ways in which a malicious user can achieve this. In this tutorial, we demonstrate a few ways in which a malicious user can modify an application's behavior to add or remove functionality. Specifically, we show how behavior can be modified by decompiling the application into smali code, editing it, recompiling it and packaging it back into an apk file. The authors have created a simple application that requires the user to enter the correct passcode before using the application. We demonstrate how a malicious user can potentially bypass this intended functionality.

Figure 1 – Secure App on Android Emulator

Figure 2 – Successful login on Secure App


Step 1: Analyze and decompile the application

The first step in analyzing or reverse engineering an application is to understand its behavior. Typically this entails installing and using the application and going through the different functionality it provides. In our case, we can install the application on an emulator and try to use it. As seen in Figure 1, launching the application presents the user with a password screen. At this point we do not know the length of the password required, or whether the password is numeric (a PIN) or an arbitrary string. We notice (by trial and error) that the application only accepts numeric digits as the password. We also notice that the maximum number of digits the application allows us to enter is 4. Thus we can conclude that the password is all numeric and is 4 digits in length. This already shrinks the search space to 10,000 candidates, which matters for the offline attack discussed in Step 2.

Figure 3 – Analyzing application behavior

Figure 4 – Decompiling SecureApp.apk using apktool

Figure 5 – smali and other files created by apktool

Figure 6 – KeyPad.smali file

We can decompile the application file (apk) by using apktool. Figure 4 shows SecureApp.apk decompiled into the secure_app folder. Browsing through the folder (Figure 5), we note that there is a smali folder; the smali files are found in its test directory. Note that there are smali files beginning with the KeyPad and R prefixes. One can conclude that the application had two java files, KeyPad.java and R.java (KeyPad$1.smali is the anonymous inner class, typically a click listener, compiled from KeyPad.java).

Step 2: Make changes to application

Reading through the smali code in KeyPad$1.smali, one can conclude that SHA-256 is used to hash the password the user enters on the login screen of the application. The resulting hash is then compared against a stored hash, and if they are equal, the user is logged in to the application.

Figure 7 – SHA-256 string in KeyPad$1.smali


The stored hash is loaded into v8 and compared against the computed hash in v10 (line 51). If these values are the same, the user is logged in. We can compute the SHA-256 hash of a password of our choice and replace the constant loaded into v8 with it, thus changing the password and bypassing authentication. Figure 8 shows the original smali file created by apktool, and Figure 9 shows the modified smali file with the following entry (the SHA-256 hash of "1234" with a salt): const-string v8, "2DD225ED6888BA62465CF4C54DB21FC17700925D0BD0774EE60B600B0172E916"

Figure 8 – if-eqz v10 compares the computed hash value against that in v8

Figure 9 – Entering a hash value of our choice in v8


Note that a salt is usually passed to the hash algorithm along with the password. To change the password successfully, we will need to do one of the following:

1. Change the salt value the application uses to a value of our choosing, or
2. Hash our desired password together with the application's existing salt to get a new SHA-256 value, and change the code within the application to use this new hash value.

Either way, we will need to identify where the salt value is stored. Let's look at the files in the 'res' directory (see Figure 10). There is a 'values' folder inside /res of the recently decompiled application directory. 'values' has three xml files: ids.xml, public.xml and strings.xml. Let's look at the contents of strings.xml (see Figure 11). We see both the hash value and the salt value in this xml file. This example also shows why it is important not to store sensitive information in strings.xml or other resource files: apktool decodes them into plain text that anyone holding the apk can read, and a salted hash of a 4-digit PIN is no protection once the salt is known.
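The two routes just described, as an added example that is not part of the book's code: once apktool has exposed the salt and the stored hash in strings.xml, and Step 1 has established that the PIN is four numeric digits, the original PIN can simply be recovered offline by brute force (no code change at all), or the const-string loaded into v8 can be rewritten to the salted hash of a PIN of our choosing. The resource names "hash" and "salt", the concatenation order of salt and PIN (both orders are tried), upper-case hex output, and the sample strings.xml and smali fragment are all assumptions constructed for this example, not taken from SecureApp.apk.

```python
"""Offline PIN recovery and smali patching for a SecureApp-style login check.

Added example, not the book's code. ASSUMPTIONS: resource names "hash"/"salt",
salt+PIN vs PIN+salt ordering (both tried) and upper-case hex are guesses; the
strings.xml and smali samples below are constructed, not from SecureApp.apk.
"""
import hashlib
import re
import xml.etree.ElementTree as ET


def salted_sha256(pin: str, salt: str, salt_first: bool = True) -> str:
    """SHA-256 over salt||PIN (or PIN||salt), upper-case hex like the v8 constant."""
    data = (salt + pin) if salt_first else (pin + salt)
    return hashlib.sha256(data.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for res/values/strings.xml as apktool decodes it.
_SALT = "s3cr3t"
_PIN = "4321"   # the PIN the sample was built with; recover_pin() must find it
SAMPLE_STRINGS_XML = f"""<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">SecureApp</string>
    <string name="salt">{_SALT}</string>
    <string name="hash">{salted_sha256(_PIN, _SALT)}</string>
</resources>"""

# Constructed fragment of KeyPad$1.smali: stored hash in v8, computed hash in v10.
SAMPLE_SMALI = """    const-string v8, "2DD225ED6888BA62465CF4C54DB21FC17700925D0BD0774EE60B600B0172E916"
    invoke-virtual {v10, v8}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
    move-result v10
    if-eqz v10, :cond_fail
"""


def load_secrets(strings_xml: str) -> dict:
    """Pull every <string name=...> resource out of a decoded strings.xml."""
    root = ET.fromstring(strings_xml)
    return {e.get("name"): (e.text or "") for e in root.iter("string")}


def recover_pin(stored_hash: str, salt: str, digits: int = 4):
    """Route without code changes: try every numeric PIN of the given length.

    Returns (pin, salt_first) on a match, None otherwise. 10^4 candidates times
    two orderings is instant; this is why a short PIN plus a readable salt fails.
    """
    target = stored_hash.upper()
    for n in range(10 ** digits):
        pin = str(n).zfill(digits)
        for salt_first in (True, False):
            if salted_sha256(pin, salt, salt_first) == target:
                return pin, salt_first
    return None


# The 64-hex-digit string literal loaded into v8 (the value if-eqz ends up testing).
_V8_CONST = re.compile(r'(const-string\s+v8,\s*")[0-9A-Fa-f]{64}(")')


def patch_smali(smali_text: str, new_hash: str):
    """Route 2: swap the stored hash in v8 for the hash of our chosen PIN.

    Returns (patched_text, number_of_replacements); 0 means the pattern was not
    found and apktool b would rebuild an unchanged apk.
    """
    return _V8_CONST.subn(r"\g<1>" + new_hash + r"\2", smali_text)


def demo():
    secrets = load_secrets(SAMPLE_STRINGS_XML)
    recovered = recover_pin(secrets["hash"], secrets["salt"])
    patched, count = patch_smali(SAMPLE_SMALI, salted_sha256("1234", secrets["salt"]))
    return recovered, count, patched


if __name__ == "__main__":
    pin, count, patched = demo()
    print("recovered PIN:", pin)
    print("v8 constants rewritten:", count)
    print(patched)
```

In a real run, `load_secrets` would be fed the strings.xml from the secure_app/res/values folder and `patch_smali` the contents of KeyPad$1.smali; the patched text is written back in place before `apktool b`. If the application had used a per-install random salt and a slow, iterated KDF instead of one SHA-256 over a resource-file salt, the brute-force route would stop being instant, but the v8 rewrite would still work, which is why a client-side check alone cannot protect anything of value.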

Figure 10 – contents of /res folder

Figure 11 – strings.xml



Step 3: Re-compile application

The modified smali code can be assembled back and packaged into an apk file with the following command, run against the directory apktool created in Step 1:

apktool b secure_app

The new apk needs to be signed before it can be installed on a device or emulator. The signapk tool is freely available on the web for download. (Recent Android versions also verify the APK Signature Scheme v2/v3, so the apksigner tool shipped with the Android SDK build-tools is the more reliable choice today.) After installing the modified apk, the reader can use "1234" as the password to use the application.

Figure 12 – additional directories created by the apktool b command

Figure 13 – New apk will be placed in the dist directory

Figure 14 – Signing the new APK file