Android Penetration Testing: APK Reverse Engineering


Uncrackable is a deliberately vulnerable APK created by Bernhard Mueller and later adopted by the OWASP MSTG project. Level 1 of the four-level series of challenge APKs focuses on the basics of root detection bypass and hooking in order to recover a secret encryption key.


The Android decompilation process is fairly straightforward and resembles Java decompilation in many respects. The basics of the decompilation process have already been covered in a previous article here. It is strongly recommended that you read paragraph 3 of that article first and then continue with this section.

Note that Dalvik bytecode is stored in the *.dex format. The dex file is the compiled version of the source code; it is packaged together with the resources, the manifest and META-INF (the certificate) into a zip archive, which is what an Android application with the extension *.apk is.

Smali files and modification:

Smali is to Android what assembly is to Windows: it is the human-readable form of Dalvik bytecode. Baksmali is the tool that disassembles dex into smali files. Here, note that baksmali has converted classes.dex into smali files.

Signing the APK and rebuilding:

The error I got, and which you most likely got as well, is a certificate error. Android uses what is called a certificate and a keystore. A public-key certificate, also known as a digital certificate or an identity certificate, contains the public key of a public/private key pair, along with other metadata identifying the owner of the key (for example, name and location). The owner of the certificate holds the corresponding private key.

When you sign an APK, the signing tool attaches the public-key certificate to the APK. The public-key certificate serves as a "fingerprint" that uniquely associates the APK with you and your corresponding private key. This helps Android ensure that any future updates to your APK are authentic and come from the original author. The key used to create this certificate is known as the app signing key.

A keystore is a binary file that contains one or more private keys.

Each app must use the same certificate throughout its lifespan so that users are able to install new versions as updates to the app.
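To make the certificate error concrete, here is an added example (not code from the original article or from the Uncrackable project) that builds a constructed, minimal APK-style zip, adds v1 (JAR-style) META-INF signing entries, and then checks what a rebuilt package looks like to a v1 verifier: no certificate block, or a classes.dex whose digest no longer matches MANIFEST.MF. The dex and manifest bytes and the CERT.SF/CERT.RSA contents are placeholders; the check is structural only and does not verify the PKCS#7 signature or the v2/v3 signing blocks.

```python
import base64
import hashlib
import io
import zipfile

# Constructed stand-ins for the archive entries an APK carries (not real bytecode).
ENTRIES = {
    "AndroidManifest.xml": b"<manifest package='example.constructed'/>",
    "classes.dex": b"constructed-not-real-dex-bytes",
}


def _digest(data: bytes) -> str:
    """Base64 SHA-256, the digest form used in a JAR/v1 MANIFEST.MF."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def build_manifest_mf(entries: dict) -> bytes:
    """One Name/SHA-256-Digest block per entry, as MANIFEST.MF lists them."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in entries.items():
        lines += [f"Name: {name}", f"SHA-256-Digest: {_digest(data)}", ""]
    return ("\n".join(lines) + "\n").encode()


def build_apk(entries: dict, signed: bool) -> bytes:
    """Zip the entries; when signed, add the META-INF files (CERT.* are placeholders)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(name, data)
        if signed:
            z.writestr("META-INF/MANIFEST.MF", build_manifest_mf(entries))
            z.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
            z.writestr("META-INF/CERT.RSA", b"placeholder-pkcs7-block")
    return buf.getvalue()


def repack_with_patched_entry(apk: bytes, name: str, data: bytes) -> bytes:
    """Naive rebuild: replace one entry but keep the old META-INF untouched."""
    src = zipfile.ZipFile(io.BytesIO(apk))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for n in src.namelist():
            z.writestr(n, data if n == name else src.read(n))
    return buf.getvalue()


def check_v1_signing(apk: bytes) -> str:
    """Why the package would fail at the v1 layer: no certificate, or a digest mismatch."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        names = z.namelist()
        if not any(n.startswith("META-INF/") and n.rsplit(".", 1)[-1] in ("RSA", "DSA", "EC") for n in names):
            return "unsigned: no certificate block in META-INF"
        if "META-INF/MANIFEST.MF" not in names:
            return "unsigned: no MANIFEST.MF"
        manifest = z.read("META-INF/MANIFEST.MF").decode()
        for name in names:
            if name.startswith("META-INF/"):
                continue
            if f"Name: {name}\nSHA-256-Digest: {_digest(z.read(name))}\n" not in manifest:
                return f"tampered: digest mismatch for {name}"
    return "ok"
```

Patching smali and repacking without re-signing produces the second failure mode; only re-signing with a keystore (which regenerates META-INF) clears it.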

Solving the challenge:

Now the task is to extract the secret string and have it validated as the flag. On further investigation we noticed that method a() returns the value of the secret string. Ha! This is poor practice, but helpful in our case.