DIZZ post, dedicated to the security enthusiasts out there who have trouble setting up the environment for their tools
Are you tired of setting up the right environment for your tools?
if(yes){
then you've come to the right place
}else{
well okay! you're good to go lad! (ノಠ益ಠ)ノ彡┻━┻
}
Recently I tried to do some testing with the Androguard tool to help me with a reverse engineering task on an Android application. The tool is super cool: it allows the user to interactively touch the source code of the application from an IPython shell, where you can examine the Dalvik bytecode or the Java source code. But like every good tool it is really confusing when you try to set it up on your host; I tried a few sources on how to set it up correctly but ended up with some confusing errors. So I decided to find an alternative. After surfing the internet I found that one of the solutions is to use the "docker" engine.
So what is the Docker engine?
To put it in simple terms, Docker uses virtualization technology like a virtual machine but at a much higher level: rather than emulating the whole system, Docker only packages and isolates the application, which is pretty cool. I encourage all of you to study a little about Docker, because many enterprises in the cyber security field also use Docker technology in their systems, and it is not really difficult to set up.
I really recommend this YouTube channel to learn about setting up and operating Docker: https://www.youtube.com/watch?v=Vyp5_F42NGs&t=2212s
(you sir have my respect)
OK so let's get started
The good news is that dweinstein has created a Docker image for the Androguard tool, so we don't have to create it from scratch. So fire up your Docker and start pulling the image:
~$ sudo docker pull dweinstein/androguard
The command above pulls the image and stores it on your host.
After the image has finished downloading you just have to start the container. According to the full description you can start it with this command:
~$ sudo docker run -it -v ~/samples/:/root/samples/ dweinstein/androguard
but of course don't forget to change the samples directory to wherever your APKs live (the -v flag mounts that host directory into the container).
Of course some of you may have found an alternative Docker container along the way, such as the Honeynet Project's Androguard. Well, I did try it but unfortunately I encountered a bug in its androlyze program; you can look up the issue here:
https://github.com/AndroBugs/AndroBugs_Framework/issues/1
Well, if you want to run the Docker container again and continue your process, you can do it like this:
Let's start by doing some simple analysis on the APK: using the "get_files" method you can list all of the files inside the APK file.
If you ever get lost just use the TAB key to see the list of the commands you can use in the package.
Using the "files" method shows a similar result but with additional information such as the type of each file.
You can list all the activities inside the APK using "get_activities()"; this method shows the core components used in the application. If you just want to know the main activity use "get_main_activity()".
Now we get to the deeper analysis: the "AnalyzeAPK" method decompiles the application using the dad decompiler. Androguard uses the dad decompiler by default.
You can search all classes or methods that contain a specific string using the "show_paths()" function.
Note that "show_paths()" is case sensitive:
If you want to see the source code use the "get_source()" function. In this example I dump the source code of the LoginActivity class; as you can see in the third picture, the username and login used for authentication are sent by explicit intent to another class in order to be processed.
To show the method details you can use "get_methods()" and access the details using "show_info()".
We can see how powerful Androguard can be; with this much information we could create our own automated decompiling script in Python. How do we do it?
First we must define the location of the class that we want the source code of. As you can see from the previous commands I showed you, in order to get the source code you need to change the path of the class from "." to "_" and prepend "CLASS_L" to the name. So with the following code we can edit the name and append the "get_source()" function.
But wait a minute, how the hell can we use that, because it is the value of a variable and not a command? Fortunately Python has the function "eval()" which can turn your variable's value into a function call. So use that function inside our loop and save the output to a file. Pretty easy, right?
WALLLLAAA, we just got the source code of all the activities of the application. The script can be found at the following GitHub URL:
(url: https://github.com/acaciaworld80/100dayofpentesting/blob/master/dump_source_code(day%201).txt)
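As an added example, not the script from the post and not Androguard's own code, here is the same automation (the androlyze exploration above plus the dump loop) written without eval(): the manifest activity name is turned into the Dalvik descriptor that Androguard's get_class() takes, with getattr() on the CLASS_L... name the post describes as a fallback, so no string built from the APK's manifest is ever evaluated as Python. An activity that is declared in the manifest but has no class in the dex is recorded as missing instead of crashing the loop partway through. It assumes the androlyze convention the post relies on, that AnalyzeAPK returns (a, d, dx), and the get_activities(), get_package(), get_class() and get_source() calls; _FakeDex and _FakeClass are constructed stand-ins so the helpers can be exercised without an APK on hand.

```python
import re
from pathlib import Path


def qualify(activity, package=None):
    """Expand a manifest-relative name ('.LoginActivity') with the package name."""
    if activity.startswith("."):
        if not package:
            raise ValueError("relative activity name %r needs the package" % activity)
        return package + activity
    return activity


def activity_to_descriptor(activity, package=None):
    """Manifest name -> Dalvik descriptor, the key Androguard's get_class() expects.
    'com.example.LoginActivity' -> 'Lcom/example/LoginActivity;'; inner classes keep '$'."""
    return "L" + qualify(activity, package).replace(".", "/") + ";"


def activity_to_androlyze_name(activity, package=None):
    """Manifest name -> the CLASS_L... attribute the androlyze shell exposes
    (the string the post feeds to eval()); '/' and '$' become '_'."""
    descriptor = activity_to_descriptor(activity, package)
    return "CLASS_" + re.sub(r"[^A-Za-z0-9_]", "_", descriptor[:-1])


def lookup_class(dexes, activity, package=None):
    """Find the class object for an activity in any dex, or None if it is absent.
    getattr() on the CLASS_L... name is the lookup androlyze does behind eval()."""
    for dex in dexes:
        cls = dex.get_class(activity_to_descriptor(activity, package))
        if cls is None:
            cls = getattr(dex, activity_to_androlyze_name(activity, package), None)
        if cls is not None:
            return cls
    return None


def collect_activity_sources(dexes, activities, package=None):
    """Return {fully-qualified activity: decompiled source or None}.
    A manifest entry with no class in the dex (stripped library code, a typo)
    yields None instead of aborting the whole dump."""
    sources = {}
    for activity in activities:
        cls = lookup_class(dexes, activity, package)
        sources[qualify(activity, package)] = cls.get_source() if cls is not None else None
    return sources


def write_sources(sources, out_dir):
    """Write each recovered source to <out_dir>/<activity>.java; return the paths written."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    written = []
    for name, src in sources.items():
        if src is None:
            continue
        safe = re.sub(r"[^A-Za-z0-9_.$]", "_", name)  # no path separators, stays inside out_dir
        path = out / (safe + ".java")
        path.write_text(src)
        written.append(path)
    return written


def dump_apk(apk_path, out_dir):
    """End to end: AnalyzeAPK -> declared activities -> one .java file each.
    Assumes AnalyzeAPK returns (a, d, dx); `d` is one DalvikVMFormat in
    androguard 2.x and a list (one per dex) in 3.x, so both shapes are accepted."""
    from androguard.misc import AnalyzeAPK  # lazy import: helpers above work without androguard
    a, d, dx = AnalyzeAPK(apk_path)
    dexes = d if isinstance(d, list) else [d]
    sources = collect_activity_sources(dexes, a.get_activities(), a.get_package())
    return write_sources(sources, out_dir)


# Constructed stand-ins (not Androguard classes) so the helpers run without an APK.
class _FakeClass:
    def __init__(self, src):
        self._src = src

    def get_source(self):
        return self._src


class _FakeDex:
    def __init__(self, classes):
        self._classes = classes

    def get_class(self, descriptor):
        return self._classes.get(descriptor)


def demo():
    dex = _FakeDex({
        "Lcom/example/LoginActivity;": _FakeClass("public class LoginActivity { }"),
        "Lcom/example/Main$Inner;": _FakeClass("public class Inner { }"),
    })
    # The third activity is declared but has no class: exactly the mismatch that
    # makes a naive eval() loop raise halfway through the dump.
    return collect_activity_sources(
        [dex], ["com.example.LoginActivity", ".Main$Inner", "com.example.Missing"], "com.example")


if __name__ == "__main__":
    for name, src in demo().items():
        print(name, "->", "no class found" if src is None else src)
```

For a real APK, dump_apk("/root/samples/app.apk", "/root/samples/out") inside the container does what the post's loop does, one .java per activity, and the None entries tell you which manifest entries had no code behind them.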
references:
http://blog.k3170makan.com/2014/11/automated-dex-decompilation-using.html?utm_medium=referral&utm_campaign=ZEEF&utm_source=https%3A%2F%2Fmobile-security.zeef.com%2Foguzhan.topgul
http://blog.k3170makan.com/2014/11/automated-dex-decompilation-using_23.html?utm_medium=referral&utm_campaign=ZEEF&utm_source=https%3A%2F%2Fmobile-security.zeef.com%2Foguzhan.topgul
http://bitjudo.com/blog/2014/04/24/analyzing-an-android-app-with-docker-and-androguard/?utm_medium=referral&utm_campaign=ZEEF&utm_source=https%3A%2F%2Fmobile-security.zeef.com%2Foguzhan.topgul