Skip to content

Android Reverse Engineering

Android Reverse Engineering

Why Reverse Engineer APKs?

  1. Security Research & Vulnerability discovery

Find bugs, insecure data handling or hardcoded secrets so developers can fix them

  1. Malware Analysis/ Forensics

Investigators and Analysts open unkown APKs to see what they do , how they persist , what servers they contact and whether they steal data

  1. Compatibility & porting

Understand app behavior to port features to other platforms or to make an app work on different devices/ROMs

  1. Debugging & Crash Investigation

Inspecting shipped code/resources to trace causes of crashes in production builds

  1. Education & Learning

Students and devs study real apps to learn Android internals, architecture and best practices

  1. Recovering lost source
    Recreate code when original source is lost but APK remains

Illegal Motives

  1. Piracy/cracking
  2. Plagiarism/IP theft
  3. Tampering/spyware
  4. Bypassing payment or DRM - enabling paid features without paying

Disassembly using apktool

Workflow:

  1. Decompile APK to SMALI code using apktool d [apk-name]
  2. Examine and modify SMALI code (cannot modify Java source directly and recompile)
  3. Reassemble using apktool b [folder-name]
  4. New APK created in dist folder
  5. Must sign APK before installation

Example demonstrated: Modified calculator app to multiply instead of add

APK Signing in Android

  • Cannot install unsigned APKs: The modified APK cannot be installed without being signed first
  • Traditional Signing approach: In traditional implementations of code signing , the public certificate is chained to a root certificate. The root certificate can come only from a limited set of certificate arthritis for controlling the public certificates charged to them, so their identities can be trusted
  • Before Android, the platform owner or carriers would serve as solve CA.
  • For each app being installed, the platform would verify the app was signed by the platform’s CA, effectively controlling which apps the user was allowed to install.
  • Android's unique signing approach: Unlike iOS (which uses centralized certificate authorities), Android allows developers to create their own public-private key pairs
  • Signing certificate - Application provides a public key identifying who its source is and a private key to sign the code
  • The OS uses public key to verify that the app came from the author it claims by verifying against its signing certificate
  • Android's philosophy: Avoid giving any single platform, device, or service provider absolute control over what users install
  • Purpose of signing in Android:
  • Ensures app updates come from the same developer (same private key)
  • Enables signature permissions: allows two apps from the same developer to interact if signed with the same private key
  • Anyone can reverse engineer an APK, sign it with their own key, and publish it on third-party websites
  • Google Play Store runs extensive security checks to prevent malicious APKs, though some have occasionally gotten through

Google Play Store Publishing Details

  • Developers pay a one-time fee (approximately $25) for a Google developer license, unlike Apple's $99/year
  • Modern process: Upload AAB (Android App Bundle) files instead of APKs
  • Google offers managed publishing where they handle signing
  • Developers can recover keys from previous APKs if the original key is lost

Steps to sign an apk

You have disassembled an APK, modified SMALI code, and reassembled it. Now you need to sign it for installation.

🔍 What to Look For:

  • Reassembled APK in DIST folder
  • Zipalign tool (comes with Android Studio)
  • APK Signer tool (comes with APK Tool)

⚙️ Steps:

Step 1: Align the APK

  • Command: zipalign -v 4 dist/original.apk sc.apk
  • This realigns the APK structure after modification
  • Add zipalign path to environment variables (found in Android Studio build tools)

Step 2: Generate Keystore

  • Command: keytool -genkey -v -keystore my-keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000
  • Creates RSA key pair (2048 bit) valid for 10,000 days
  • Enter password when prompted
  • Fill in organization details or skip by pressing Enter
  • When asked "Is this correct?", type 'y' and continue

Step 3: Sign the APK

  • Command: apksigner sign --ks my-keystore --out signed.apk sc.apk
  • Use the same password entered during keystore creation
  • Delete extra 'b' or 'c' characters that may appear when copying commands
  • Verification command (optional): apksigner verify signed.apk

🧠 Why This Works:

  • Zipalign optimizes the APK structure for Android system
  • Keystore provides cryptographic signature that Android verifies during installation
  • Anyone can generate keys and sign APKs; Android doesn't require Google Play Store authentication

Understanding Reverse Engineering Modus Operandi

🧩 Situation:

Understanding how attackers spread cracked APKs or malware-laden apps.

⚙️ Attacker Process:

  1. Disassemble legitimate APK to SMALI code
  2. Modify SMALI code (change Boolean variables, add malicious functionality, remove ads, unlock features)
  3. Reassemble the APK
  4. Sign it with their own keys
  5. Publish on third-party websites
  6. Broadcast through social media

Example Demonstrated:

  • Modified calculator app: changed addition operation to multiplication in SMALI code
  • When user clicked "plus", numbers were multiplied instead

🧠 Why This Works:

Android's open signing model allows anyone to sign APKs . Users installing from third-party sources don't verify the signer's authenticity, making this a common malware distribution method.