Security Analysis for Android app APK

Question

I am working on a project where I am asked to manually conduct security analysis on android app APKs, such as Misuse of Phone Identifiers, Exposure of Physical Location ...ect. The burden lies in the fact that I don't know how to go about it. I know how to decompile the apk into java classes but what after that?

My question: are there best practices, tools, universal guide to conduct such analysis?

score 0 · Accepted Answer · edited May 23 '17 at 12:31

0

While this is a very general question that requires extensive understanding the security field, here are some options...

Decompile the app from dex->jar->java and see how well the code is obfuscated. More info here: decompiling DEX into Java sourcecode
Intercept the packets that are being sent through a WiFi router using WireShark or some alternative. If the packets are sending raw locations you know something is wrong. A real life example was this: Marijuana app reveals location

edited May 23 '17 at 12:31

Community

1
1

answered Apr 27 '16 at 19:27

Quinn Turner

232
1
2
11

Thank you so much for your reply @Quinn. I realize my question maybe be considered general but as a student and beginner in the security field, I have little understanding and experience in conducting such analysis. Hence I am wondering how to do the manual analysis, is there a universal method for doing so?or its just looking for possible volunerbalities and report them! – EnTaim Apr 28 '16 at 07:41
Every security researcher has their own approach to finding vulnerabilities. The "best approach" for finding vulnerabilities depends on the software type and the activities they are doing. You expressed some of the activities that you are supposed to tackle, and the above approaches are a decent start. – Quinn Turner Apr 28 '16 at 12:57
Hello @Quinn can you advise me on other vulnerable apps, because I tried so many times to decode the "HighThere" APK but I consistently receive the "Could not decode the arcs file" error when using the APKtool, and when I try the manual decoding steps using the dex2jar and JD-GUI I have the .java files but not the manifest. – EnTaim Apr 29 '16 at 10:55
Apparently Apktool was updated to decode the arcs file: http://stackoverflow.com/a/30695269/4400318 Unless you are extremely skilled in Java and have a lot of time, chances are you won't be able to unobfuscate the java files. Either way, you have a difficult task ahead of you. – Quinn Turner Apr 29 '16 at 11:40

Security Analysis for Android app APK

1 Answers1