8

Is there a way of obtaining a list of 3rd party libraries being used by an Android APK file, without access to the source code?

I'm thinking of 2 options:

1. Using a tool such as LibRadar to detect. However, as far as I know, it uses signature based detection, and hence is not comprehensive.

2. Use jadx to decompile the APK file, and manually traverse through all source folders that aren't the app package name.

For example, if my app is com.myapp, I'll traverse through all source folders that are outside of com/myapp.

As far as I can tell, there are 2 problems with this:

a. Obfuscated libraries will have obfuscated names, so I will have a bunch of libraries detected as a.a.a , a.a.b, etc

b. I won't know where to stop. For example, a library's package name may be com.somelibrary, but may have multiple sub folders under the main folder, e.g. com/somelibrary/a, com/somelibrary/b, etc. I have no way of knowing what the root folder of the library is.

Is there a consistent, accurate way of listing 3rd party libraries without the above limitations?

user1118764
  • 9,255
  • 18
  • 61
  • 113
  • 1
    Great question. I have been working on the same problem as a part of the project. The two methods that you have mentioned are the only options that I know of. What I concluded is that no method is going to be comprehensive. But, with Libradar source code given on Github, you can create signatures of libraries that you think are missing and add them to the dataset. However, to do this, you will need a dataset of apps that contain those libraries. If your goal is to just find Libraries from one APK then that will be a lot of work, but it will be beneficial if you are working with a bigger datase – user3046442 Dec 04 '20 at 06:21

0 Answers0