Androguard: A simple step by step guide

Reversing Android applications is something I do very regularly. Thus, I thought that writing some small and simple step by step guides for the available tools could be helpful for the community, especially for people who are just starting to work on this topic.

Today I will start with Androguard, but I hope that there will be enough time in the future to continue those guides for other tools.

In general, there are a few simple steps every Android reverser follows:

  1. Analyzing the AndroidManifest for permissions and activities
  2. Unpacking the Android application (apk file) to get all its files, especially the classes.dex
  3. Translating the Dalvik bytecode to Java bytecode (or similar)
  4. Analyzing the generated code

With the help of Androguard you can perform all those steps with one single interactive tool.

First of all, download the most current Androguard release and install any missing Python dependencies. Afterwards you can start the real analysis by launching the interactive Androguard shell with the following command:

Now we can tell Androguard which apk we would like to analyze and which decompiler we would like to use:

As described in the workflow above, we now want to get some information from the manifest. In this case we start with the requested permissions:

Additionally, we can get some more information like package name and the displayed name of the application in question:

For an in-depth analysis of an application we now need an entry point into it. The easiest way to find one is to look for the main activity, as this is the normal entry point that is invoked as soon as a user taps the app icon on the home screen:

OPTIONAL: We can also list all activities an application has, but the main activity should always be a good choice to start with:

OPTIONAL: At this point we could also display every Java class within the application in question and look for suspicious class names (if there are any):

Within this output we see that there are only two classes of interest – MagicSMSActivity and SMSReceiver – and one of these is our main activity. Now it is time to dive deeper into the application and check what it is really doing. For this we can use the decompiler of Androguard and look at the source of the main activity (the output is truncated because we just want to demonstrate the power of the tools used):

Now we know that the application tries to send out SMS messages and displays some strange error message to the user. The next question is: does the app also check for incoming messages? So we need to check for registered receivers:

And again we can get the Java sources of this class:
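As an added example that is not part of the original post and does not use Androguard itself, here are the manifest queries from the walkthrough (permissions, package and app name, main activity, all activities, registered receivers) done in one pass with Python's standard library on a decoded AndroidManifest.xml. It assumes the binary manifest inside the apk has already been converted to plain XML (Androguard or apktool can do this); the sample manifest, package name and class names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest (not the post's app), already decoded to plain XML.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.magicsms">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Magic SMS">
    <activity android:name=".MagicSMSActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity"/>
    <receiver android:name=".SMSReceiver"><intent-filter>
      <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
    </intent-filter></receiver>
  </application>
</manifest>"""

def attr(elem, name):  # read an android:-namespaced attribute such as android:name
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def filter_names(component, tag):  # per intent filter: the <action> or <category> names it declares
    return [{attr(e, "name") for e in f.findall(tag)} for f in component.findall("intent-filter")]
def is_launcher(activity):
    # The main activity has an intent filter carrying both action MAIN and category LAUNCHER.
    return any("android.intent.action.MAIN" in acts and "android.intent.category.LAUNCHER" in cats
               for acts, cats in zip(filter_names(activity, "action"), filter_names(activity, "category")))

def analyze_manifest(xml_text):
    """Collect in one pass the manifest facts the walkthrough above queries one by one."""
    root = ET.fromstring(xml_text)
    package, app = root.get("package"), root.find("application")
    def full_name(elem):  # a leading "." means the class name is relative to the package
        name = attr(elem, "name")
        return package + name if name.startswith(".") else name
    activities = app.findall("activity")
    main = [full_name(a) for a in activities if is_launcher(a)]
    return {
        "package": package,
        "app_name": attr(app, "label"),
        "permissions": [attr(p, "name") for p in root.findall("uses-permission")],
        "main_activity": main[0] if main else None,
        "activities": [full_name(a) for a in activities],
        # Receivers together with the broadcast actions they register for.
        "receivers": {full_name(r): sorted(set().union(*filter_names(r, "action")))
                      for r in app.findall("receiver")},
    }
```

The receiver entry is the quick answer to the "does the app check for incoming messages" question: a receiver registered for the SMS_RECEIVED broadcast is what to look at next in the decompiled source.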

Androguard still has a lot more power, but I think this should be enough for a first hands-on.
