MASTG-TECH-0013: Reverse Engineering Android Apps
Android's openness makes it a favorable environment for reverse engineers, offering significant advantages not available on iOS. Because Android is open-source, you can study its source code at the Android Open Source Project (AOSP) and modify the OS and its standard tools any way you want. Even on standard retail devices, it is possible to do things like activating developer mode and sideloading apps without jumping through many hoops. From the powerful tools included with the SDK to the wide range of reverse engineering tools available, there are many features to make your life easier.
However, there are a few Android-specific challenges as well. For example, you'll need to deal with both Java bytecode and native code. The Java Native Interface (JNI) is sometimes used deliberately to hinder reverse engineering (to be fair, there are legitimate reasons for using JNI, such as improving performance or supporting legacy code). Developers sometimes move data and functionality into the native layer to "hide" them, and they may structure their apps so that execution frequently crosses between the two layers, which forces you to follow a bytecode listing and a native disassembly side by side.
You'll need at least a working knowledge of both the Java-based Android environment and the Linux OS and kernel on which Android is based. You'll also need the right toolset to work with both the Dalvik bytecode that runs on the Android Runtime (ART) and native code.
To reverse engineer Android apps, consider the following techniques: Disassembling Code to Smali, Decompiling Java Code, and Disassembling Native Code.
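The first thing to establish when an app crosses the JNI boundary is where it does so: which Smali classes declare `native` methods, which shared libraries they load, and which exported symbols in those libraries implement them. The script below is an added example written for this page, not part of MASTG or of any tool it references. It parses a constructed Smali class (the kind of listing `apktool`/`baksmali` produce) to extract `System.loadLibrary` calls and `native` method declarations, and derives the JNI export names (`Java_<mangled class>_<mangled method>`, plus the overloaded form with the mangled argument descriptors) that you would then look for in the `.so`. The class, method and library names are invented for illustration.

```python
import re

# Constructed sample Smali class for illustration; not taken from any real app.
SAMPLE_SMALI = """\
.class public final Lcom/example/app/NativeBridge;
.super Ljava/lang/Object;

.method static constructor <clinit>()V
    .registers 1
    const-string v0, "native-lib"
    invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V
    return-void
.end method

.method public static native getSecret(Ljava/lang/String;)Ljava/lang/String;
.end method

.method public static native check_pin([BI)Z
.end method

.method public native verify(Ljava/lang/String;)Z
.end method

.method public static helper()V
    .registers 0
    return-void
.end method
"""

CLASS_RE = re.compile(r'^\.class\s+(?:\w+\s+)*L([^;]+);', re.M)
NATIVE_RE = re.compile(r'^\.method\s+(?:\w+\s+)*native\s+(\w+)\(([^)]*)\)(\S+)', re.M)
CONST_STR_RE = re.compile(r'const-string(?:/jumbo)?\s+([vp]\d+),\s*"([^"]*)"')
LOADLIB_RE = re.compile(
    r'invoke-static\s*\{([vp]\d+)\},\s*Ljava/lang/System;->loadLibrary\(Ljava/lang/String;\)V')


def mangle(s):
    """Apply the JNI name-mangling rules to a class name, method name or
    argument descriptor: '/' -> '_', '_' -> '_1', ';' -> '_2', '[' -> '_3',
    any other non-ASCII-alphanumeric character -> '_0xxxx'."""
    out = []
    for ch in s:
        if ch == '_':
            out.append('_1')
        elif ch == ';':
            out.append('_2')
        elif ch == '[':
            out.append('_3')
        elif ch in '/.':
            out.append('_')
        elif ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            out.append('_0%04x' % ord(ch))
    return ''.join(out)


def jni_symbol(class_name, method, args=None):
    """Short JNI export name; with args, the long (overloaded) form."""
    short = 'Java_' + mangle(class_name) + '_' + mangle(method)
    return short if args is None else short + '__' + mangle(args)


def find_loaded_libraries(smali):
    """Track const-string registers so the library name passed to
    System.loadLibrary is recovered regardless of which register is used."""
    libs, last_const = [], {}
    for line in smali.splitlines():
        line = line.strip()
        m = CONST_STR_RE.match(line)
        if m:
            last_const[m.group(1)] = m.group(2)
            continue
        m = LOADLIB_RE.match(line)
        if m:
            # If the register was not set by a const-string, the name is
            # computed at runtime; flag it rather than guess.
            libs.append(last_const.get(m.group(1), '<dynamic>'))
    return libs


def find_native_methods(smali):
    """List every native method in the class with the export names to grep for."""
    cls = CLASS_RE.search(smali).group(1)
    result = []
    for name, args, ret in NATIVE_RE.findall(smali):
        result.append({
            'class': cls, 'name': name, 'args': args, 'ret': ret,
            'symbol': jni_symbol(cls, name),
            'overloaded_symbol': jni_symbol(cls, name, args),
        })
    return result


if __name__ == '__main__':
    print('libraries:', find_loaded_libraries(SAMPLE_SMALI))
    for m in find_native_methods(SAMPLE_SMALI):
        print(m['name'], '->', m['symbol'], '|', m['overloaded_symbol'])
```

Run it over the `smali/` tree of an unpacked APK one file at a time, then confirm the exports with `nm -D --defined-only libnative-lib.so | grep Java_`. If a declared `native` method has no matching `Java_` export, the library binds it at load time from `JNI_OnLoad` via `RegisterNatives`, so the native disassembly has to start there instead.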
Tests
MASTG-TEST-0283: Incorrect Implementation of Server Hostname Verification
MASTG-TEST-0295: GMS Security Provider Not Updated
MASTG-TEST-0233: Hardcoded HTTP URLs
MASTG-TEST-0284: Incorrect SSL Error Handling in WebViews
MASTG-TEST-0286: Network Security Configuration Allowing Trust in User-Provided CAs
MASTG-TEST-0282: Unsafe Custom Trust Evaluation
MASTG-TEST-0243: Expired Certificate Pins in the Network Security Configuration
MASTG-TEST-0217: Insecure TLS Protocols Explicitly Allowed in Code
MASTG-TEST-0242: Missing Certificate Pinning in Network Security Configuration
MASTG-TEST-0234: Missing Implementation of Server Hostname Verification with SSLSockets
MASTG-TEST-0235: Android App Configurations Allowing Cleartext Traffic
MASTG-TEST-0285: Outdated Android Version Allowing Trust in User-Provided CAs
MASTG-TEST-0205: Non-random Sources Usage
MASTG-TEST-0212: Use of Hardcoded Cryptographic Keys in Code
MASTG-TEST-0208: Insufficient Key Sizes
MASTG-TEST-0221: Broken Symmetric Encryption Algorithms
MASTG-TEST-0204: Insecure Random API Usage
MASTG-TEST-0307: References to Asymmetric Key Pairs Used For Multiple Purposes
MASTG-TEST-0312: References to Explicit Security Provider in Cryptographic APIs
MASTG-TEST-0232: Broken Symmetric Encryption Modes
MASTG-TEST-0338: Integrity and Authenticity Validation of Local Storage Data
MASTG-TEST-0337: References to Object Deserialization of Untrusted Data
MASTG-TEST-0245: References to Platform Version APIs
MASTG-TEST-0339: SQL Injection in Content Providers
MASTG-TEST-0352: References to Debugging Detection APIs
MASTG-TEST-0324: References to Root Detection Mechanisms
MASTG-TEST-0265: References to StrictMode APIs
MASTG-TEST-0247: References to APIs for Detecting Secure Screen Lock
MASTG-TEST-0227: Debugging Enabled for WebViews
MASTG-TEST-0330: References to APIs for Keys used in Biometric Authentication with Extended Validity Duration
MASTG-TEST-0329: References to APIs Enforcing Authentication without Explicit User Action
MASTG-TEST-0326: References to APIs Allowing Fallback to Non-Biometric Authentication
MASTG-TEST-0328: References to APIs Detecting Biometric Enrollment Changes
MASTG-TEST-0327: References to APIs for Event-Bound Biometric Authentication
MASTG-TEST-0318: References to SDK APIs Known to Handle Sensitive User Data
MASTG-TEST-0250: References to Content Provider Access in WebViews
MASTG-TEST-0291: References to Screen Capturing Prevention APIs
MASTG-TEST-0315: Sensitive Data Exposed via Notifications
MASTG-TEST-0334: Native Code Exposed Through WebViews
MASTG-TEST-0340: References to Overlay Attack Protections
MASTG-TEST-0258: References to Keyboard Caching Attributes in UI Elements
MASTG-TEST-0316: App Exposing User Authentication Data in Text Input Fields
MASTG-TEST-0252: References to Local File Access in WebViews
MASTG-TEST-0231: References to Logging APIs
MASTG-TEST-0202: References to APIs and Permissions for Accessing External Storage