MASTG-TECH-0013: Reverse Engineering Android Apps
Android's openness makes it a favorable environment for reverse engineers, offering significant advantages not available on iOS. Because Android is open-source, you can study its source code at the Android Open Source Project (AOSP) and modify the OS and its standard tools any way you want. Even on standard retail devices, it is possible to do things like activating developer mode and sideloading apps without jumping through many hoops. From the powerful tools included with the SDK to the wide range of reverse engineering tools available, there are many features to make your life easier.
However, there are a few Android-specific challenges as well. For example, you'll need to deal with both Dalvik bytecode (compiled from Java or Kotlin source) and native code. The Java Native Interface (JNI) is sometimes used deliberately to confuse reverse engineers (to be fair, there are legitimate reasons for using JNI, such as improving performance or reusing existing C/C++ code). Developers sometimes use the native layer to "hide" data and functionality, and they may structure their apps so that execution frequently jumps between the two layers.
You'll need at least a working knowledge of both the Java-based Android application environment and the Linux OS and kernel on which Android is based. You'll also need the right toolset to work with both the bytecode executed by the Android Runtime (ART) and native code.
To reverse engineer Android apps, consider the following techniques: Disassembling Code to Smali, Decompiling Java Code, Disassembling Native Code.
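When execution jumps between the two layers, the first practical problem is finding which native function implements a given `native` method. The block below is an added example, not code from the MASTG or from any app: it implements the name-mangling rules from the JNI specification ("Resolving Native Method Names"), extracts `native` declarations from a Smali class as produced by a disassembler, and matches them against the exported symbols of a shared library. The Smali text, the `nm -D` output and the class `com.example.app.Native` are constructed for the example.

```python
"""Map `native` method declarations found in Smali to the JNI symbol names a
reverse engineer should look for in the app's bundled shared libraries.
Added example; the class names, Smali text and nm output are constructed."""
import re


def _mangle(s):
    """JNI name mangling per the JNI specification ('Resolving Native Method Names')."""
    out = []
    for ch in s:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif ch == "/":          # package separator
            out.append("_")
        elif ch == "_":          # literal underscore
            out.append("_1")
        elif ch == ";":          # end of an object type in a descriptor
            out.append("_2")
        elif ch == "[":          # array type in a descriptor
            out.append("_3")
        else:                    # anything else, e.g. '$' in inner-class names
            out.append("_0%04x" % ord(ch))
    return "".join(out)


def jni_symbol(class_name, method, descriptor=None):
    """Symbol the runtime binds a native method to. `class_name` may be dotted
    (com.example.Foo) or internal (com/example/Foo). Without `descriptor` the
    short form is returned; with one (e.g. '([B)[B') the overloaded long form,
    which appends '__' plus the mangled argument types."""
    name = "Java_" + _mangle(class_name.replace(".", "/")) + "_" + _mangle(method)
    if descriptor is not None:
        args = descriptor[descriptor.index("(") + 1:descriptor.index(")")]
        name += "__" + _mangle(args)
    return name


_CLASS_RE = re.compile(r"^\.class\s+(?:\w+\s+)*L([^;]+);")
_METHOD_RE = re.compile(r"^\.method\s+((?:\w+\s+)*)([\w$<>]+)(\(.*\).+)$")


def native_methods(smali):
    """Yield (class, method, descriptor) for each `native` method in a Smali file."""
    cls = None
    for raw in smali.splitlines():
        line = raw.strip()
        m = _CLASS_RE.match(line)
        if m:
            cls = m.group(1)
            continue
        m = _METHOD_RE.match(line)
        if m and cls and "native" in m.group(1).split():
            yield cls, m.group(2), m.group(3)


def exported_symbols(nm_output):
    """Collect defined symbols from `nm -D libfoo.so`-style output."""
    syms = set()
    for line in nm_output.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1] in ("T", "t", "W", "w"):
            syms.add(parts[2])
    return syms


def resolve_natives(smali, nm_output):
    """Return (resolved, unresolved, has_jni_onload).
    `resolved` maps each native method to the exported symbol the runtime would
    bind it to, trying the short name before the long name as the JNI spec does.
    An unresolved method is not necessarily unimplemented: when JNI_OnLoad is
    exported, the library may bind it at load time with RegisterNatives."""
    exported = exported_symbols(nm_output)
    resolved, unresolved = {}, []
    for cls, method, desc in native_methods(smali):
        for candidate in (jni_symbol(cls, method), jni_symbol(cls, method, desc)):
            if candidate in exported:
                resolved[(cls, method, desc)] = candidate
                break
        else:
            unresolved.append((cls, method, desc))
    return resolved, unresolved, "JNI_OnLoad" in exported


# Constructed sample: Smali for a hypothetical class, as a disassembler would emit it.
SMALI = """\
.class public Lcom/example/app/Native;
.super Ljava/lang/Object;
.method public constructor <init>()V
.end method
.method public static native stringFromJNI()Ljava/lang/String;
.end method
.method public static native hash([BLjava/lang/String;)[B
.end method
.method public static native hash([B)[B
.end method
.method private native checkRoot()Z
.end method
"""

# Constructed sample: `nm -D libnative.so` output for the matching library.
NM_OUTPUT = """\
0000000000001a2c T JNI_OnLoad
0000000000001b40 T Java_com_example_app_Native_stringFromJNI
0000000000001c00 T Java_com_example_app_Native_hash___3BLjava_lang_String_2
0000000000001c80 T Java_com_example_app_Native_hash___3B
                 U __cxa_finalize
"""

if __name__ == "__main__":
    resolved, unresolved, has_onload = resolve_natives(SMALI, NM_OUTPUT)
    for (cls, method, desc), sym in resolved.items():
        print(f"{cls}->{method}{desc}  ->  {sym}")
    for cls, method, desc in unresolved:
        hint = "follow JNI_OnLoad for RegisterNatives" if has_onload else "no JNI_OnLoad found"
        print(f"{cls}->{method}{desc}  ->  UNRESOLVED ({hint})")
```

The methods that resolve to no exported symbol are the ones worth attention: when `JNI_OnLoad` is present they are usually bound at load time through `RegisterNatives`, so the implementation has to be located by following `JNI_OnLoad` in the native disassembler rather than by symbol name. A library that has been stripped or had its exports renamed will likewise fail to resolve statically named methods, which is the "hiding in the native layer" the text describes.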
Tests
MASTG-TEST-0327: References to APIs for Event-Bound Biometric Authentication
MASTG-TEST-0330: References to APIs for Keys used in Biometric Authentication with Extended Validity Duration
MASTG-TEST-0326: References to APIs Allowing Fallback to Non-Biometric Authentication
MASTG-TEST-0328: References to APIs Detecting Biometric Enrollment Changes
MASTG-TEST-0329: References to APIs Enforcing Authentication without Explicit User Action
MASTG-TEST-0368: Insufficient Obfuscation of Security-Relevant Java/Kotlin Code
MASTG-TEST-0352: References to Debugging Detection APIs
MASTG-TEST-0227: Debugging Enabled for WebViews
MASTG-TEST-0247: References to APIs for Detecting Secure Screen Lock
MASTG-TEST-0265: References to StrictMode APIs
MASTG-TEST-0324: References to Root Detection Mechanisms
MASTG-TEST-0318: References to SDK APIs Known to Handle Sensitive User Data
MASTG-TEST-0221: Broken Symmetric Encryption Algorithms
MASTG-TEST-0232: Broken Symmetric Encryption Modes
MASTG-TEST-0204: Insecure Random API Usage
MASTG-TEST-0307: References to Asymmetric Key Pairs Used For Multiple Purposes
MASTG-TEST-0212: Use of Hardcoded Cryptographic Keys in Code
MASTG-TEST-0312: References to Explicit Security Provider in Cryptographic APIs
MASTG-TEST-0205: Non-random Sources Usage
MASTG-TEST-0208: Insufficient Key Sizes
MASTG-TEST-0202: References to APIs and Permissions for Accessing External Storage
MASTG-TEST-0231: References to Logging APIs
MASTG-TEST-0337: References to Object Deserialization of Untrusted Data
MASTG-TEST-0373: Internal Component Unintentionally Exported
MASTG-TEST-0245: References to Platform Version APIs
MASTG-TEST-0374: References to Implicit Intents Carrying Sensitive Extras
MASTG-TEST-0372: Implicit Intents Used for Internal App Communication
MASTG-TEST-0338: Integrity and Authenticity Validation of Local Storage Data
MASTG-TEST-0339: SQL Injection in Content Providers
MASTG-TEST-0315: Sensitive Data Exposed via Notifications
MASTG-TEST-0291: References to Screen Capturing Prevention APIs
MASTG-TEST-0316: App Exposing User Authentication Data in Text Input Fields
MASTG-TEST-0334: Native Code Exposed Through WebViews
MASTG-TEST-0355: References to Unauthorized Database Access through Content Providers
MASTG-TEST-0250: References to Content Provider Access in WebViews
MASTG-TEST-0258: References to Keyboard Caching Attributes in UI Elements
MASTG-TEST-0357: References to Oversharing of File-Based Content Providers
MASTG-TEST-0252: References to Local File Access in WebViews
MASTG-TEST-0366: Exported And Unprotected Broadcast Receivers That Expose Sensitive Functionality
MASTG-TEST-0365: Exported And Unprotected Services That Expose Sensitive Functionality
MASTG-TEST-0340: References to Overlay Attack Protections
MASTG-TEST-0364: Exported And Unprotected Activities That Expose Sensitive Functionality
MASTG-TEST-0295: GMS Security Provider Not Updated
MASTG-TEST-0243: Expired Certificate Pins in the Network Security Configuration
MASTG-TEST-0284: Incorrect SSL Error Handling in WebViews
MASTG-TEST-0217: Insecure TLS Protocols Explicitly Allowed in Code
MASTG-TEST-0235: Android App Configurations Allowing Cleartext Traffic
MASTG-TEST-0282: Unsafe Custom Trust Evaluation
MASTG-TEST-0285: Outdated Android Version Allowing Trust in User-Provided CAs
MASTG-TEST-0283: Incorrect Implementation of Server Hostname Verification
MASTG-TEST-0242: Missing Certificate Pinning in Network Security Configuration
MASTG-TEST-0234: Missing Implementation of Server Hostname Verification with SSLSockets
MASTG-TEST-0286: Network Security Configuration Allowing Trust in User-Provided CAs
MASTG-TEST-0233: Hardcoded HTTP URLs