Skip to content

MASTG-TECH-0157: Extracting Bundled Native Libraries

This technique describes how to identify native libraries (.so files) that are packaged inside an Android app's APK using static analysis (without running the app). Native libraries are stored in the lib/ directory of the APK, organized by CPU architecture (ABI).

If you already used Decompiling Java Code to decompile the app, you may have already extracted the native libraries. Just look for the lib/ directory in the decompiled output.

Using unzip

An APK is a ZIP archive. You can extract it with standard tools and list the native libraries in the lib/ directory.

unzip -o YourApp.apk "lib/*" -d YourApp
find YourApp/lib -name "*.so"
YourApp/lib/arm64-v8a/libnative-lib.so
YourApp/lib/armeabi-v7a/libnative-lib.so
...

Using Apktool

Apktool unpacks the APK and preserves the directory structure, making it easy to inspect the lib/ folder.

apktool d YourApp.apk -o YourApp
ls -1 YourApp/lib/arm64-v8a/
libnative-lib.so
libsqlcipher.so
...

Tests

MASTG-TEST-0352: References to Debugging Detection APIs MASTG-TEST-0369: Insufficient Obfuscation of Security-Relevant Native Code MASTG-TEST-0223: Stack Canaries Not Enabled MASTG-TEST-0222: Position Independent Code (PIC) Not Enabled