Android Forensic

Parsing APK file

Our example uses the DIVA (Damn Insecure and Vulnerable App) APK file. You can download the file from here.
Note: Some methods may not return the expected output because of information missing from the APK; for example, the suggested APK has no icon or signatures. You can download a well-known APK, such as the Twitter APK, and test with it; it works.
We'll use the ruby_apk gem to do that:
  • Install ruby_apk gem
    gem install ruby_apk
Now, let's start parsing
    require 'ruby_apk'

    apk = Android::Apk.new('diva-beta.apk')

    # listing files in apk
    apk.each_file do |name, data|
      puts "#{name}: #{data.size}bytes" # puts file name and data size
    end

    # Extract icon data in Apk
    icons = apk.icon
    icons.each do |name, data|
      # File.basename keeps the output in the current directory,
      # whatever path the entry name inside the archive claims.
      File.open(File.basename(name), 'wb') { |f| f.write data } # save to file.
    end

    # Extract signature and certificate information from Apk
    signs = apk.signs # return Hash(key: signature file path, value: OpenSSL::PKCS7)
    signs.each do |path, sign|
      puts path
      puts sign
    end

    # Manifest
    ## Get readable xml
    manifest = apk.manifest
    puts manifest.to_xml

    ## Listing components and permissions
    manifest.components.each do |c| # 'c' is Android::Manifest::Component object
      puts "#{c.type}: #{c.name}"
      c.intent_filters.each do |filter|
        puts "\t#{filter.type}"
      end
    end

    ## Extract application label string
    puts apk.manifest.label

    # Resource
    ## Extract resource strings from apk
    rsc = apk.resource
    rsc.strings.each do |str|
      puts str
    end

    ## Parse resource file directly
    ## (resources.arsc must already be extracted from the apk)
    rsc_data = File.open('resources.arsc', 'rb') { |f| f.read }
    rsc = Android::Resource.new(rsc_data)

    # Resolve resource id
    rsc = apk.resource

    ## look up by readable resource id
    puts rsc.find('@string/app_name') # => 'application name'

    ## look up by hex resource id
    puts rsc.find('@0x7f040000') # => 'application name'

    ## you can set lang attribute.
    puts rsc.find('@0x7f040000', :lang => 'ja')

    # Dex
    ## Extract dex information
    dex = apk.dex
    ### listing string table in dex
    dex.strings.each do |str|
      puts str
    end

    ### listing all class names
    dex.classes.each do |cls| # cls is Android::Dex::ClassInfo
      puts "class: #{cls.name}"
      cls.virtual_methods.each do |m| # Android::Dex::MethodInfo
        puts "\t#{m.definition}" # puts method definition
      end
    end

    ## Parse dex file directly
    ## (classes.dex must already be extracted from the apk)
    dex_data = File.open('classes.dex', 'rb') { |f| f.read }
    dex = Android::Dex.new(dex_data)
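The signature loop above only prints each OpenSSL::PKCS7 object. The following added example (not from the original page or the ruby_apk project) pulls the signer certificate details and a SHA-256 fingerprint out of such an object, which is what gets compared against a publisher's known certificate when checking whether an APK was re-signed. The helper names signer_summaries and build_sample_signature are hypothetical, and the signature is a constructed sample built with Ruby's standard OpenSSL library so the code runs without an APK.

```ruby
require 'openssl'
require 'digest'

# Summarize every certificate embedded in a PKCS#7 signature block
# (the kind of object the apk.signs hash holds as its values).
def signer_summaries(pkcs7)
  (pkcs7.certificates || []).map do |cert|
    {
      subject:     cert.subject.to_s,
      issuer:      cert.issuer.to_s,
      self_signed: cert.subject.to_s == cert.issuer.to_s,
      not_before:  cert.not_before,
      not_after:   cert.not_after,
      sha256:      Digest::SHA256.hexdigest(cert.to_der)
    }
  end
end

# Constructed sample: a throwaway self-signed certificate and a detached
# PKCS#7 signature over dummy bytes, standing in for a META-INF signature file.
def build_sample_signature
  key  = OpenSSL::PKey::RSA.new(2048)
  name = OpenSSL::X509::Name.parse('/CN=Constructed Test Signer/O=Example')
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = name
  cert.issuer     = name
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  p7 = OpenSSL::PKCS7.sign(cert, key, 'constructed manifest bytes', [],
                           OpenSSL::PKCS7::DETACHED)
  # Round-trip through DER, as if the signature had been read from a file.
  [OpenSSL::PKCS7.new(p7.to_der), cert]
end

if __FILE__ == $PROGRAM_NAME
  p7, = build_sample_signature
  signer_summaries(p7).each do |s|
    puts "#{s[:subject]} sha256=#{s[:sha256]}"
    puts "  valid #{s[:not_before]} .. #{s[:not_after]} self_signed=#{s[:self_signed]}"
  end
end
```

With a real APK, pass each value of the signs hash to signer_summaries instead of the constructed signature.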