ANALYSIS WITH ANDROGUARD
- Androguard is an open-source Python framework for analyzing and reverse engineering Android applications; its interactive shell, androlyze, runs on IPython.
- Some of Androguard's features include automated and scripted analysis of DEX, ODEX, APK and binary XML files, a disassembler, a decompiler, malware dissection, ...
- It can be found here:
https://github.com/androguard/androguard
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTiYLery-lyPdDJmPpHUi6zK9VPEz-BmipkHaaJieCfcxKswTdw6Aqv2tBcPxRQKEqvR0ddJZ9VDJH_wsqhB3gHSoSOt2lz_Nog6Wjj1g2xplw67w9PdVnsjXVntWFlYiW63ta0mfHn_uz/s640/screenshot.30.jpg)
- Once downloaded, let's unzip the file:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitQTShG4ECFgbptPqATUAkyM23rAZR7POqU7zbqxJWS1ikwy9SE5kR9mJU0j1SRm79La_HNlawn8ybq2b363VMNb-Q-Ga5IP3gwTJnEZgj-_I2DdhtlwmM4MVwdHn8fb6rcqWgM_ETrTyp/s1600/screenshot.31.jpg)
- The tool androlyze ships with Androguard and provides an interactive shell for static analysis of .apk files:
https://androlyze.readthedocs.io/en/latest/
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZkW9uvpoOUJwyOP-Uq9ofVnQ2tSv34mGa_iv0xJEQGf79X15vdlXJv1tvSPAQQlhIbfpSz4ysysJ7xpREEf-Duxgh_gpFS6cbFvJccHI1KBWR7BTIl7LUxKMTaX4FxASkwM8-s2kdnCi1/s1600/screenshot.32.jpg)
- Let's take the application box.apk as an example. The full path:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHWZYCgxHteTA3XidDhLa9oXc-sRL83ffsqN6GCtNXw6ApyDxBEN0lMR9ErMkYKgJ5Z6VDMC8RPvrWOukP8Xk6DUWQC772LDJTDxL2OJRRtw9dBWvWEqu42FyaiQiLI3aB4gOnqHQMaMyD/s1600/screenshot.33.jpg)
- Getting permissions of the application:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMtw6T7CY8ek9RMRb6Z3YjqFMs9NGoKOqclon47WWajaX1OegyCfEF63yOz54NzlcchbA6MiQbyg-ZYZmesk3Mn6UmDzad7tFl05V4iq9p13e0j2UlqG1R1oVwCOM0Fhq25OWE2hBSuAfR/s1600/screenshot.35.jpg)
- Detailing the permissions: Androguard prints each one with its protection level and description. Here INTERNET is labelled "dangerous" because it allows full access to the network, for instance creating sockets. Keep in mind that the label comes from Androguard's own permission table; since Android 6.0 INTERNET has protection level "normal" and is granted at install time without a prompt, so treat the level as a hint and check what the code actually does with the network:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7uw7pnNlTzXi79o0M2c8CUj88VcExNvkhbwMfAo8nsiGqZnIdMSEHEwcYvZp9d5XGq0gHp-QoG81F7cDa3vVofJ0Qc6BZRF8W32lUtV0vOCj-doarj0pUtekYItksOK1zloHJR3iM9uTv/s1600/screenshot.49.jpg)
- Identifying the activities of the application:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8dQLWKYV0tlVdTywzEWvCvcoMVU3h5UjmxAlcJjr1x-iSxWSQK32hs6WG8fNn3uVQXoMjH4H8Jv0G84TnCeDSJzYyUBn-brCNopW6Lmo7zrBYz7OUqHkqtcOwHHY7tGpJyCbyG8-3yqcd/s1600/screenshot.41.jpg)
- Services:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJCP0PRm02rqvLMQoMWAOutllLL411Kyee1D2Y66TGwyn0SVQOfBFWZGXNkoy-O1MCOAql9KXztLyEDBMc7LJTBdHivKOmCe0sxdYC3Mybw4fcwLLvb0H4FQCzgRH130ZpbLzHpu74aHzg/s1600/screenshot.42.jpg)
- Broadcast receivers:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQgSrlzM2KWJepIAkEt4sOdTgDfJhZuqybaUcfEp8JW0pnQIi_sj1aM5Nhx-1VoRL3Oe4Dbu9fuoHuPHfeZH7aryFamnap3bI1ccBXyzaHrHXKXXPbjq2BfeNTmuPvlDhKbGyfZnrj4g6y/s1600/screenshot.44.jpg)
- The APK signature, dumped in hexadecimal:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOJ1xBiw1JURB1msiQYKrTpxvXomF-RvJgj_hXNbh1Ku3xukCNb6l2HszSjPppBw26Ky4f4oL78h1mgM5P9kiklt-U6QxZjJLdRtGrKJxzkU7UwqspLVioSMM4tF-b8CtI7JqgwjA3yy2B/s1600/screenshot.45.jpg)
- The package name:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyTj3NLInyvr1RiTD0Qd6dm2IeULYtDqJx-w3DyLeodd8r9EB8mvEPqCBd7KYVVqaFL8iusuSYUuXFL_DouDBovf9cTaSOu3Btq72sNeGQCy4YIM1AnA6ALh4EdgFphwmMXpw-ydim3kwF/s400/screenshot.46.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHJ30zTjdQPVYV3MtNVdSRKD21eZM7Y4CHldLM53ZGuidrAYPMqR45CKeeyjbUNwxR0Z9qLxemcia5_twiM5aaRThsDoCOxly4wN5TdqqXQK4dwcNlRX-lqfDqUn_MEAYGMvkcf7z6oSOR/s400/screenshot.47.jpg)
- Checking whether Androguard can parse the file as a valid APK (a structural check of the package, not a verification of its signature):
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEic2-hCoveSC-EmkGu_OLy19Thuu24_N3hHYPTc5tNsXjsKBiMvwMave1vLup3rimQoojb3o4m-MARhbB-n5-FYfZHHwsfPNlUN-vp2VgxfB6zejerUiuq169fq1KUsZQfTAQYdY2MCTbjw/s400/screenshot.48.jpg)
- Files:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlTwbwEV24-NlMnHMj6d5Hc5NuMUoul_n2Gn1oAyvpkTpQaYupvrkb3irMD1wuy5mGbcdeMk5Np-Y4ugx9XmoBvv9V5s7kQGcVp2nGo3tFLBsq0evvLt9-LGECbHlT0LGm2BUR6L8UFBsh/s400/screenshot.50.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifrRYxto4n16Zuxp6kLtiPsQtClXGlXUAuc-v4MMM4nFKgPxcglStuV8TYwEOuK2xrYk69e114Mes789tSqA4B24D5fm7lvDLphmoUkuMXDkLTuaAy9VJau4QVNChU5eQ95hURIrJHYLXQ/s1600/screenshot.51.jpg)
- Now, let's retrieve classes and methods from the application:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAvNQbR3T5LFS2hsvChskJKaQlfH6svuj0ey815W1hct3rV9aqJPb2fyqVH9VoOZQQsAAgKvq8crjoXfPRvR7qi45kUBanOaMTzgqmeBoev2nVySG55Lp9N1viRBBhKGC9Oufr4ACrc8VK/s1600/screenshot.36.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4JMwfuyhpMPxnSjCbWJLLA6NFN0Vqj4eV1DFYhEDHrENOB7gAj_1lwaAnCXcRn6xrGynkedk9cdNrPlUNJux3PgNWUOLDOpWJz7WiTus1gEAqsH1PAuralITSoBkv1nLEjiyaUCoU6p7G/s400/screenshot.37.jpg)
- Writing a small script to list the classes:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEga-nEA8O4ibqTv_hMylbZ160FFf8bZxfo2lO3d3hQETl9vj_8ksGAoj74cEmIzSsWsOqt_DHi8tlEMy4LasgmgeZrRfp3Fpw6DjgBZ2X_tdhzYy83YpmuwM0XE2sSkzBTSHrQTuvlpdavy/s1600/screenshot.53.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhr0Ma7vjtiRTcN6CPeMJ-WTxupOfqVvkyAVzwDCBj0wb32eQiBi4_0X_LczcBMR8PzpyhLEFrzPGo6EMuJWAjjXo466n7FMDy7JBvImxKKN3QEsxzv6fU27bw_Ul8iv9669ZaaF1FHnag4/s1600/screenshot.52.jpg)
- The same for the methods:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisUqDxwYIZX9MXZrU7x6IoiGwF6yfMW1ZkKtG62ZDCxcORZ6DQRtivk7O96ubaDT9oOSffZwSNSprwP4_aVMtLsMcxP9pBB_fDgK87qiH9dNqHmAx9kRDhoIMCP2Z2lA8lr4HxNEUxPpPo/s1600/screenshot.55.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKrRdE_4vYvnstU1VQXlBo6y0KzeXbr2YEY3xzQvhkDtzzMdxPgDG1jKrL7h6J7iOY1ReIa95Kf_9xhGIMdjBXIGXpb0EhOPyQrz5obVousFmt6Hlu7X5ILJO7m5BujEgNSAG-YpK3Y8q9/s1600/screenshot.56.jpg)
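The androlyze session above is interactive; the same facts can be pulled out with one script so the triage is repeatable. The following is an added example, not code from the original post or from the Androguard project. It assumes androguard 3.x is installed and an APK path such as box.apk is passed on the command line; the helper names, the API watch-list and the `get_attribute_value`/`get_intent_filters`/xref calls are this example's own use of that API. Beyond what the screenshots show, it resolves which components are implicitly exported (unset `android:exported` plus an intent-filter, the pre-Android 12 default) and cross-checks declared permissions against the network and SMS APIs the DEX actually calls, which is how to follow up on a permission label such as "dangerous".

```python
"""Static triage of an APK with Androguard as a stand-alone script.

Added example, not code from the original post.  Assumptions: androguard 3.x
is installed (pip install androguard) and an APK path is given on the command
line; the helper names and the API watch-list below are this example's own.
"""
import hashlib
import sys

# Sensitive API classes and the permission each one needs at runtime
# (constructed watch-list for this example, extend as needed).
WATCHED_APIS = {
    "Ljava/net/Socket;": "android.permission.INTERNET",
    "Ljava/net/HttpURLConnection;": "android.permission.INTERNET",
    "Landroid/telephony/SmsManager;": "android.permission.SEND_SMS",
}


def triage_permissions(details):
    """Bucket permissions by protection level.

    `details` has the shape of APK.get_details_permissions() in androguard 3.x:
    {name: [protectionLevel, label, description]}.  Compound levels such as
    'signature|privileged' are bucketed by their first component.
    """
    buckets = {"dangerous": [], "signature": [], "normal": []}
    for name, (level, _label, _desc) in sorted(details.items()):
        if "dangerous" in level:
            buckets["dangerous"].append(name)
        elif level.startswith("signature"):
            buckets["signature"].append(name)
        else:
            buckets["normal"].append(name)
    return buckets


def exported_components(components):
    """Return (kind, name) for components other apps can reach.

    Each item: {"kind", "name", "exported" (True/False/None), "has_filter"}.
    When android:exported is unset, a component with an intent-filter is
    exported by default on Android < 12; that implicit export is the classic
    finding, so None is resolved from has_filter.
    """
    found = []
    for c in components:
        exported = c["has_filter"] if c["exported"] is None else c["exported"]
        if exported:
            found.append((c["kind"], c["name"]))
    return found


def permission_api_gaps(declared, api_hits):
    """Cross-check manifest permissions against the APIs actually called.

    `api_hits` maps a WATCHED_APIS class to the callers found in the DEX.
    A watched API called without its permission means a crash path or a
    tampered manifest; a declared but unused permission is over-privilege.
    """
    used = {WATCHED_APIS[cls] for cls, callers in api_hits.items() if callers}
    declared = set(declared)
    watched = set(WATCHED_APIS.values())
    return {"used_not_declared": sorted(used - declared),
            "declared_not_used": sorted((declared & watched) - used)}


def cert_sha256(der_certs):
    """SHA-256 of each signing certificate (DER): the value to pin or compare."""
    return [hashlib.sha256(der).hexdigest() for der in der_certs]


def collect(apk_path):
    """Gather via the library what the androlyze session shows interactively
    (androguard 3.x API; the attribute, intent-filter and xref calls are
    assumed from that API)."""
    from androguard.misc import AnalyzeAPK
    a, _d, dx = AnalyzeAPK(apk_path)
    comps = []
    for kind, getter in (("activity", a.get_activities), ("service", a.get_services),
                         ("receiver", a.get_receivers), ("provider", a.get_providers)):
        for name in getter():
            raw = a.get_attribute_value(kind, "exported", name=name)  # None if unset
            filters = a.get_intent_filters(kind, name)
            comps.append({"kind": kind, "name": name,
                          "exported": None if raw is None else str(raw).lower() == "true",
                          "has_filter": bool(filters.get("action") or filters.get("category"))})
    api_hits = {}
    for cls in WATCHED_APIS:
        callers = set()
        for m in dx.find_methods(classname=cls):
            for _caller_cls, caller, _offset in m.get_xref_from():
                callers.add("%s->%s" % (caller.class_name, caller.name))
        api_hits[cls] = sorted(callers)
    return {"package": a.get_package(), "valid": a.is_valid_APK(),
            "permissions": a.get_permissions(), "details": a.get_details_permissions(),
            "components": comps, "api_hits": api_hits,
            "certs": [c.dump() for c in a.get_certificates()],  # DER bytes
            "classes": sorted(c.name for c in dx.get_classes() if not c.is_external()),
            "files": a.get_files()}


def report(data):
    """Turn the collected facts into the findings a reviewer wants first."""
    return {"package": data["package"], "valid_apk": data["valid"],
            "permissions": triage_permissions(data["details"]),
            "exported": exported_components(data["components"]),
            "gaps": permission_api_gaps(data["permissions"], data["api_hits"]),
            "signers": cert_sha256(data["certs"]),
            "class_count": len(data["classes"]), "file_count": len(data["files"])}


if __name__ == "__main__":
    for key, value in report(collect(sys.argv[1])).items():
        print("%-12s %s" % (key, value))
```

Run it as `python triage.py box.apk`. The analysis functions take plain dictionaries and lists, so they can be unit-tested with constructed data and reused over a batch of APKs; only `collect()` touches Androguard. The `gaps` entry is the one to read after the permission list: an app that calls `java.net.Socket` without INTERNET, or declares SEND_SMS without ever touching `SmsManager`, deserves a closer look than the permission label alone suggests.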
- The options and scope of Androguard are immense. This has been only a first look at the many possibilities of this very handy framework for Android analysis.