Android Forensic

Parsing APK file

Our example uses the DIVA (Damn Insecure and Vulnerable App) APK file. You can download the file from here.

Note: Some methods may not return the expected output because of information missing from the APK. For example, the suggested APK doesn't have an icon or signatures. You can download a well-known APK, such as the Twitter APK, and test against it; it works.

We'll use the ruby_apk gem to do that.

  • Install the ruby_apk gem

```
gem install ruby_apk
```

Now, let's start parsing:

```ruby
require 'ruby_apk'

apk = Android::Apk.new('diva-beta.apk')

# Listing files in the APK
apk.each_file do |name, data|
  puts "#{name}: #{data.size}bytes" # print file name and data size
end

# Extract icon data from the APK
icons = apk.icon
icons.each do |name, data|
  File.open(File.basename(name), 'wb') { |f| f.write data } # save to file
end

# Extract signature and certificate information from the APK
signs = apk.signs # returns Hash(key: signature file path, value: OpenSSL::PKCS7)
signs.each do |path, sign|
  puts path
  puts sign
end

# Manifest
## Get readable XML
manifest = apk.manifest
puts manifest.to_xml

## Listing components and permissions
manifest.components.each do |c| # 'c' is an Android::Manifest::Component object
  puts "#{c.type}: #{c.name}"
  c.intent_filters.each do |filter|
    puts "\t#{filter.type}"
  end
end

## Extract application label string
puts apk.manifest.label

# Resource
## Extract resource strings from the APK
rsc = apk.resource
rsc.strings.each do |str|
  puts str
end

## Parse a resource file directly
rsc_data = File.binread('resources.arsc') # read as binary and close the file
rsc = Android::Resource.new(rsc_data)

# Resolve resource id
rsc = apk.resource
## Look up by readable resource id
puts rsc.find('@string/app_name') # => 'application name'
## Look up by hex resource id
puts rsc.find('@0x7f040000') # => 'application name'
## You can set the lang attribute
puts rsc.find('@0x7f040000', :lang => 'ja')

# Dex
## Extract dex information
dex = apk.dex

### Listing the string table in dex
dex.strings.each do |str|
  puts str
end

### Listing all class names
dex.classes.each do |cls| # cls is Android::Dex::ClassInfo
  puts "class: #{cls.name}"
  cls.virtual_methods.each do |m| # Android::Dex::MethodInfo
    puts "\t#{m.definition}" # print method definition
  end
end

## Parse a dex file directly
dex_data = File.binread('classes.dex') # read as binary and close the file
dex = Android::Dex.new(dex_data)
```
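The component listing above prints raw values; for triage it helps to condense them into a short summary. The following is an added example, not code from the original page or from the ruby_apk project: `manifest_summary`, the `Filter` and `Component` stand-ins, the watch list and the sample data are all constructed here, and it assumes filter entries expose a `name` reader alongside the `type` reader used above.

```ruby
# Stand-ins mirroring the readers used on this page (assumption), so this runs without an APK.
Filter    = Struct.new(:type, :name)
Component = Struct.new(:type, :name, :intent_filters)

LAUNCHER = 'android.intent.category.LAUNCHER'

# Illustrative watch list (constructed); adapt it to your own triage policy.
SENSITIVE_PERMISSIONS = %w[
  android.permission.READ_SMS
  android.permission.READ_CONTACTS
  android.permission.RECORD_AUDIO
  android.permission.WRITE_EXTERNAL_STORAGE
].freeze

# Summarise components and requested permissions for a first-pass review.
def manifest_summary(components, permissions)
  by_type = Hash.new { |h, k| h[k] = [] }
  components.each { |c| by_type[c.type] << c.name }

  # Components declaring intent filters respond to implicit intents, so review them first.
  with_filters = components.reject { |c| c.intent_filters.empty? }

  launcher = with_filters.find do |c|
    c.intent_filters.any? { |f| f.type == 'category' && f.name == LAUNCHER }
  end

  {
    counts: by_type.transform_values(&:size),
    with_intent_filters: with_filters.map(&:name),
    launcher: launcher && launcher.name,
    sensitive_permissions: permissions & SENSITIVE_PERMISSIONS
  }
end

# Constructed sample data (not extracted from diva-beta.apk).
SAMPLE_COMPONENTS = [
  Component.new('activity', 'com.example.app.MainActivity',
                [Filter.new('action', 'android.intent.action.MAIN'),
                 Filter.new('category', LAUNCHER)]),
  Component.new('activity', 'com.example.app.SettingsActivity', []),
  Component.new('provider', 'com.example.app.NotesProvider', []),
  Component.new('receiver', 'com.example.app.BootReceiver',
                [Filter.new('action', 'android.intent.action.BOOT_COMPLETED')])
].freeze
SAMPLE_PERMISSIONS = %w[android.permission.INTERNET android.permission.WRITE_EXTERNAL_STORAGE].freeze

puts manifest_summary(SAMPLE_COMPONENTS, SAMPLE_PERMISSIONS).inspect
```

With the gem loaded, the same function can be called as `manifest_summary(apk.manifest.components, apk.manifest.use_permissions)`.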