Thursday, 16 January 2014

Reverse engineering an apk

In my previous post I had described setting up an access point and getting clients to automatically connect. I then used beef to hook the browsers and run auto modules. I wanted to explore getting a shell on a mobile device and play around with that. One thing I managed was to set up a hidden iframe that downloads a given file. With android and other platforms this still involves a level of user interaction, an acknowledgement to downloading the file. Perhaps with some social engineering this could be made more plausible.
Metasploit have introduced a reverse tcp module for android. Its quite straight forward to set up just like any other windows/linux reverse tcp. The result is an apk file which will open up a meterpreter session on your server. On inspection it has a button called reverse tcp and the icon of the metasploit emblem. I wanted to explore changing things around in the App and customizing it for my own needs. I may use it for an upcoming project in college.

There are some tools on Kali and Backtrack pre-installed for this purpose. I had some issues recompiling with these tools and failed to get them to work. Decompilling the apk worked fine, but after making changes and recompilling, it would throw up errors.
I ended up installing the same tools on a windows machine and they worked straight away.

Tools

apktool (to decompile + recompile apk)
dex2jar (useful for having a look at the underlying java)
Also resigning the apk in kali you can generate your own keys.

Its quite straightforward. Via command line:
DECOMPILE: apktool d (nameOfApp.apk) (name of folder you want to put it in)

From here you can look into the files and do some editing. Change some of the permissions, add some more? Edit the xml files.

RECOMPILE: apktool b [directory in which you have decoded the files]

To look at the java code and figure out how it works you can use dex2jar.




Upon recompiling the app, you still have to resign it in order for it to work on your device. This can be achieved by using openssl in kali.

The metasploit android reverse apk is quite a small file as regards what code is already in it. It should be quite simple to customize your own version of the app and play around with it.

I was looking into ways of autostarting an apk on boot from an android device. Adding this addition to the android reverse tcp apk would mean a consistent connection. I have found some ideas on how to achieve this and would like to see if I can get it working.