1 Overview
APP general security can be considered from the following aspects:
And some other miscellaneous (or universal security is not limited to items of APP):
This article discusses the decompilation issue.
2, APK decompile
Andrews developed APP, if no treatment is easily decompiled. That is, one can easily APP source code was leaked.
For commercial software, this of course is unacceptable. As a test team, should ensure that their products can properly against decompilation.
Testing can decompile can try it yourself to verify that this is a permeability test thinking.
2.1 decompiler
- Apktॊl
Role: for extraction of resources in the APK file, such as image files and layout files.
Download: https://bitbucket.org/iBotPeaches/apktool/downloads/
- dex2jar
Role: decompile the apk file to jar
Download: https://sourceforge.net/projects/dex2jar/files/
- jd-gui
Role: jar package to view dex2jar decompile obtained source
Download: http://java-decompiler.github.io/
The above toolkit download and place into the same folder, which extract the ZIP package. APK will be decompiled also be placed into the same folder (for convenience).
If the official website to download difficulties, the following is a network disk address tools:
Links: https://pan.baidu.com/s/18YGxwVX9KNnRU3rm3qvOUg
extraction code: zskt
2.2 apktool extracted resource file
Open the windows command line, CD previous step into the directory.
The first step in using apktool resource file extraction, command syntax:
-jar Java [apktool_2. 3.4 .jar] D -f [APK Address] -o [output directory]
Implementation of the results:
C:\Users\Administrator\Desktop\APKrecompile>java -jar apktool_2.3.4.jar d -f 检测包09111134.apk -o 09111134 I: Using Apktool 2.3.4 on 检测包09111134.apk I: Loading resource table... I: Decoding AndroidManifest.xml with resources... I: Loading resource table from file: C:\Users\ADMINI~1\AppData\Local\Temp\1.apk I: Regular manifest package... I: Decoding file-resources... I: Decoding values */* XMLs... I: Baksmaling classes.dex... I: Copying assets and libs... I: Copying unknown files... I: Copying original files...
After machining, the availability of resources APK file decompile extract:
2.3 dex2jar decompile Jar package obtained
APK extension will rewrite ZIP, open the ZIP file, extract the class.dex them:
This file is actually a java source file using the dx tool comes packaged, and dex2jar (dex to jar) as the name suggests is to convert the file back to jar dex
The first step will be placed into classes.dex ready dex2jar folder.
Command line, enter the folder, enter the command:
d2j-dex2jar classes.dex
Implementation of the results:
d2j-dex2jar classes.dex
dex2jar classes.dex -> .\classes-dex2jar.jar
After machining, get classes-dex2jar.jar file decompile come:
2.4 jd-gui jar file View
The first step in preparing to open the jd-gui.exe (without installation).
The third step obtained in the drag into classes-dex2jar.jar open interface to view the source code package jar.
3, the detection and prevention
Today there are several coping mechanisms for APK decompiled:
- Code obfuscation technology
- Signature matching technology
- Dynamic library technology
- Dynamic loading technology
As the audit and test side, we should combine penetration testing and code audits to determine the tested products have been added to proper defense.