Android Forensic

Parsing APK file

Our example will be on DIVA (Damn insecure and vulnerable App) APK file. You can download the file from here.

Note: Some methods may not return the expected output because the missing information in the apk, e.g. the suggested apk doesn’t have icon and signs but you can download some known apk like twitter apk or so and test it, it works.

We’ll use ruby_apk gem to do that

  • Install ruby_apk gem
    1. gem install ruby_apk

Now, lets start parsing

  1. require 'ruby_apk'
  3. apk = Android::Apk.new('diva-beta.apk')
  5. # listing files in apk
  6. apk.each_file do |name, data|
  7.   puts "#{name}: #{data.size}bytes" # puts file name and data size
  8. end
  10. # Extract icon data in Apk
  11. icons = apk.icon
  12. icons.each do |name, data|
  13.   File.open(File.basename(name), 'wb') {|f| f.write data } # save to file.
  14. end
  16. # Extract signature and certificate information from Apk
  17. signs = apk.signs                   # retrun Hash(key: signature file path, value: OpenSSL::PKCS7)
  18. signs.each do |path, sign|
  19.   puts path
  20.   puts sign
  21. end
  23. # Manifest
  24. ## Get readable xml
  25. manifest = apk.manifest
  26. puts manifest.to_xml
  28. ## Listing components and permissions
  29. manifest.components.each do |c|     # 'c' is Android::Manifest::Component object
  30.   puts "#{c.type}: #{c.name}"
  31.   c.intent_filters.each do |filter|
  32.     puts "\t#{filter.type}"
  33.   end
  34. end
  36. ## Extract application label string
  37. puts apk.manifest.label
  39. # Resource
  40. ## Extract resource strings from apk
  41. rsc = apk.resource
  42. rsc.strings.each do |str|
  43.   puts str
  44. end
  46. ## Parse resource file directly
  47. rsc_data = File.open('resources.arsc', 'rb').read{|f| f.read }
  48. rsc = Android::Resource.new(rsc_data)
  50. # Resolve resource id
  51. rsc = apk.resource
  53. ## assigns readable resource id
  54. puts rsc.find('@string/app_name')   # => 'application name'
  56. ## assigns hex resource id
  57. puts rsc.find('@0x7f040000')        # => 'application name'
  59. ## you can set lang attribute.
  60. puts rsc.find('@0x7f040000', :lang => 'ja')
  62. # Dex
  63. ## Extract dex information
  64. dex = apk.dex
  65. ### listing string table in dex
  66. dex.strings.each do |str|
  67.   puts str
  68. end
  70. ### listing all class names
  71. dex.classes.each do |cls|           # cls is Android::Dex::ClassInfo
  72.   puts "class: #{cls.name}"
  73.   cls.virtual_methods.each do |m|   # Android::Dex::MethodInfo
  74.     puts "\t#{m.definition}"        # puts method definition
  75.   end
  76. end
  78. ## Parse dex file directly
  79. dex_data = File.open('classes.dex','rb').read{|f| f.read }
  80. dex = Android::Dex.new(dex_data)