To begin the static analysis phase, we will need a copy of our APK file to serve as our specimen. There are a number of ways to obtain this:
Extract a sample from the device directly (see guide here)
Work with the acquired device data.
Note the version from your acquired content and download a website (like APKPure)
Let's fire up jadx gui. This is a free reverse engineering tool for Android APKs. It requires the Java Runtime Environment (JRE) 8 installed, but is also available prepackaged in a version that includes it. The releases page for jadx can be found here. Look for the download ending with "-with-jre-windows.zip".
Once launched, it will give you the following Open File dialog. If you downloaded the lab kit, look in the folder called 'APKs'. Double click to open the APK.
Once loaded, you can begin browsing through the list of classes on the lefthand side. You will see lots of entries beginning with 'android', 'com.facebook' etc. A lot of these are from libraries used by the app. Rather than sifting through this list manually, we will use the clues we established in Lab 1 in order to point us in the right direction.
To open up the text search window, press CTRL+SHIFT+F or select it from the Navigation menu.
The first time you open the text search, it will take some time as the app has to perform APK-wide decompilation. When finished, we are ready to start searching for our suspects.
Let's search for some values from lab 1.2, starting with
So we do hits, but... 3k is a lot to go through and as you can see, there is significant false positives. So, what do we do? Well, in our case the key for pin is a string. In Java, strings are enclosed in double quotes. Let's modify our search to include double quotes and see how we do on results:
Much better. Now, instead of "android.support" (and many others) we are seeing only classes from within the "com.github.browep.privatephotovault" namespace and, if we look at the Code side of the view, we can see some super interesting stuff.
At this point, we have developed some leads to investigate using static analysis.
Looking at the list, in the class
CryptoUtils, we see two calls to a function called
pinsMatch, so let's check that out by double clicking on the result and then right clicking and choosing "go to declaration".
Alright, so there's a couple of things happening here. However, rather than working to develop an understanding first, then testing later, let's dive in to some DBI to give us a bit of a roadmap to follow.