
Androguard

Androguard is an open-source tool used for analyzing and reverse engineering Android applications. It allows users to perform various tasks such as decoding APK files, extracting information about the application's components and permissions, analyzing network traffic, and detecting vulnerabilities and malware.
Androguard is written in Python and provides a command-line interface as well as a graphical user interface. It can be used by security researchers, Android app developers, and anyone interested in understanding how Android applications work and identifying potential security issues.
Some of the features of Androguard include:
Analyzing the bytecode of Android applications
Displaying the application's manifest file
Extracting resources, such as images and strings, from the application
Identifying and analyzing embedded files, such as libraries and configuration files
Detecting potential security issues, such as insecure storage of sensitive data or the use of deprecated APIs
Overall, Androguard is a powerful tool for analyzing and reverse-engineering Android applications, and it is widely used in the Android security community.
It has lots of modules, and we usually do not use all of them.

How to install it?

1. Install Python >= 3.6
2. pip install -U androguard
If you are on Linux, the binary is located in ~/.local/bin, which you should add to your PATH.
On Linux you sometimes get an error related to the IPython library. In that case, use this command:
pip install IPython==5.0

In Windows

First we need WSL. Enable it and download Ubuntu.
To install Python 3.7 on a Linux system using apt, you can follow these steps:
Update the package index and upgrade any existing packages:
sudo apt update
Install the software-properties-common package, which is required to add the deadsnakes PPA:
sudo apt install software-properties-common
Add the deadsnakes PPA, which contains Python 3.7:
sudo add-apt-repository ppa:deadsnakes/ppa
Update the package index again:
sudo apt update
Install Python 3.7:
sudo apt install python3.7
Verify that Python 3.7 was installed successfully:
python3.7 --version
Then we need to create a virtualenv:
sudo apt install python3.7-venv
python3.7 -m venv androguardenv
source androguardenv/bin/activate
The next step is to install Androguard:
pip install -U androguard
pip install networkx==1.11

General Use Case

Call Graph

A call graph is like a map that shows which parts of a computer program call other parts. It helps programmers understand how the program works and find problems. It's kind of like a family tree that shows the relationships between different functions or methods in the program.
To capture the call graph we can use this command with Androguard:
androguard cg -o callgraph.gml reverseme_androidVersion12.apk
But you face an error when using this command. The problem is related to the networkx library.
To fix this issue, downgrade the networkx library to version 1.11:
pip3 install networkx==1.11
After this it worked.
Androguard can create files that can be read using graph visualization software, for example Gephi.
Gephi works on Java Development Kit version 8. In order to install it in Linux:
apt install openjdk-8-jdk
To switch Java version in Linux:
sudo update-alternatives --config java
We also need to change Java Compiler Version:
sudo update-alternatives --config javac
After installing Gephi, open callgraph.gml in it. The problem is that we can't analyze the data, because the graph includes all the unnecessary calls related to Android. To filter the information, we navigate to the Data Laboratory tab and
Then select a data entry and press Ctrl + A to select all nodes. Then Right-Click the select
Now we want to make it readable:
Now let's filter the data. We want the call graph related to the class One and the function flag.
The final approach:
We can delete the other sections that are not related to our goal. Final:
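The filtering done by hand in Gephi above can also be scripted. The following is an added example, not part of the original page or of Androguard: it slices a call graph down to the methods that reach, or are reached from, One->flag and lists the framework APIs that slice calls. The edge list, the package names, the node label format and the FRAMEWORK prefix list are constructed assumptions; in practice the edges would be read from callgraph.gml.

```python
import re
from collections import defaultdict, deque

# Class prefixes treated as framework noise (assumption; extend for your app).
FRAMEWORK = ("Landroid/", "Landroidx/", "Ljava/", "Ljavax/", "Lkotlin/", "Ldalvik/")

# Constructed sample edges (caller, callee); not taken from a real APK.
SAMPLE_EDGES = [
    ("Lcom/example/MainActivity;->onCreate(Landroid/os/Bundle;)V", "Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V"),
    ("Lcom/example/MainActivity;->onCreate(Landroid/os/Bundle;)V", "Lcom/example/MainActivity;->check()V"),
    ("Lcom/example/MainActivity;->check()V", "Lcom/example/One;->flag(Ljava/lang/String;)Z"),
    ("Lcom/example/One;->flag(Ljava/lang/String;)Z", "Lcom/example/One;->decode([B)Ljava/lang/String;"),
    ("Lcom/example/One;->flag(Ljava/lang/String;)Z", "Ljava/lang/String;->equals(Ljava/lang/Object;)Z"),
    ("Lcom/example/One;->decode([B)Ljava/lang/String;", "Landroid/util/Base64;->decode([BI)[B"),
    ("Lcom/example/Two;->unused()V", "Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I"),
]

def is_framework(node):
    return node.startswith(FRAMEWORK)

def walk(start, adj):
    """Breadth-first search: every node reachable from `start` through `adj`."""
    seen, queue = set(start), deque(start)
    while queue:
        for nxt in adj[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def slice_call_graph(edges, class_re, method_name):
    """Return (app_edges, api_calls) for the slice around class_re->method_name."""
    target = re.compile(rf"^{class_re}->{re.escape(method_name)}\(")
    fwd, rev = defaultdict(set), defaultdict(set)
    for caller, callee in edges:
        fwd[caller].add(callee)
        rev[callee].add(caller)
    seeds = {n for n in set(fwd) | set(rev) if target.match(n)}
    down = walk(seeds, fwd)   # everything the target calls, transitively
    up = walk(seeds, rev)     # everything that can lead to the target
    keep = down | up
    app_edges = sorted(
        (a, b) for a, b in edges
        if a in keep and b in keep and not is_framework(a) and not is_framework(b)
    )
    api_calls = sorted(n for n in down if is_framework(n))
    return app_edges, api_calls

if __name__ == "__main__":
    print(slice_call_graph(SAMPLE_EDGES, r"L.*/One;", "flag"))
```

The framework APIs are returned separately instead of being discarded, because the APIs a method ends up calling are often what a reviewer wants to look at first.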

Control Flow Graph

A control flow graph is a diagram that shows the flow of control in a method or function. It is a visual representation of the method/function logic, showing how the method/function instructions are executed in order.
We use Androguard to generate the control flow graph.
To use this feature, first make sure you have installed:
sudo apt-get install graphviz
pip install -U pydot
Then use this command:
androguard decompile -o outputfolder -f png -i someapp.apk --limit "^Lcom/elite/.*"
--limit works like a regular expression, so that a CFG is created only for the specified functions. This will decompile the app someapp.apk into the folder outputfolder and limit the processing to all methods where the class name starts with com.elite. Creating a CFG for all functions takes multiple hours.
Example of output:

Tasks

Installing InsecureBank APK.
Find vulnerabilities in Activity
Open Important activities without login.
Find vulnerabilities in Content Provider
Change the password without knowing the username.
Delete logins tracks.
Find Vulnerabilities in Broadcast Receivers
Fetch clear-text password of user.
Password Decryption
Find the cryptography cipher
Try to decrypt the encrypted data
Hint
Find the vulnerability in login functionality