A curated list of awesome Android reverse engineering tools.
smali/baksmali is an assembler/disassembler for the dex format used by dalvik, Android’s Java VM implementation. The syntax is loosely based on Jasmin’s/dedexer’s syntax, and supports the full functionality of the dex format (annotations, debug info, line info, etc.)
AndBug is a debugger targeting the Android platform’s Dalvik virtual machine intended for reverse engineers and developers. It uses the same interfaces as Android’s Eclipse debugging plugin, the Java Debug Wire Protocol (JDWP) and Dalvik Debug Monitor (DDM) to permit users to hook Dalvik methods, examine process state, and even perform changes.
Unlike Google’s own Android Software Development Kit debugging tools, AndBug does not require or expect source code. It does, however, require that you have some level of comfort with Python, as it uses a concept of scripted breakpoints, called “hooks”, for most nontrivial tasks.
Androguard is a full python tool to play with Android files.
- DEX, ODEX
- Android’s binary xml
- Android resources
- Disassemble DEX/ODEX bytecodes
- Decompiler for DEX/ODEX files
A tool for reverse engineering 3rd party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them after making some modifications; it makes possible to debug smali code step by step. Also it makes working with an app easier because of project-like file structure and automation of some repetitive tasks like building apk, etc.
- Disassembling resources to nearly original form (including resources.arsc, classes.dex, 9.png. and XMLs)
- Rebuilding decoded resources back to binary APK/JAR
- Organizing and handling APKs that depend on framework resources
- Smali Debugging (Removed in 2.1.0 in favor of IdeaSmali)
- Helping with repetitive tasks
Android Framework for Exploitation is a framework for exploiting android based devices and applications.
This tool leverages Cydia Substrate to bypass signature and permission checks for IPCs.
This tool leverages Cydia Substrate to make all applications running on the device debuggable; once installed any application will let a debugger attach to them.
Dare is a project which aims at enabling Android application analysis. The Dare tool retargets Android applications in .dex or .apk format to traditional .class files. These .class files can then be processed by existing Java tools, including decompilers. Thus, Android applications can be analyzed using a vast range of techniques developed for traditional Java applications.
Tools to work with android .dex and java .class files.
Enjarify is a tool for translating Dalvik bytecode to equivalent Java bytecode. This allows Java analysis tools to analyze Android applications.
Dedexer is a disassembler tool for DEX files. DEX is a format introduced by the creators of the Android platform. The format and the associated opcode set is in distant relationship with the Java class file format and Java bytecodes. Dedexer is able to read the DEX format and turn into an “assembly-like format”. This format was largely influenced by the Jasmin syntax but contains Dalvik opcodes. For this reason, Jasmin is not able to compile the generated files.
An Android Dynamic Analysis Tool.
The aim of the project is to demonstrate that a simple debugging functionality on *nix systems a.k.a ptrace() can be abused by malware to inject malicious code in remote processes. Indroid provides CreateRemoteThread() equivalent for ARM based *nix devices.
If you want to get a more deeper insight into the working of the framework you may:
- Watch the Defcon 19 video on Jugaad – http://www.youtube.com/watch?v=vju6tq1lp0k
- Read the paper – http://www.slideshare.net/null0x00/project-jugaad
Intent Sniffer is a tool that can be used on any device using the Google Android operating system (OS). On the Android OS, an Intent is description of an action to be performed, such as startService to start a service. The Intent Sniffer tool performs monitoring of runtime routed broadcasts Intents. It does not see explicit broadcast Intents, but defaults to (mostly) unprivileged broadcasts. There is an option to see recent tasks Intents (GET_TASKS), as Activity’s intents are visible when started. The tool can also dynamically update Actions & Categories.
Blackbox tool to help understand what an Android application is doing at runtime and assist in the identification of potential security issues.
Jad is a Java decompiler.
JD-GUI is a standalone graphical utility that displays Java source codes of “.class” files. You can browse the reconstructed source code with the JD-GUI for instant access to methods and fields.
CFR will decompile modern Java features – Java 8 lambdas (pre and post Java beta 103 changes), Java 7 String switches etc, but is written entirely in Java 6.
Krakatau currently contains three tools – a decompiler and disassembler for Java classfiles and an assembler to create classfiles.
While still incomplete, tests seem to indicate that the Procyon decompiler can generally hold its own against the other leading Java decompilers out there.
Fernflower is the first actually working analytical decompiler for Java.
Redexer is a reengineering tool that manipulates Android app binaries. This tool is able to parse a DEX file into an in-memory data structure; to infer with which parameters the app uses certain permissions (we name this feature RefineDroid); to modify and unparse that data structure to produce an output DEX file (we name these features Dr. Android, which stands for Dalvik Rewriting for Android).
Simplify virtually executes an app to understand its behavior and then tries to optimize the code so that it behaves identically but is easier for a human to understand. Each optimization type is simple and generic, so it doesn’t matter what the specific type of obfuscation is used.
24. Bytecode viewer
Bytecode Viewer is an Advanced Lightweight Java Bytecode Viewer, GUI Java Decompiler, GUI Bytecode Editor, GUI Smali, GUI Baksmali, GUI APK Editor, GUI Dex Editor, GUI APK Decompiler, GUI DEX Decompiler, GUI Procyon Java Decompiler, GUI Krakatau, GUI CFR Java Decompiler, GUI FernFlower Java Decompiler, GUI DEX2Jar, GUI Jar2DEX, GUI Jar-Jar, Hex Viewer, Code Searcher, Debugger and more.
It’s written completely in Java, and it’s open sourced. It’s currently being maintained and developed by Konloch.
There is also a plugin system that will allow you to interact with the loaded classfiles, for example you can write a String deobfuscator, a malicious code searcher, or something else you can think of.
You can either use one of the pre-written plugins, or write your own. It supports groovy scripting. Once a plugin is activated, it will execute the plugin with a ClassNode ArrayList of every single class loaded in BCV, this allows the user to handle it completely using ASM.
r2 is a rewrite from scratch of radare in order to provide a set of libraries and tools to work with binary files.
Radare project started as a forensics tool, a scriptable command-line hexadecimal editor able to open disk files, but later added support for reversing apks, analyzing binaries, disassembling code, debugging programs, attaching to remote gdb servers, etc…
26. JEB for Android
JEB is a modular reverse engineering platform for professionals. Its extensible nature allows reverse engineers to perform disassembly, decompilation, debugging, and analysis of code and document files, manually or as part of an analysis pipeline.
JEB for Android ships with specialized modules to statically and dynamically analyze Android applications, goodware or badware, small or large.