Intrepidus Group
Insight

Pulling and finding APKs without root on Android

Posted: April 14, 2011 – 9:22 am | Author: benn | Filed under: android, Conferences, Mobile Security

A number of us attended the NY/NJ OWASP meeting last night in New York. It featured great talks from Brad Antoniewicz on proximity card cloning and Jason Rouse on mobile pen-testing. Hats off to Jason who got crazy and donned one of our luchadora masks for his section on Android app testing. Nacho was proud.

The talk reminded me of a simple Android trick that I find people often aren’t aware of. From time to time (although increasingly rarely) we have a non-rooted Android device that we need to pull an APK file from. Since we’re not root, we can’t list the /data/app directory to locate the name of the APK file we want to pull. There are a few ways you can tackle finding the name of the APK file, but what I find is the quickest way for me is to pull the packages.xml file.

adb pull /data/system/packages.xml

As the name indicates, this is an XML file of all the packages installed on the device (both system apps and user installed apps). A quick grep of a key word you think is in the package name should pull back the information you’re looking for with a “codePath” attribute that will point to the APK.

<package name="com.nxp.nfc.tagwriter"
    codePath="/data/app/com.nxp.nfc.tagwriter-1.apk"
    nativeLibraryPath="/data/data/com.nxp.nfc.tagwriter/lib" flags="0"
    ft="12f0c2af6e8" it="12f0c2afba2" ut="12f0c2afba2" version="8"
    userId="10062" installer="com.google.android.feedback">

At this point, if the application is in the /data/app directory, you can pull the APK file off the device even if you are not rooted. However, if the application is forward locked in the /data/app-private directory, then you’re out of luck until you root the device.

Another trick if you ARE rooted: notice the items in the “perms” tags in the packages.xml file. Is there an app that has a permission you don’t want it to have? Go BlackBerry permission style on it and drop permissions you don’t want it to have from the packages.xml file. Push back the packages.xml file (and check the file permissions and owner), then restart the device. Your mileage will vary here with how well this will work with an application, since in many cases developers haven’t written exception handling to fail gracefully if the application loses a permission, but I think it’s an interesting thing to try out.
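
As an added example (not code from the original post), here is a Python alternative to grepping a pulled packages.xml: it returns each matching package's codePath, whether the APK sits in the forward-locked /data/app-private directory, and the entries under its “perms” tag. The sample XML is constructed; the second package and all permission items are made up for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the packages.xml layout described in the post. The
# first entry reuses the attributes shown above; the second entry and every
# <perms> item are made up for illustration.
SAMPLE_PACKAGES_XML = """<packages>
  <package name="com.nxp.nfc.tagwriter"
           codePath="/data/app/com.nxp.nfc.tagwriter-1.apk"
           nativeLibraryPath="/data/data/com.nxp.nfc.tagwriter/lib" flags="0"
           version="8" userId="10062" installer="com.google.android.feedback">
    <perms>
      <item name="android.permission.NFC" />
    </perms>
  </package>
  <package name="com.example.paidgame"
           codePath="/data/app-private/com.example.paidgame-1.apk"
           flags="0" version="3" userId="10063">
    <perms>
      <item name="android.permission.INTERNET" />
    </perms>
  </package>
</packages>
"""


def find_packages(xml_text, keyword):
    """Return one dict per <package> whose name contains keyword."""
    results = []
    for pkg in ET.fromstring(xml_text).iter("package"):
        name = pkg.get("name", "")
        if keyword.lower() not in name.lower():
            continue
        code_path = pkg.get("codePath", "")
        results.append({
            "name": name,
            "codePath": code_path,
            # Per the post: APKs under /data/app-private are forward locked
            # and cannot be pulled from a non-rooted device.
            "forward_locked": code_path.startswith("/data/app-private/"),
            "installer": pkg.get("installer"),
            "perms": [item.get("name") for item in pkg.findall("perms/item")],
        })
    return results


if __name__ == "__main__":
    for hit in find_packages(SAMPLE_PACKAGES_XML, "nfc"):
        print(hit)
```
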

I’d also recommend checking out Tim Strazzere’s blog, which has a nice breakdown on the “installer” attribute in the packages.xml file and ways to set this, even on those days you don’t feel like being root.

Update: Quine reminded me of his way to return package names. He uses the “pm list packages -f” command in adb shell. Take a look at our next blog post.
