In our next blog post, we talk about the tools we’re using for decompiling Android applications during assessments. This is just a quick visual breakdown of how they each handle some code. Let’s take a look at the Open Source WordPress application for Android. Here is the actual source code for the signup class:
First, we compiled the WordPress application, then ran undx against the APK file. This screenshot is from loading the jar that undx produces into JD-GUI and locating the signup class. Notice the lack of variable names and the URL string among other issues:
Next is the output from Dex2Jar, also loaded into JD-GUI. This is much closer to the original source code:
Smali / Baksmali:
Unfortunately, the smali/baksmali output doesn’t screenshot nicely, but just for reference, here’s how most of that looks (this is with the debug flag and pulling out newlines):
We mentioned we’ve been using smali quite a bit and feel it’s the most reliable out of the three. Sometimes the undx and dex2jar decompilation will fail to return useful code. Here’s one case of what that can look like:
Overall, we find a number of these tools useful in our assessments. The next blog post will go into a few pitfalls we’ve had. Please stay tuned.