Resources to Get Started with Android App Security

Around 2015 I found myself training a number of junior researchers in how to analyze Android Apps. I developed this guide with pointers to books and resources. This guide, and/or the books that it points to, may be well out of date at this point. I share it here in case someone finds it useful.

I recommend using the following sources as references. First, lightly skim the recommended topics to get a sense of what is going on. The idea is not to become an expert — it’s to figure out what questions to ask, and where to find answers. You can refer back to these resources as you work and fill in gaps in your knowledge.

Books:

Click the link for full bib info.

Dalvik References:

Dalvik is the register-based virtual machine that Android apps are compiled for: the app’s Java source is compiled to Java bytecode, then converted into Dalvik bytecode stored in the .dex file(s) inside the APK. (Since Android 5.0 the runtime is ART rather than Dalvik, but it still executes the same .dex format, so everything below still applies.) The human-readable assembly form of Dalvik bytecode produced by the baksmali/smali disassembler and assembler is commonly called “smali.” You will find the following references helpful.

  • http://source.android.com/devices/tech/dalvik/dalvik-bytecode.html
  • http://davidehringer.com/software/android/The_Dalvik_Virtual_Machine.pdf
  • http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html
  • https://code.google.com/p/smali/wiki/Registers
  • https://code.google.com/p/smali/wiki/TypesMethodsAndFields
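To get a feel for what the bytecode references above describe, it helps to look at the container that holds it. The following is an added example, not code from the original post: it builds a minimal, constructed .dex image in memory (header only, no classes, so nothing would load it as an app), parses the header fields defined in the dex-format documentation, and verifies the Adler-32 checksum and SHA-1 signature that the runtime checks on load. The same check is useful when you suspect a repackaged or hand-patched .dex, since a naive patch that does not recompute the header fails both checks.

```python
"""Parse and verify the header of a Dalvik .dex file.

Added example (not from the original post). Layout follows the dex-format
spec referenced above: 8-byte magic, uint32 checksum, 20-byte SHA-1
signature, then twenty little-endian uint32 fields (header_size = 0x70).
"""
import hashlib
import struct
import zlib

HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678
# Header fields after magic, checksum and signature, in spec order.
_FIELDS = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off",
    "map_off", "string_ids_size", "string_ids_off", "type_ids_size",
    "type_ids_off", "proto_ids_size", "proto_ids_off", "field_ids_size",
    "field_ids_off", "method_ids_size", "method_ids_off",
    "class_defs_size", "class_defs_off", "data_size", "data_off",
)
_FIELDS_FMT = "<" + "I" * len(_FIELDS)


def parse_header(data: bytes) -> dict:
    """Return the header fields of a .dex image as a dict.

    Raises ValueError on a bad magic or a truncated header.
    """
    if len(data) < HEADER_SIZE:
        raise ValueError("truncated header")
    magic = data[:8]
    if magic[:4] != b"dex\n" or magic[7:8] != b"\x00":
        raise ValueError("bad magic %r" % magic)
    hdr = {"version": magic[4:7].decode("ascii")}
    hdr["checksum"] = struct.unpack_from("<I", data, 8)[0]
    hdr["signature"] = data[12:32]
    hdr.update(zip(_FIELDS, struct.unpack_from(_FIELDS_FMT, data, 32)))
    return hdr


def verify(data: bytes) -> list:
    """Return a list of integrity problems; an empty list means consistent."""
    problems = []
    hdr = parse_header(data)
    # The checksum covers everything after the checksum field itself.
    if zlib.adler32(data[12:]) & 0xFFFFFFFF != hdr["checksum"]:
        problems.append("adler32 checksum mismatch")
    # The signature covers everything after the signature field.
    if hashlib.sha1(data[32:]).digest() != hdr["signature"]:
        problems.append("sha1 signature mismatch")
    if hdr["file_size"] != len(data):
        problems.append("file_size %d != actual %d" % (hdr["file_size"], len(data)))
    if hdr["header_size"] != HEADER_SIZE:
        problems.append("unexpected header_size 0x%x" % hdr["header_size"])
    if hdr["endian_tag"] != ENDIAN_CONSTANT:
        problems.append("big-endian dex not supported")
    return problems


def build_minimal_dex() -> bytes:
    """Constructed sample: a header-only .dex with correct checksum and signature.

    All table counts are zero, so it is not a loadable app, only a parser input.
    """
    fields = dict.fromkeys(_FIELDS, 0)
    fields.update(file_size=HEADER_SIZE, header_size=HEADER_SIZE,
                  endian_tag=ENDIAN_CONSTANT, data_off=HEADER_SIZE)
    tail = struct.pack(_FIELDS_FMT, *(fields[f] for f in _FIELDS))
    signature = hashlib.sha1(tail).digest()
    body = signature + tail                      # everything after the checksum
    checksum = zlib.adler32(body) & 0xFFFFFFFF
    return b"dex\n035\x00" + struct.pack("<I", checksum) + body


if __name__ == "__main__":
    good = build_minimal_dex()
    print("version", parse_header(good)["version"], "problems", verify(good))
    # Flip one header byte without recomputing checksum/signature, as a
    # careless patch would: both integrity checks now report a mismatch.
    tampered = bytearray(good)
    tampered[32 + 4 * _FIELDS.index("link_size")] ^= 0x01
    print("tampered problems", verify(bytes(tampered)))
```

Tools such as APKtool and smali recompute the checksum and signature when they rebuild a .dex, so a clean `verify` result says nothing about whether the file was repackaged; a mismatch, on the other hand, is a reliable sign that something edited the bytes without going through a proper assembler.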

Helpful Papers:

  • Enck et al., “A Study of Android Application Security,” USENIX Security 2011.
  • Reaves et al., “Mo(bile) Money, Mo(bile) Problems: Analysis of Branchless Banking Applications in the Developing World,” USENIX Security 2015.
  • Wei et al., “Amandroid: A Precise and General Inter-component Data Flow Analysis Framework for Security Vetting of Android Apps,” ACM TOPS 2018.

Useful Tools:

  • APKtool: Swiss army knife for manipulating an application package (.apk file). It disassembles the DEX bytecode to smali, decodes the binary AndroidManifest.xml and resources into readable XML, and can rebuild a (re-signable) APK after you edit them.
  • smalidea: Smali plugin for IntelliJ IDEA/Android Studio. Haven’t used, but looks neat.
  • dex2jar: Converts a DEX file (Dalvik bytecode) into a JAR file of .class files (JVM bytecode). Among other things, it lets you use decompilers and analysis tools for Java programs on Android apps. The translation is lossy and can be wrong on unusual code, so confirm anything surprising against the smali.
  • JEB: Commercial tool for reverse engineering Android Apps. Worth the cost for any involved or sophisticated analysis.