Around 2015 I found myself training a number of junior researchers in how to analyze Android Apps. I developed this guide with pointers to books and resources. This guide, and/or the books that it points to, may be well out of date at this point. I share it here in case someone finds it useful.
I recommend using the following sources as references. First, lightly skim the recommended topics to get a sense of what is going on. The idea is not to become an expert — it’s to figure out what questions to ask, and where to find answers. You can refer back to these resources as you work and fill in gaps in your knowledge.
Books:
Click the link for full bib info.
- Beginning Android 4
  - Read Ch. 1, 2, 8, 9, 18, 20, 21, 22, 28; skim 11-14, 17, 18, 23, 32, 34, 35
- Pro Android 4
  - Read Ch. 1, 2 (especially lifecycle — super important), 3, 4, 5, 17, 18, 19; skim 6-9, 13, 14
- Android Security
  - Read Chapters 2, 4, 5, pp. 493-5
- Android apps security
Dalvik References:
Dalvik is the Java VM that all Android apps compile to. Its assembly language is also called “smali.” You will find the following references helpful.
- http://source.android.com/devices/tech/dalvik/dalvik-bytecode.html
- http://davidehringer.com/software/android/The_Dalvik_Virtual_Machine.pdf
- Reference: http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html
- https://code.google.com/p/smali/wiki/Registers
- https://code.google.com/p/smali/wiki/TypesMethodsAndFields
Helpful Papers:
- Enck et al., “A Study of Android Application Security,” USENIX Security 2011.
- Reaves et al., “Mo(bile) Money, Mo(bile) Problems: Analysis of Branchless Banking Applications in the Developing World,” USENIX Security 2015.
- Wei et al., “Amandroid: A Precise and General Inter-component Data Flow Analysis Framework for Security Vetting of Android Apps,” ACM TOPS 2018.
Useful Tools:
- APKtool: Swiss army knife for manipulating an application package (.apk file)
- smalidea: Smali plugin for IntelliJ IDEA/Android Studio. Haven’t used, but looks neat.
- dex2jar: Converts a DEX file (which contains Smali bytecode) into a JAR file (compiled in the Java bytecode, Jasmin). Among other things, it lets you use tools for Java programs on Android apps.
- JEB: Commercial tool for reverse engineering Android Apps. Worth the cost for any involved or sophisticated analysis.