Compare commits
2 commits
c83a81c35a
...
c272d62903
| Author | SHA1 | Date | |
|---|---|---|---|
c272d62903
|
|||
|
9e074cf483
|
3 changed files with 56 additions and 7 deletions
|
|
@ -1,4 +1,5 @@
|
|||
#let ADB = link(<acr-adb>)[ADB]
|
||||
#let API = link(<acr-api>)[API]
|
||||
#let APK = link(<acr-apk>)[APK]
|
||||
#let ART = link(<acr-art>)[ART]
|
||||
#let AXML = link(<acr-axml>)[AXML]
|
||||
|
|
@ -18,6 +19,7 @@
|
|||
[Acronyms], [Meanings],
|
||||
),
|
||||
ADB, [Android Debug Bridge, a tool to connect to an Android emulator of smartphone to run commands, start applications, send events and perform other operations for testing and debuging purpose <acr-adb>],
|
||||
API, [Application Programming Interface, in the Android echosystem, it is a set of classes with known method signatures that can be called by an application to interact with the Android framework <acr-api>],
|
||||
APK, [Android Package, the file format used to install application on Android. The APK format is an extention of the #JAR format <acr-apk>],
|
||||
ART, [Android RunTime, the runtime environement that execute an Android application. The ART is the successor of the older Dalvik Virtual Machine <acr-art>],
|
||||
AXML, [Android #XML. The specific flavor of #XML used by Android. The main specificity of AXML is that it can be compile in a binary version inside an APK <acr-axml>],
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
#import "../lib.typ": todo, APK, JAR, AXML, ART, SDK, JNI, NDK, DEX, XML
|
||||
#import "../lib.typ": todo, APK, JAR, AXML, ART, SDK, JNI, NDK, DEX, XML, API
|
||||
|
||||
== Android <sec:bg-android>
|
||||
|
||||
|
|
@ -76,7 +76,7 @@ The `R.java` file allows the developer to refere to ressources with readable nam
|
|||
The source code is then compile.
|
||||
The most common programming langages used for Android application are Java and Kotlin.
|
||||
Both are first compiled to java bytecode in `.class` files using the langage compiler.
|
||||
To allow access to the Android API, the `.class` are linked during the compilation to an `android.jar` file that contains classes with the same signatures as the one in the Android API for the targeted SDK.
|
||||
To allow access to the Android #API, the `.class` are linked during the compilation to an `android.jar` file that contains classes with the same signatures as the one in the Android #API for the targeted SDK.
|
||||
The `.class` files are the converted to #DEX files using `d8`.
|
||||
During those steeps, both the original langage compiler and `d8` can perform optimizations on the classes.
|
||||
|
||||
|
|
@ -95,8 +95,48 @@ Since 2021, Google require that new applications in the Google Play app store to
|
|||
The main difference is that Google will perform the last packaging steps and generate (and sign) the application itself.
|
||||
This allow Google to generate different applications for different target, and avoid including unnecessary files in the application like native code targetting the wrong architecture.
|
||||
|
||||
|
||||
|
||||
=== Android Runtime <sec:bg-art>
|
||||
|
||||
#todo[NDK / JDK, java runtime, intent]
|
||||
Android runtime environement has many specificities that sets it appart from other platforms.
|
||||
An heavy heavy empasis is put on isolating the applications from one another as well from the systems critical capabilities.
|
||||
The code execution itself can be confusing at first.
|
||||
Instead of the usual linear model with a single entry point, applications have many entrypoints that are called by the Android framework in accordance to external events.
|
||||
|
||||
==== Application Architecture
|
||||
|
||||
#todo[Subsection name?]
|
||||
|
||||
Android application expose their componants to the Android Runtime (#ART) via classes inheriting specific classes from the Android SDK.
|
||||
They are four type of application commponents, that serves as entry points for application.
|
||||
Each has a class associated to it, and serves a different role.
|
||||
|
||||
/ Activities: An activity represent a single screen with a user interface. This is the componant used to interact with a user.
|
||||
/ Services: A service serves as en entrypoint to run the application in the background.
|
||||
/ Broadcast receivers: A broadcast receiver is an entry point used when a matching event is broadcasted by the system. They allow to application responce to event event when not started.
|
||||
/ Content providers: A content provider is a componant that manage data accessible by other app through the content provider.
|
||||
|
||||
Componant must be listed in the `AndroidManifest.xml` of the application so that the system nows of them.
|
||||
In the course of a componant live cicle, the system will call specifics methods defined by the classes associated to each componant type.
|
||||
Those methods are to be overrident by the classes defined in the application if they are specific action to be perfomed.
|
||||
For instance, an activitymight compute some values in `onCreate()`, called when the activity is created, save the value of those variable to the file system in `onStop()`, called when the acitivity stop being visible to the user, and recover the saved values in `onRestart()`, called when the user navigate back to the activity.
|
||||
|
||||
In addition to the componants declared in the manifest that act as entry points, the Android #API heavily relies on callbacks.
|
||||
The most obvious cases are for the user interface, for example a button will call a callback method defined by the application when clicked.
|
||||
Other part of the #API also rely on non-linear execution, for example when an application send an itent (see @sec:bg-sandbox), the intent sent in responce is transmitted to back to the application by calling another method.
|
||||
|
||||
==== Application Isolation and Interprocess Communication <sec:bg-sandbox>
|
||||
|
||||
On Android, each application has its own storage folders and the application process are isolated from other applications and the hardware interfaces.
|
||||
This sandboxing is done using Linux security features like group and user permissions, SELinux, and seccomp.
|
||||
The sandboxing is adjusted according to the permissions requested in the `AndroidManifest.xml` file of the applications.
|
||||
In addition, most feature of the Android system can only be accessed through Binder, Android main interprocess communication channel.
|
||||
|
||||
Binder is a componant of tha Android framework, external to the application, that all applications can communicate with.
|
||||
Applicatians can send messages to Binder, called *intent*, that will check if the application is allowed to send it then foward it to the appropriate componant that can then responce with another intent.
|
||||
Applications can also receive intent must declare intent filters to indicate which intent can be send to the application, and which classes receive the intents.
|
||||
Intent are central to Android applications and are not used just to access Android capabilities.
|
||||
For instance, the activities and services are started by receiving intent, and it is not uncommon for application to send intents to itself to switch activities.
|
||||
Intent can also be sent directly from Android to the application: when a user starts an application by tapping the app icons, Android will send an intent to the class of the application that defined the intent filter for the `android.intent.action.MAIN` intent.
|
||||
One interesting feature of the Binder is that intent do not need to explicitly name the targetted application and class: intent can be implicit and request an action without knowing the exact application that will performed it.
|
||||
An example of this behavior is when an application whant open a file: an `android.intent.action.VIEW` intent is sent with the file location, and Binder will find an application capable of viewing the file.
|
||||
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
#import "../lib.typ": todo, APK, IDE, SDK, DEX, ADB, ART, eg, XML, AXML
|
||||
#import "../lib.typ": todo, APK, IDE, SDK, DEX, ADB, ART, eg, XML, AXML, API
|
||||
|
||||
== Android Reverse Engineering Tools <sec:bg-tools>
|
||||
|
||||
|
|
@ -69,6 +69,13 @@ Compared to Soot, it has a modernize interface and architecture, but it is not y
|
|||
|
||||
=== Frida <sec:bg-frida>
|
||||
|
||||
Fidra#footnote[https://frida.re/] is a dynamic intrumentation toolki.
|
||||
Fidra#footnote[https://frida.re/] is a dynamic intrumentation toolkit.
|
||||
It allows the reverse engineer to inject and run javascript code inside a running application.
|
||||
|
||||
To instrument an application, the frida server must be running as root on the phone, or the frida librairy must be injected inside the #APK file before installing it.
|
||||
Frida defines a javascript wrapper arround the Java Native Interface (JNI) used by native code to interact with Java classes and the Android i#API.
|
||||
In addition to allowing interaction with Java objects from the application and the Android API, this wrapper provide the option to replace a method implementation by a javascript function (that itself can call the original method implementation if needed).
|
||||
This make Frida a powerfull tool capable of collecting runtime informations or modifying the behavior of an application as needed.
|
||||
|
||||
The main drawback of using Frida is that it is a known tools easily detected by applications.
|
||||
Malware might implement countermeasures that avoid running malicious payload in presence of Frida.
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue