The first step in every Android security assessment is to obtain the .APK file, which is the actual application. In the majority of cases the client is responsible for providing this file, especially when the application is not publicly available. However, if for whatever reason this is not possible (e.g. the client has requested a black box assessment), then it is up to the consultant to obtain the file.
There are three different scenarios for retrieving an APK file:
- Client provides the APK file directly
- Application is available on Google Play Store
- Application is already installed on the phone
If the client provides the APK file, then everything is ready and the consultant can start the assessment. So let's explore the other two scenarios.
Google Play Store
For applications that are already installed on the Android phone, the consultant can start testing immediately by using Burp. However, this covers only dynamic analysis. To perform the full assessment, the APK file is essential as well: for static analysis of the files it contains, such as the manifest file, and for reverse engineering the application to investigate further vulnerabilities.
Tools such as Drozer and adb can reveal the location of the APK file on the phone.
The first step is to obtain the list of applications that are installed on the phone with the following command:
The location of where the .APK file is stored on the device can be discovered with the following:
Drozer can also be used to identify APK files on the phone. From the drozer console the following command can be executed to obtain the APK path:
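The adb steps described above (list the installed packages, find where the APK is stored, copy it off the device), written out as an added example rather than the article's original commands. The function names, the package name `com.example.bank` and the sample `pm path` output are constructed for illustration; it assumes `adb` is on the PATH and a device under assessment is connected with USB debugging enabled.

```shell
#!/bin/sh
# Added example: locate and pull an installed application's APK(s) with adb.

# Both `pm list packages` and `pm path` print "package:<value>" lines.
# Strip the prefix and the trailing \r that some adb shells emit.
strip_pm_prefix() {
    tr -d '\r' | sed -n 's/^package://p'
}

# Accept only plain package names so nothing else reaches the device shell.
is_package_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_.]*) return 1 ;;
    esac
}

# Step 1: list installed packages (-3 limits the list to third-party apps).
list_packages() {
    adb shell pm list packages -3 | strip_pm_prefix | sort
}

# Step 2 and 3: resolve the on-device APK path(s) for package $1 and copy
# them into $2/<package>/. An app delivered as split APKs has several paths.
pull_apks() (
    pkg="$1"
    out="${2:-.}"
    is_package_name "$pkg" || { echo "invalid package name: $pkg" >&2; exit 2; }
    mkdir -p "$out/$pkg"
    adb shell pm path "$pkg" < /dev/null | strip_pm_prefix |
    while IFS= read -r path; do
        # </dev/null stops adb from consuming the remaining path list.
        adb pull "$path" "$out/$pkg/$(basename "$path")" < /dev/null
    done
)

# Constructed sample of `adb shell pm path com.example.bank` output,
# including CRLF line endings and a split APK.
sample_pm_path() {
    printf 'package:/data/app/com.example.bank-1/base.apk\r\n'
    printf 'package:/data/app/com.example.bank-1/split_config.arm64_v8a.apk\r\n'
}

# Usage: list_packages
#        pull_apks com.example.bank ./apks
```

Pulling every path that `pm path` returns matters for static analysis, because with split APKs the base file alone does not contain all of the application's native libraries and resources.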
This article explained the different scenarios for identifying and retrieving APK files, either on the phone or from the Google Play Store. This is an important step in the process of reverse engineering any mobile application.