Android App Recon

Get certificate information of an app from its v1 (JAR) signature. The signature block is usually META-INF/CERT.RSA, but the name is not fixed (CERT.DSA, CERT.EC or any other *.RSA/*.DSA/*.EC name is valid), so list META-INF first with unzip -l app.apk 'META-INF/*' and adjust the path :

unzip -p app.apk META-INF/CERT.RSA | openssl pkcs7 -inform DER -noout -print_certs -text

Apps signed only with the v2/v3 scheme have no such file; their certificates live in the APK Signing Block, which apksigner verify --print-certs app.apk (SDK build-tools) prints.
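The two places a signing certificate can hide, as an added example (not code from the original page): it uses only the standard library, finds the v1 signature file whatever it is called, and reports which scheme IDs the APK Signing Block carries. It runs on an APK constructed inline (build_sample_apk, with dummy signature payloads); on a real APK, pass each name returned by v1_signature_files() to the unzip/openssl pipeline above.

```python
"""Locate an APK's signing certificates before handing them to openssl.

Added example, not code from the original page. Standard library only; the
sample APK built by build_sample_apk() is constructed input with dummy
signature payloads.
"""
import io
import struct
import zipfile

# Block IDs used inside the APK Signing Block (values from AOSP's apksig)
SIG_BLOCK_IDS = {0x7109871A: "v2", 0xF05368C0: "v3", 0x1B93AD61: "v3.1"}
APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
EOCD_MAGIC = b"PK\x05\x06"
V1_SUFFIXES = (".RSA", ".DSA", ".EC")  # PKCS#7 signature block file extensions


def _eocd(apk: bytes):
    """(central directory offset, size, EOCD record offset) from the ZIP EOCD."""
    idx = apk.rfind(EOCD_MAGIC)
    if idx < 0:
        raise ValueError("not a ZIP/APK: no end-of-central-directory record")
    cd_size, cd_offset = struct.unpack_from("<II", apk, idx + 12)
    return cd_offset, cd_size, idx


def v1_signature_files(apk: bytes) -> list:
    """META-INF/*.RSA|DSA|EC entries: the v1 (JAR) signature blocks, whatever their name."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        return sorted(n for n in z.namelist()
                      if n.upper().startswith("META-INF/") and n.upper().endswith(V1_SUFFIXES))


def signing_block_schemes(apk: bytes) -> dict:
    """scheme name -> raw value for every ID-value pair in the APK Signing Block.

    Layout (little-endian): uint64 size | pairs | uint64 size | 16-byte magic, ending
    exactly at the central directory; each pair is uint64 length | uint32 ID | value.
    Returns {} when the APK carries no block (v1-only signing). Unknown IDs are hex.
    """
    cd_offset, _, _ = _eocd(apk)
    if cd_offset < 24 or apk[cd_offset - 16:cd_offset] != APK_SIG_BLOCK_MAGIC:
        return {}
    (size,) = struct.unpack_from("<Q", apk, cd_offset - 24)
    start = cd_offset - size - 8           # position of the leading size field
    if start < 0 or struct.unpack_from("<Q", apk, start)[0] != size:
        raise ValueError("corrupt APK Signing Block: size fields disagree")
    found, pos, end = {}, start + 8, cd_offset - 24
    while pos < end:
        (length,) = struct.unpack_from("<Q", apk, pos)
        (block_id,) = struct.unpack_from("<I", apk, pos + 8)
        found[SIG_BLOCK_IDS.get(block_id, hex(block_id))] = apk[pos + 12:pos + 8 + length]
        pos += 8 + length
    return found


def build_sample_apk(v1_name="META-INF/APP.EC", v2=True) -> bytes:
    """Constructed sample input: a tiny APK with a dummy v1 signature file (note the
    non-default name) and, optionally, an APK Signing Block holding a dummy v2 entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        if v1_name:
            z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            z.writestr(v1_name, b"\x30\x00")     # stands in for the PKCS#7 blob
    apk = buf.getvalue()
    if not v2:
        return apk
    value = b"dummy-v2-signer"
    pair = struct.pack("<QI", 4 + len(value), 0x7109871A) + value
    size = len(pair) + 8 + 16                      # pairs + trailing size + magic
    block = struct.pack("<Q", size) + pair + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    cd_offset, _, eocd_idx = _eocd(apk)
    eocd = bytearray(apk[eocd_idx:])
    struct.pack_into("<I", eocd, 16, cd_offset + len(block))   # CD moved past the block
    return apk[:cd_offset] + block + apk[cd_offset:eocd_idx] + bytes(eocd)


if __name__ == "__main__":
    sample = build_sample_apk()
    print("v1 signature files:", v1_signature_files(sample))
    print("signing block schemes:", list(signing_block_schemes(sample)))
```

The block only tells you which schemes are present; the actual signer certificates inside a v2/v3 entry are protobuf-free length-prefixed structures that apksigner already decodes, so use it for the certificate details.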

Android Shell Commands

  • Get all packages : pm list packages
  • Get all packages along with apk file path : pm list packages -f
  • Get only the package names : pm list packages -f | sed -e 's/.*=//' | sed 's/\r//g' | sort (the greedy .*= strips up to the last '=', which matters because install paths on recent Android contain '==' base64 padding; the \r removal is needed because adb shell returns CRLF)
  • Get all activities of a package : dumpsys package <package-name> | grep -i "<package-name>" | grep Activity
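The same parsing done in Python, as an added example (not from the original page): the sed pipeline above works because it splits on the last '=', and this function does the same while tolerating the CRLF that adb shell emits. The sample output is constructed, not captured from a device.

```python
"""Parse `pm list packages -f` output into {package: apk_path}.

Added example, not from the page. SAMPLE_OUTPUT is constructed; the '~~...=='
directories mirror the install path layout of recent Android versions, which
is why the split must be on the LAST '='.
"""
SAMPLE_OUTPUT = (
    "package:/system/priv-app/Settings/Settings.apk=com.android.settings\r\n"
    "package:/data/app/~~Q3fK9w==/com.example.target-R2d2==/base.apk=com.example.target\r\n"
    "package:/product/app/Calendar/Calendar.apk=com.android.calendar\r\n"
)


def parse_pm_list(output: str) -> dict:
    """{package_name: apk_path}, tolerating CRLF line endings and '=' inside paths."""
    result = {}
    for line in output.splitlines():
        line = line.strip()                      # drops the \r left by adb shell
        if not line.startswith("package:"):
            continue                             # warnings or blank lines
        path, sep, pkg = line[len("package:"):].rpartition("=")
        if sep and path and pkg:
            result[pkg] = path
    return result


def package_names(output: str) -> list:
    """Sorted package names only, the equivalent of the sed | sort pipeline."""
    return sorted(parse_pm_list(output))


if __name__ == "__main__":
    for pkg, path in parse_pm_list(SAMPLE_OUTPUT).items():
        print(pkg, "->", path)
```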

Viewing .so file content

  • List exported (defined) function names: nm -D --defined-only <lib.so>
  • List function names from the dynamic symbol table: objdump -T <lib.so> | grep text
  • Get full info (headers, relocations, symbols, disassembly): objdump -Dslx <lib.so> | more
  • Disassemble with source interleaved where debug info exists: objdump -S <lib.so> | more (release builds are stripped, so this normally shows only the disassembly)

Plain nm is useless on a stripped library because .symtab is removed; -D reads .dynsym, which must survive stripping since the loader resolves JNI_OnLoad and Java_* entry points through it. A host objdump built for x86 will not disassemble arm64-v8a or armeabi-v7a libraries; the NDK ships llvm-objdump and llvm-nm under toolchains/llvm/prebuilt/<host>/bin, which accept the same flags shown here and handle every Android ABI.

If you are on Mac, the default objdump is Apple's LLVM build and does not accept all of these flags. Install GNU binutils with brew install binutils; it is keg-only, so run the tools from $(brew --prefix binutils)/bin or add that directory to PATH.
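What `nm -D --defined-only` actually reads, as an added example (not code from the original page): a standard-library parser of the ELF64 .dynsym/.dynstr sections that lists exported functions and separates them from imports. It runs on a minimal library constructed inline (build_sample_so); the same function works on a real arm64-v8a or x86_64 .so read from disk. Only little-endian ELF64 is handled.

```python
"""List the functions a native library exports, the way `nm -D --defined-only` does.

Added example, not code from the original page. build_sample_so() is a
constructed minimal shared object used as input; dynamic_functions() also works
on real ELF64 little-endian libraries (arm64-v8a, x86_64).
"""
import struct

SHT_PROGBITS, SHT_STRTAB, SHT_DYNSYM = 1, 3, 11
STT_FUNC, STB_GLOBAL, SHN_UNDEF = 2, 1, 0
ELF_HDR, SEC_HDR, SYM = "<16sHHIQQQIHHHHHH", "<IIQQQQIIQQ", "<IBBHQQ"


def dynamic_functions(elf: bytes) -> dict:
    """{name: (defined?, st_value)} for every STT_FUNC symbol in .dynsym."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("only little-endian ELF64 is supported")
    hdr = struct.unpack_from(ELF_HDR, elf, 0)
    shoff, shentsize, shnum = hdr[6], hdr[11], hdr[12]
    sections = [struct.unpack_from(SEC_HDR, elf, shoff + i * shentsize) for i in range(shnum)]
    dynsym = next((s for s in sections if s[1] == SHT_DYNSYM), None)
    if dynsym is None:            # no dynamic symbol table: nothing is exported
        return {}
    _, _, _, _, sym_off, sym_size, link, _, _, entsize = dynsym
    str_off = sections[link][4]   # sh_link of .dynsym is the index of .dynstr

    def name_at(off: int) -> str:
        return elf[str_off + off:elf.index(b"\0", str_off + off)].decode()

    funcs = {}
    for pos in range(sym_off, sym_off + sym_size, entsize or 24):
        st_name, st_info, _, st_shndx, st_value, _ = struct.unpack_from(SYM, elf, pos)
        if st_info & 0xF == STT_FUNC:                 # low nibble of st_info is the type
            funcs[name_at(st_name)] = (st_shndx != SHN_UNDEF, st_value)
    return funcs


def defined_functions(elf: bytes) -> list:
    """Equivalent of `nm -D --defined-only`: exported functions, imports left out."""
    return sorted(n for n, (defined, _) in dynamic_functions(elf).items() if defined)


def build_sample_so() -> bytes:
    """Constructed sample input: an ELF64/AArch64 shared object reduced to .dynsym,
    .dynstr, .shstrtab and a 4-byte .text, exporting one JNI function and importing
    strcmp. It has no program headers, so it is for parsing only (dlopen would reject it)."""
    dynstr = b"\0Java_com_example_Native_check\0strcmp\0"
    shstr = b"\0.dynsym\0.dynstr\0.shstrtab\0.text\0"
    text = b"\xc0\x03\x5f\xd6"                                   # aarch64 `ret`
    syms = struct.pack(SYM, 0, 0, 0, 0, 0, 0)                     # mandatory null symbol
    syms += struct.pack(SYM, 1, STB_GLOBAL << 4 | STT_FUNC, 0, 4, 0x1234, len(text))  # in .text (#4)
    syms += struct.pack(SYM, dynstr.index(b"strcmp"), STB_GLOBAL << 4 | STT_FUNC, 0, SHN_UNDEF, 0, 0)
    off_sym = 64
    off_str = off_sym + len(syms)
    off_shstr = off_str + len(dynstr)
    off_text = off_shstr + len(shstr)
    shoff = off_text + len(text)

    def shdr(name, typ, flags, off, size, link, info, align, entsize):
        return struct.pack(SEC_HDR, name, typ, flags, 0, off, size, link, info, align, entsize)

    shdrs = (shdr(0, 0, 0, 0, 0, 0, 0, 0, 0)
             + shdr(shstr.index(b".dynsym"), SHT_DYNSYM, 2, off_sym, len(syms), 2, 1, 8, 24)
             + shdr(shstr.index(b".dynstr"), SHT_STRTAB, 2, off_str, len(dynstr), 0, 0, 1, 0)
             + shdr(shstr.index(b".shstrtab"), SHT_STRTAB, 0, off_shstr, len(shstr), 0, 0, 1, 0)
             + shdr(shstr.index(b".text"), SHT_PROGBITS, 6, off_text, len(text), 0, 0, 4, 0))
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9                   # ELF64, little-endian, v1
    header = struct.pack(ELF_HDR, ident, 3, 183, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 5, 3)
    return header + syms + dynstr + shstr + text + shdrs


if __name__ == "__main__":
    for name, (defined, addr) in dynamic_functions(build_sample_so()).items():
        print(f"{addr:016x} {'T' if defined else 'U'} {name}")
```

On a real library, `Java_*` names in the defined list map straight to the JNI methods declared `native` in the app's Java/Kotlin code, which is the usual starting point for native recon.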

SSL Pinning

SSL Pinning with BKS file:

Other Thoughts

It is common practice to recommend SSL pinning for Android apps, but the operational pain comes when the pinned certificate expires. If the pin is on the leaf certificate, renewing it invalidates the pin, and every installed copy of the app stops working until users update, which many are reluctant to do.

Never pin a whole Let's Encrypt certificate: it is rotated every 90 days, and many ACME clients generate a fresh key pair at each renewal. A developer could instead write pinning logic that only requires the certificate to be issued by Let's Encrypt. That is not a bad idea in itself, but remember that anyone who can obtain a Let's Encrypt certificate for your domain (through a domain-validation weakness or a hijacked DNS or HTTP challenge) then passes the pin, so it buys little over the normal CA check. The usual way out is to pin the SubjectPublicKeyInfo (public key hash) of a key pair you control, reuse that key at renewal, and ship a second pin for a backup key kept offline so the key can be rotated without an app update.
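How public-key pinning sidesteps the expiry problem, as an added example (not code from the original page): the pin Android's network_security_config and OkHttp compare is base64(SHA-256(DER SubjectPublicKeyInfo)), so the script below extracts the SPKI from a DER certificate and shows that a renewed certificate with the same key keeps the same pin while a backup key gets a second pin. The certificates are constructed, structurally valid X.509 DER shells with dummy keys and signatures so it runs offline; on real certificates the equivalent shell pipeline is openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64.

```python
"""Compute SPKI pins (the form Android's network_security_config and OkHttp use).

Added example, not code from the original page. The certificates built here are
constructed test data (fake RSA modulus, zero signature); the extraction and pin
functions work unchanged on real DER certificates.
"""
import base64
import hashlib


def der_tlv(tag: int, content: bytes) -> bytes:
    """Minimal DER encoder (definite short and long lengths)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _read_tlv(buf: bytes, pos: int):
    """(tag, content start, content end) of the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: next N bytes hold the length
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, pos, pos + length


def _children(buf: bytes, start: int, end: int) -> list:
    """Top-level TLVs (as byte slices) between start and end."""
    out, pos = [], start
    while pos < end:
        _, _, cend = _read_tlv(buf, pos)
        out.append(buf[pos:cend])
        pos = cend
    return out


def subject_public_key_info(cert_der: bytes) -> bytes:
    """DER SubjectPublicKeyInfo of an X.509 Certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    _, s, e = _read_tlv(cert_der, 0)
    tbs = _children(cert_der, s, e)[0]
    _, s, e = _read_tlv(tbs, 0)
    fields = _children(tbs, s, e)
    if fields[0][0] == 0xA0:   # explicit [0] version tag present (v2/v3 certificates)
        fields = fields[1:]
    return fields[5]           # serial, sigAlg, issuer, validity, subject, SPKI


def spki_pin(cert_der: bytes) -> str:
    """Value for <pin digest="SHA-256"> in network_security_config / OkHttp "sha256/..."."""
    return base64.b64encode(hashlib.sha256(subject_public_key_info(cert_der)).digest()).decode()


# ---- constructed test certificates (fake keys, unsigned) ----------------------------
SIG_ALG = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + der_tlv(0x05, b""))
KEY_A = bytes(range(1, 65))        # stand-in for the live server key's RSA modulus
KEY_B = bytes(range(64, 0, -1))    # stand-in for a backup key kept offline


def _name(cn: bytes) -> bytes:
    return der_tlv(0x30, der_tlv(0x31, der_tlv(0x30, der_tlv(0x06, b"\x55\x04\x03") + der_tlv(0x0c, cn))))


def build_spki(modulus: bytes) -> bytes:
    """RSA SubjectPublicKeyInfo around a dummy modulus (public exponent 65537)."""
    rsa_oid = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d010101")) + der_tlv(0x05, b""))
    rsa_key = der_tlv(0x30, der_tlv(0x02, b"\x00" + modulus) + der_tlv(0x02, b"\x01\x00\x01"))
    return der_tlv(0x30, rsa_oid + der_tlv(0x03, b"\x00" + rsa_key))


def build_cert(cn: bytes, spki: bytes, not_after: bytes, with_version: bool = True) -> bytes:
    """Constructed X.509-shaped DER: real field order, dummy issuer/validity/signature."""
    fields = [der_tlv(0x02, b"\x01"), SIG_ALG, _name(b"Test CA"),
              der_tlv(0x30, der_tlv(0x17, b"240101000000Z") + der_tlv(0x17, not_after)),
              _name(cn), spki]
    if with_version:
        fields.insert(0, der_tlv(0xA0, der_tlv(0x02, b"\x02")))
    tbs = der_tlv(0x30, b"".join(fields))
    return der_tlv(0x30, tbs + SIG_ALG + der_tlv(0x03, b"\x00" * 33))   # dummy signature


def pin_set_for_rotation():
    """(live pin, pin after renewal with the same key, backup-key pin): an app ships the
    first and the third; the second shows that renewal alone does not change the pin."""
    live = build_cert(b"api.example.com", build_spki(KEY_A), b"250101000000Z")
    renewed = build_cert(b"api.example.com", build_spki(KEY_A), b"260101000000Z")
    backup = build_cert(b"api.example.com", build_spki(KEY_B), b"260101000000Z")
    return spki_pin(live), spki_pin(renewed), spki_pin(backup)


if __name__ == "__main__":
    for label, pin in zip(("live", "renewed (same key)", "backup key"), pin_set_for_rotation()):
        print(f"{label:20} {pin}")
```

The backup pin only helps if the backup key is generated before release and stays offline; if the live key is compromised or lost, the server switches to the backup key and the app keeps working while a new backup pin ships in the next release.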