{"id":17362,"date":"2021-10-07T13:13:48","date_gmt":"2021-10-07T07:43:48","guid":{"rendered":"https:\/\/www.varutra.com\/?p=17362"},"modified":"2022-12-02T11:58:20","modified_gmt":"2022-12-02T06:28:20","slug":"static-analysis-of-android-application","status":"publish","type":"post","link":"https:\/\/www.varutra.com\/varutravrt3\/static-analysis-of-android-application\/","title":{"rendered":"STATIC ANALYSIS OF ANDROID APPLICATION"},"content":{"rendered":"
\nAndroid applications are now an integral part of our lives, thanks to the excessive use of mobile phones. However, many users are unaware of their device\u2019s protection. If we do not know the design of our applications and how they are penetration tested, which makes you believe that you are safe and secure. You can try to mitigate this risk by performing an android penetration testing static analysis approach to ensure that mobile applications are checked thoroughly for security flaws.<\/p>\n
Before we get to dive into the main topic, let\u2019s discuss some of the basic concepts.<\/p>\n
\n
Native Applications:<\/strong> They are designed exclusively for mobile devices and can be downloaded and installed directly from the app store. Development tools and languages such as Android Studio and Java are used to create these applications. These apps will make good use of all the device’s features, such as the camera, GPS, contacts, and so on.<\/li>\n
Mobile Web Applications:<\/strong> These apps are non-native, which means we can access them via mobile browsers. Most of them are HTML5, JavaScript, and CSS applications with a web interface that mimics the look and feel of a native application.<\/li>\n
Hybrid Applications:<\/strong> These apps are available in both native and mobile web versions. These are web apps developed into a native mobile platform and have taken advantage of web technologies like HTML5, CSS, and JavaScript’s cross-compatibility. For Example, Facebook can be accessed as a mobile app or opened in a browser like \u201cm.facebook.com\u201d.<\/li>\n
Application SANDBOX Theory:<\/strong> According to the SANDBOX principle, no two programs running on the same computer can access each other’s data without permission. They should not interfere with the functionality of other apps, either. It uses Linux user-based security to separate resources for each application and assign a unique user identifier (UID). It means that each program can run under its user and virtual machine (VM), Dalvik or ART, so that each process can run independently of the others.<\/li>\n<\/ul>\n
<\/strong><\/p>\n
Fig: Sandbox Theory<\/strong><\/p>\n
Now we can get into our main topic.<\/p>\n
Static Analysis of Android Application:<\/strong><\/h3>\n
The static analysis of the android application is the process of source code review of the apk (android application) file. Several reverse engineering tools complete this procedure.<\/p>\n
![](\"https:\/\/varutra-1a3b6.kxcdn.com\/wp-content\/uploads\/2021\/10\/STATIC-ANALYSIS-OF-ANDROID-APPLICATION-1024x535.png\" "\\"STATIC")
![\"Sandbox](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/10\/Sandbox-Theory.png\")
<\/strong><\/p>\n![\"Output](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/10\/Output-of-apktool.png\")
<\/p>\n![\"Output](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/10\/Output-of-apktool-2.png\")
<\/p>\n![\"Android](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/10\/Android-Manifest-File.png\")
<\/p>\n![\"Declaration](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/10\/Declaration-of-activities-in-the-manifest-file.png\")
<\/p>\n![\"Declaration](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/10\/Declaration-of-services-in-the-manifest-file.png\")
<\/p>\n![\"Declaration](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/10\/Declaration-of-broadcast-receivers-in-the-manifest-file.png\")
<\/p>\n![\"exported=true](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/10\/exportedtrue-content-provider.png\")
<\/p>\n![\"exported=true](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/10\/exportedtrue-service.png\")
<\/p>\n![\"exported=true](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/10\/exportedtrue-receiver.png\")
\u00a0<\/strong><\/p>\n![\"Invoke](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/10\/Invoke-the-activity.png\")
<\/p>\n![\"Invoke](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/10\/Invoke-the-activity-2.png\")
<\/p>\n![\"Declaration](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/10\/Declaration-of-Permissions-in-the-manifest-file.png\")
<\/p>\n![\"Potentially](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/10\/Potentially-Dangerous-Permissions-Enabled.png\")
<\/p>\n![\"android](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/10\/android-allowBackup-true.png\")
<\/p>\n![\"android](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/10\/android-debuggable-true.png\")
<\/p>\n![\"Converting](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/10\/Converting-dex-files-to-jar-files-using-dex2jar-tool.png\")
<\/p>\n![\"Classes.dex](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/10\/Classes.dex-file-is-converted-to-classes-dex2jar.png\")
<\/p>\n![\"Output](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/10\/Output-of-JD-GUI.png\")
<\/p>\n![\"User](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/10\/User-Credentials-and-API-Key-in-Source-Code.png\")
<\/p>\n![\"User](\"https:\/\/www.varutra.com\/wp-content\/uploads\/2021\/10\/User-credentials-are-storing-in-the-database.png\")
<\/strong><\/p>\n