Mobile App Reverse Engineering: Get started with discovering, analyzing, and exploring the internals of Android and iOS apps
()
About this ebook
Mobile App Reverse Engineering is a practical guide focused on helping cybersecurity professionals scale up their mobile security skills. With the IT world’s evolution in mobile operating systems, cybercriminals are increasingly focusing their efforts on mobile devices. This book enables you to keep up by discovering security issues through reverse engineering of mobile apps.
This book starts with the basics of reverse engineering and teaches you how to set up an isolated virtual machine environment to perform reverse engineering. You’ll then learn about modern tools such as Ghidra and Radare2 to perform reverse engineering on mobile apps as well as understand how Android and iOS apps are developed. Next, you’ll explore different ways to reverse engineer some sample mobile apps developed for this book. As you advance, you’ll learn how reverse engineering can help in penetration testing of Android and iOS apps with the help of case studies. The concluding chapters will show you how to automate the process of reverse engineering and analyzing binaries to find low-hanging security issues.
By the end of this reverse engineering book, you’ll have developed the skills you need to be able to reverse engineer Android and iOS apps and streamline the reverse engineering process with confidence.
Related to Mobile App Reverse Engineering
Related ebooks
Learning Pentesting for Android Devices Rating: 5 out of 5 stars5/5Clean Android Architecture: Take a layered approach to writing clean, testable, and decoupled Android applications Rating: 0 out of 5 stars0 ratingsMy First Mobile App for Students: A comprehensive guide to Android app development for beginners (English Edition) Rating: 0 out of 5 stars0 ratingsLearning iOS Penetration Testing Rating: 0 out of 5 stars0 ratingsCreating iOS apps with Xcode: Learn how to develop your own app (English Edition) Rating: 0 out of 5 stars0 ratingsBuilding Mobile Apps at Scale: 39 Engineering Challenges Rating: 5 out of 5 stars5/5Defending APIs: Uncover advanced defense techniques to craft secure application programming interfaces Rating: 0 out of 5 stars0 ratingsApp Innovator's Guide: Mobile App Development for Android and iOS: Building Cross-Platform Solutions Rating: 0 out of 5 stars0 ratingsBuilding Micro Frontends with React 18: Develop and deploy scalable applications using micro frontend strategies Rating: 0 out of 5 stars0 ratingsPhoneGap and AngularJS for Cross-platform Development Rating: 0 out of 5 stars0 ratingsFundamentals of Android App Development: Android Development for Beginners to Learn Android Technology, SQLite, Firebase and Unity Rating: 0 out of 5 stars0 ratingsMastering iOS 14 Programming: Build professional-grade iOS 14 applications with Swift 5.3 and Xcode 12.4 Rating: 0 out of 5 stars0 ratingsPractical Android: 14 Complete Projects on Advanced Techniques and Approaches Rating: 0 out of 5 stars0 ratingsSecure Edge Computing for IoT Rating: 0 out of 5 stars0 ratingsMastering Android Development Advanced Techniques and Best Practices: programming, #1 Rating: 0 out of 5 stars0 ratingsLearn iOS Application Development: Take Your Mobile App Development Skills to the Next Level with Swift and Xcode (English Edition) Rating: 0 out of 5 stars0 ratingsUltimate SwiftUI Handbook for iOS Developers: A complete guide to native app development for iOS, macOS, watchOS, tvOS, and visionOS Rating: 0 out of 5 stars0 ratingsMobile App Development for Beginners: A Beginner's Guide to Creating Your First App Rating: 0 out of 5 stars0 ratingsFundamentals of IoT: Get familiar with the building blocks of IoT (English Edition) Rating: 0 out of 5 stars0 ratingsBuilding Modern SaaS Applications with C# and .NET: Build, deploy, and maintain professional SaaS applications Rating: 0 out of 5 stars0 ratingsLearning Ionic, Second Edition: Hybrid mobile apps with HTML5, CSS3, and Angular Rating: 0 out of 5 stars0 ratingsGetting Started with UDOO Rating: 0 out of 5 stars0 ratingsMastering OpenCV Android Application Programming Rating: 0 out of 5 stars0 ratings
Networking For You
Cybersecurity: The Beginner's Guide: A comprehensive guide to getting started in cybersecurity Rating: 5 out of 5 stars5/5Programming Arduino: Getting Started with Sketches Rating: 4 out of 5 stars4/5CCNA Certification Study Guide, Volume 2: Exam 200-301 Rating: 0 out of 5 stars0 ratingsNetworking All-in-One For Dummies Rating: 5 out of 5 stars5/5Linux Bible Rating: 0 out of 5 stars0 ratingsCompTIA Network+ Practice Tests: Exam N10-008 Rating: 0 out of 5 stars0 ratingsHome Networking Do-It-Yourself For Dummies Rating: 4 out of 5 stars4/5The Compete Ccna 200-301 Study Guide: Network Engineering Edition Rating: 5 out of 5 stars5/5AWS Certified Cloud Practitioner Study Guide: CLF-C01 Exam Rating: 5 out of 5 stars5/5Networking For Dummies Rating: 5 out of 5 stars5/5Emergency Preparedness and Off-Grid Communication Rating: 3 out of 5 stars3/5Cisco Packet Tracer for Beginners Rating: 5 out of 5 stars5/5A Beginner's Guide to Ham Radio Rating: 0 out of 5 stars0 ratingsThe Windows Command Line Beginner's Guide: Second Edition Rating: 4 out of 5 stars4/5Concise and Simple Guide to IP Subnets Rating: 5 out of 5 stars5/5Raspberry Pi Electronics Projects for the Evil Genius Rating: 3 out of 5 stars3/5Amazon Web Services (AWS) Interview Questions and Answers Rating: 5 out of 5 stars5/5Unlock Any Roku Device: Watch Shows, TV, & Download Apps Rating: 0 out of 5 stars0 ratingsNmap: Network Exploration and Security Auditing Cookbook - Second Edition Rating: 0 out of 5 stars0 ratingsCisco Networking All-in-One For Dummies Rating: 4 out of 5 stars4/5Telecosm: How Infinite Bandwidth Will Revolutionize Our World Rating: 4 out of 5 stars4/5Build Your Own VPN Server: A Step by Step Guide: Build Your Own VPN Rating: 0 out of 5 stars0 ratingsPractical Ethical Hacking from Scratch Rating: 5 out of 5 stars5/5CompTIA Network+ Certification Guide (Exam N10-008): Unleash your full potential as a Network Administrator (English Edition) Rating: 0 out of 5 stars0 ratingsQuantum Computing For Dummies Rating: 0 out of 5 stars0 ratingsSharePoint For Dummies Rating: 0 out of 5 stars0 ratingsTCP / IP For Dummies Rating: 5 out of 5 stars5/5Group Policy: Fundamentals, Security, and the Managed Desktop Rating: 0 out of 5 stars0 ratings
Reviews for Mobile App Reverse Engineering
0 ratings0 reviews
Book preview
Mobile App Reverse Engineering - Abhinav Mishra
BIRMINGHAM—MUMBAI
Mobile App Reverse Engineering
Copyright © 2022 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Group Product Manager: Vijin Boricha
Associate Publishing Product Manager: Prachi Sawant
Senior Editor: Athikho Sapuni Rishana
Content Development Editor: Sayali Pingale
Technical Editor: Nithik Cheruvakodan
Copy Editor: Safis Editing
Associate Project Manager: Neil Dmello
Proofreader: Safis Editing
Indexer: Pratik Shirodkar
Production Designer: Prashant Ghare
Marketing Co-ordinator: Hemangi Lotlikar
First published: April 2022
Production reference: 1200422
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham
B3 2PB, UK.
978-1-80107-339-4
www.packt.com
Dedicated to the late Rajendra Singh, a passionate teacher, accomplished author, and learner who inspired many, like me, to seek knowledge above everything else. To my wife, Kanika Singh, for being the support I have always needed. And to my mother and father, for being role models to me and for motivating me.
Contributors
About the author
Abhinav Mishra is the founder and director of Enciphers, a cybersecurity consulting and training company. Abhinav has over a decade of extensive experience in finding and fixing security issues in web, mobile, and infrastructure applications. He has performed penetration tests on more than 500 mobile applications and has discovered thousands of critical vulnerabilities.
Abhinav completed his engineering degree in 2011 and since then has been involved in penetration testing and securing applications and infrastructure. Prior to founding Enciphers, Abhinav worked with Fortune 500 and giant tech companies as part of their security teams. In his spare time, he is a traveler, adventure seeker, and drone hobbyist.
I would like to thank Manoj Jain, a skilled Android developer with almost a decade of experience, and Mohammad Haroon, who is a passionate iOS developer with 12+ years of experience in developing Swift/Objective and C/C++/C apps. Both of them assisted in developing the SecureStorage app, used in the book. Their contribution to this book is highly appreciated.
About the reviewer
Anant Shrivastava is the founder of a research firm named Cyfinoid Research. His last job was as a technical director for NotSoSecure Global Services. He has been active in the Android security field since the early days of Android development (2011). He has been a trainer and speaker at various international conferences (Black Hat – USA, Asia, EU, Nullcon, c0c0n, and many more). Anant also leads the open source projects Android Tamer and Code Vigilant. He also maintains the archive portal named Hacking Archives of India. In his spare time, he likes to take part in open communities geared to spreading information security knowledge, including the null community, Garage4hackers, Hasgeek, and OWASP.
I truly believe all of us in the technical world are standing on the shoulders of giants. The giants for me are the open communities, such as null, Garage4hackers, Hasgeek, and OWASP, where access to information is unrestricted and people are interested in helping one another. I am deeply indebted to all the communities and the people running these communities. I am also thankful to my whole family for providing all the support and tolerating my busy schedule and still standing by my side. I would also like to do a special shout-out to my son, Aarush, whose smile gives me a reason to keep going.
Table of Contents
Preface
Section 1: Basics of Mobile App Reverse Engineering, Common Tools and Techniques, and Setting up the Environment
Chapter 1: Basics of Reverse Engineering – Understanding the Structure of Mobile Apps
Technical requirements
Reverse engineering fundamentals
Android application fundamentals
iOS application fundamentals
Summary
Chapter 2: Setting Up a Mobile App Reverse Engineering Environment Using Modern Tools
Technical requirements
Tools for the reverse engineering of mobile applications
apktool
JADX – Dex-to-Java decompiler
smali/baksmali
strings
Ghidra
Radare
Mobexler virtual machine
Summary
Section 2: Mobile Application Reverse Engineering Methodology and Approach
Chapter 3: Reverse Engineering an Android Application
Technical requirements
Android application development
The reverse engineering of Android applications
Extracting the Java source code
Converting DEX files to smali
Reverse engineering and penetration testing
Modifying and recompiling the application
Code obfuscation in Android apps
Summary
Chapter 4: Reverse Engineering an iOS Application
Technical requirements
iOS app development
Understanding the binary format
Reverse engineering an iOS app
Extracting strings from the binary
Disassembling the application binary
Manually reviewing the disassembled binary for security issues
Using Mac-only tools for iOS app reverse engineering
Summary
Chapter 5: Reverse Engineering an iOS Application (Developed Using Swift)
Technical requirements
Understanding the difference between Objective C and Swift applications
The difference between Objective C and Swift from a reverse engineering perspective
Reverse engineering a Swift application
Installing the Radare2 framework
Using the Radare2 framework to reverse engineer a Swift application
Summary
Section 3: Automating Some Parts of the Reverse Engineering Process
Chapter 6: Open Source and Commercial Reverse Engineering Tools
Technical requirements
Tools for mobile application reverse engineering
Open source mobile application reverse engineering tools
Commercial mobile application reverse engineering tools
Case study – reverse engineering during a penetration test
Case study – reverse engineering during malware analysis
Summary
Chapter 7: Automating the Reverse Engineering Process
Technical requirements
Automated static analysis of mobile applications
MobSF
Performing a static scan on SecureStorage
Case study one – automating reverse engineering tasks
Case study two – automating test cases to find security issues
Summary
Chapter 8: Conclusion
Excelling in Android application reverse engineering – the way forward
Excelling in iOS application reverse engineering – the way forward
Utilizing reverse engineering skills
Exposing unreleased features in an application through reverse engineering
Summary
Other Books You May Enjoy
Preface
Mobile application reverse engineering is an important skill for penetration testers, malware analysts, and application security professionals in general. This book talks about how Android and iOS applications are developed, how to reverse engineer them, different case studies of security issues discovered through reverse engineering, and how to automate the reverse engineering and analysis part.
The book helps in understanding the internals of modern Android and iOS apps and how you can reverse engineer application packages (APK and IPA). Here, you can start your journey of creating a reverse engineering mobile application.
Who this book is for
This book is for cybersecurity professionals, security analysts, mobile application security enthusiasts, and penetration testers interested in understanding the internals of iOS and Android apps through reverse engineering. Basic knowledge of reverse engineering as well as an understanding of mobile operating systems such as iOS and Android and how mobile applications work on them are required.
What this book covers
Chapter 1, Basics of Reverse Engineering – Understanding the Structure of Mobile Apps, talks about the reverse engineering fundamentals, common terminologies, and Android and iOS application fundamentals.
Chapter 2, Setting Up a Mobile App Reverse Engineering Environment Using Modern Tools, gets you familiar with the tools used in the reverse engineering of mobile (Android