English

Stowaway - static analysis tool for identifying permission use in Android apps

"Parts of the Android API are protected with permissions. In order to access protected API calls, developers must request the appropriate permissions in their applications' manifests. If a developer asks for more permissions than an application needs, then the application is overprivileged. Preventing overprivilege is important. Extra permissions may (1) unnecessarily deter users from installing applications, (2) unnecessarily accustom users to accepting lots of permissions, and (3) needlessly increase the potential damage of application vulnerabilities. Stowaway -a static analysis tool- detects overprivilege in compiled Android applications. Stowaway determines the set of API calls that an application uses and then maps those API calls to permissions. Automated testing tools were used on the Android API to build the permission map."

The tool itself seems to be not yet publicly available, but the website lets you upload an APK for analysis and review the results.

Androguard - reverse engineering of Android applications

"Androguard is mainly a tool written in python to play with:
  • Dex (Dalvik virtual machine) (.dex), and ODex (disassemble, decompilation)
  • APK (Android application) (.apk)
  • Android's binary xml (.xml)
Androguard is available for Linux/OSX/Windows (python powered)."


Ubuntu CDs are no more, apparently DVD is the way to go

"There is no longer a traditional CD-sized image, DVD or alternate image, but rather a single 800MB Ubuntu image that can be used from USB or DVD. Users who previously installed using LVM or full-disk encryption via the alternate CD will find that these installation targets are supported by the consolidated image in 12.10."

Well, that's almost true. Apart from the small difference that the new universal desktop image is only 790 MB. I don't really see any reason why the image could not fit on a 700 MB CD anymore. For those lousy 90 MB we've to use a DVD now. Did you already burn it? Is it not ridiculous how little of the 4.7 GB the image uses? Is it not a huge waste of space and resources? Ahhh. Sad

How to unpack (decode+disassemble) a number of APK packages

I recently wrote about how to deodex an odex file. Part of the instructions were a series of commands to unpack (decode+disassemble) an APK into some sort of a "source package". I've attached a short shell script (for linux/unix systems) that will use apktool, aapt and baksmali to extract and disassemble the contents of all APKs in the current working directory. It can be useful eg. to disassemble all system apps copied over to your PC from the /system/app directory on your phone. And having the sources you can start looking around and track down bugs, etc. Of course you could just download the original (Java) sources from android.googlesource.com, but that would take quite a long time and several gigabytes on your drive.

Using app encryption in Jelly Bean

Paid apps in Google Play are now encrypted with a device-specific key before they are delivered and stored on the device. This article discusses Android app encryption details, a new feature introduced in Jelly Bean (Android 4.1). The article shows how this encryption works and how you can encrypt and install apps "manually".

How to deodex an odex file

In the latest version (v1.4.0) of baksmali the process has been greatly simplified:
baksmali -a <api_level> -x <odex_file> -d <framework_dir> -o <output_dir>

smali - assembler/disassembler for the dex format used by Dalvik

"smali/baksmali is an assembler/disassembler for the dex format used by dalvik, Android's Java VM implementation. The syntax is loosely based on Jasmin's/dedexer's syntax, and supports the full functionality of the dex format (annotations, debug info, line info, etc.)"

How to get around the dreaded "This app is incompatible with your ..." message in Google Play Store

Let me warn you in advance: this is not going to be easy. If you're afraid you might brick your phone/tablet, don't even start. That said, it's really not too hard either. Smile You just have to be the tinkering type and it doesn't hurt if you already know your way around flashing a custom recovery ROM, using ADB, etc.

How to view the HTML source of a page in Chrome for Android

Save the following JavaScript as a bookmark (ie. bookmarklet):
javascript:window.open('view-source:' + location.href)

To use it, load the website of your choice, then start typing the name of the bookmarklet in the address bar and click it once the full name appears (via autocomplete).

The problem with Android and MTP

It's no news that USB mass storage support got stripped from Android (I'm not quite sure ... either in 3.* or in 4.* versions). This change introduced a number of advantages over the old way, but at the same time a quite serious and longstanding bug surfaced with it: sometimes (or whenever ...) you change something in the filesystem on your phone, the change will not be reflected on your computer when you connect the phone via USB. The problem is obvious, the solution is apparently not. This bug has been annoying users for years and is still not fixed. Since Google focuses on developing the "next big thing" Smile, many serious bugs take a very long time to get fixed. Obviously these bugs affect only a minority of the Android userbase ... but it's usually the more advanced (or geeky) smartphone owners who "pay the price".

Syndicate content