Struktura dhe Analiza e APK-së

Mesatar 15 min Siguria Mobile

Hyrje

An APK is a ZIP archive containing the resources, compiled code and manifest of an Android application.

Teoria

Unzipping an APK reveals several key files. AndroidManifest.xml declares the app's activities, services, content providers, permissions and intent filters. classes.dex contains the compiled Dalvik bytecode; resources.arsc contains resources (strings, layouts, drawables); the lib/ folder holds native libraries for each supported CPU architecture; META-INF/ contains the signing manifest and certificates. Together they describe what the app does, what permissions it requests and how it is packaged. Tools like jadx, apktool and Ghidra can decompile the DEX back to readable Java-like source. A quick first-pass analysis with jadx-gui reveals class names, string literals, API calls and intent handlers. Look at the manifest first — requested permissions and exported components are the attack surface. Look next at the network code (OkHttp, Retrofit, HttpsURLConnection) to see which backend the app talks to and whether certificate pinning is in place. Dynamic analysis complements static with a rooted emulator or device: Frida scripts hook methods at runtime to log calls, bypass checks and intercept traffic. Burp Suite with Frida universal SSL unpinning scripts lets you inspect HTTPS traffic even when the app pins certificates. Together, static and dynamic analysis let you build a complete picture of the app's behavior and security posture in a few hours for most commodity apps.

Mjetet

Mjete:

  • apktool, jadx, ghidra.
  • MobSF — Mobile Security Framework (auto-scan).
  • Frida, objection — dynamic instrumentation.

Praktika

Decompile + static scan:

apktool d app.apk -o out/
jadx-gui app.apk
# ose
mobsf-cli -i app.apk -o report.json

Inspekto AndroidManifest.xml për permissions suspekte:

grep -E 'INTERNET|READ_CONTACTS|ACCESS_FINE_LOCATION|SYSTEM_ALERT_WINDOW' out/AndroidManifest.xml

Ushtrime

  1. Analizo një APK open-source me MobSF dhe krahaso output-in me jadx manual.
  2. Gjej API key të hardkoduar në strings.xml ose kod.

Burime

  • OWASP MAS (Mobile Application Security).
  • Android Security Tips (developer.android.com).

Vlerësimet dhe komentet

Kyçu për të lënë një vlerësim.

Ende pa komente. Bëhu i pari!

Diskutime

Ende pa diskutime. Hap një temë të re