1
00:00:08,100 --> 00:00:14,970
OK, so we saw how to develop an app, if you followed the part on how to develop an app, but whether or not

2
00:00:14,970 --> 00:00:16,370
you followed the previous part,

3
00:00:16,500 --> 00:00:19,400
we're going to start off with the following scenario.

4
00:00:19,650 --> 00:00:24,840
We have a suspicious app installed on our device, which is the one we developed in the previous section.

5
00:00:26,710 --> 00:00:31,900
So you suspect this application is malicious and you want to start reverse engineering it and understand

6
00:00:31,900 --> 00:00:35,650
what it's doing by having a look at the underlying code.

7
00:00:35,650 --> 00:00:43,720
How can we do this? Firstly, we're going to use an important tool that we introduced previously: ADB,

8
00:00:43,930 --> 00:00:54,250
or Android Debug Bridge. So Android Debug Bridge, as it is named, is a bridge between the host machine

9
00:00:54,250 --> 00:01:01,420
we're going to be doing analysis on and the Android device or emulator. ADB is the tool that you will use

10
00:01:01,420 --> 00:01:08,520
to connect your Windows or Linux machine over to the Android device. The location of your SDK folder

11
00:01:08,520 --> 00:01:20,820
is usually your user folder\AppData\Local\Android\SDK on Windows and your home folder

12
00:01:20,940 --> 00:01:28,130
/Android/SDK on Linux. Now, in the SDK directory,

13
00:01:28,160 --> 00:01:34,310
you will find a directory called platform-tools, and within the platform-tools directory is where

14
00:01:34,310 --> 00:01:36,970
you will find your ADB tool.

15
00:01:36,980 --> 00:01:39,540
This is a very important tool.

16
00:01:39,560 --> 00:01:43,150
There are quite a few commands you can run with ADB.

17
00:01:43,700 --> 00:01:46,910
Here we'll just show you some of the main ones.

18
00:01:46,960 --> 00:01:52,360
So for example, one command is adb devices.

19
00:01:52,390 --> 00:02:00,000
In this case you will see one device, and that is the emulator. So at this point in time there's one emulator

20
00:02:00,000 --> 00:02:07,040
that we can connect to. If you had more devices, you would be able to specify which device you want to

21
00:02:07,040 --> 00:02:13,210
work with by using the -s parameter followed by the device name.

22
00:02:13,250 --> 00:02:17,780
Another thing we can do with ADB is pull and push files.

23
00:02:17,780 --> 00:02:18,740
What does this mean?

24
00:02:20,560 --> 00:02:26,680
Push means that we can send a file to the device, and pull means we can retrieve a file from the device.

25
00:02:27,680 --> 00:02:38,700
So in the case of push, try something like this: push <local path> <dest path>. So let's create a local file

26
00:02:38,700 --> 00:02:51,180
here called myfile.txt. Let's push this file to the device by typing adb push, the path to myfile

27
00:02:51,240 --> 00:03:01,640
.txt, and the destination path, say /sdcard/, and that will push the file from your host

28
00:03:01,640 --> 00:03:03,680
machine onto the Android device.

29
00:03:06,240 --> 00:03:12,390
Similarly, if you pull, you can run pull and the path of the file you want to download, and this will pull

30
00:03:12,390 --> 00:03:14,640
the file onto your analysis machine.

31
00:03:15,810 --> 00:03:18,570
We will actually be using this to download the target app.

32
00:03:21,500 --> 00:03:22,030
OK.

33
00:03:22,040 --> 00:03:25,990
Another important command is adb install.

34
00:03:26,030 --> 00:03:32,060
So if you have an APK file on your host machine and you want to push it and install it on your device

35
00:03:32,090 --> 00:03:37,670
or emulator, you can either push it onto the device and then go onto the device and install it,

36
00:03:39,730 --> 00:03:48,010
or you can just run adb install and it will be installed directly onto the Android device. Similarly,

37
00:03:48,010 --> 00:03:55,950
you can do uninstall: by running adb uninstall and the package name, you can easily uninstall the app.

38
00:03:58,180 --> 00:04:03,500
But you might be asking, how do we get the package name of an application?

39
00:04:03,570 --> 00:04:08,690
We will see how we can obtain the package name in the next step. Before we do that,

40
00:04:08,730 --> 00:04:13,880
let's look at a very important command: adb shell.

41
00:04:13,920 --> 00:04:17,920
So this is used to enter the shell of your Android device.

42
00:04:17,940 --> 00:04:24,290
Here you can see the standard Linux environment, where we are in the shell of our Android device.

43
00:04:24,290 --> 00:04:28,670
Now here we can run several commands using system utilities.

44
00:04:28,740 --> 00:04:36,980
So for example, pm list packages, and this will give us the package names of the applications that are

45
00:04:36,980 --> 00:04:45,050
on the device, and so these packages are currently installed. Now, given that we're running in a Linux

46
00:04:45,050 --> 00:04:45,850
environment,

47
00:04:45,950 --> 00:04:53,350
we can even run utilities like grep in order to help us filter through the results. So say we know that

48
00:04:53,350 --> 00:04:55,790
the app has flipcortex in its name.

49
00:04:55,930 --> 00:05:07,060
We can run pm list packages | grep flipcortex, and here we can see the filtered results.

50
00:05:10,370 --> 00:05:17,630
So in the case that we want to remove flipcortex, we would just exit the shell, run adb uninstall and

51
00:05:17,630 --> 00:05:21,740
our package name, press enter, and it will uninstall.

52
00:05:22,460 --> 00:05:24,500
But right now we don't want to do that.

53
00:05:25,700 --> 00:05:33,630
Let's go back to adb shell. So the location of the APK files we would want to look at is in the /data/

54
00:05:33,690 --> 00:05:39,610
app folder, but we don't have permission because the device is not rooted.

55
00:05:39,840 --> 00:05:44,790
Here you will see a few different approaches on how to obtain an APK from the device.

56
00:05:44,790 --> 00:05:51,830
But we're going to opt for the lazy way: we're going to use an app called APK Extractor.

57
00:05:51,860 --> 00:05:53,270
There are different tools.

58
00:05:53,270 --> 00:05:59,150
Just search in the Play Store for the text "APK extractor" and you will see many results.

59
00:05:59,240 --> 00:06:07,100
Find your favorite one and install it. Just search in the Play Store or an online store.

60
00:06:07,100 --> 00:06:17,860
Here we are just googling "APK extractor apk" and it redirects us to APKPure downloads. From

61
00:06:17,860 --> 00:06:24,530
here we just download the file and drag and drop the APK onto our emulator.

62
00:06:24,550 --> 00:06:26,550
This is a quick way of installing it.

63
00:06:28,300 --> 00:06:36,200
This is a tool that just goes through your apps and allows you to extract and save their APK. You can

64
00:06:36,200 --> 00:06:38,450
see it's been installed. Click open,

65
00:06:44,770 --> 00:06:47,310
so you have a list of all your applications.

66
00:06:51,310 --> 00:06:56,350
Let's search for our app.

67
00:06:56,500 --> 00:06:59,230
It will ask you for permission to access the files and media;

68
00:07:03,570 --> 00:07:04,790
grant the permission.

69
00:07:07,650 --> 00:07:11,750
So let's have a look at the shell again using ADB.

70
00:07:11,970 --> 00:07:21,510
We're going to go to the path where the APK was extracted, so /storage/emulated/0/

71
00:07:21,570 --> 00:07:32,130
ExtractedAPKs. List the files: we see that there is HelloWorld_com.flipcortex.helloworld

72
00:07:32,160 --> 00:07:34,890
.apk. OK.

73
00:07:36,790 --> 00:07:43,540
So what we're going to do now is we're going to exit the shell and I'm going to use adb pull. So if we

74
00:07:43,540 --> 00:07:56,860
exit the shell and run adb pull /storage/emulated/0/ExtractedAPKs/HelloWorld

75
00:07:56,980 --> 00:08:03,550
_com.flipcortex.helloworld.apk,

76
00:08:06,720 --> 00:08:13,250
you can see over here one file is pulled and we're given the size of the file. So now we have our APK

77
00:08:13,270 --> 00:08:21,740
in our local directory. So to recap: we have a suspicion that there is a potentially malicious app on

78
00:08:21,740 --> 00:08:30,590
our device; we used ADB together with the help of an APK extractor to obtain the APK file; and in the

79
00:08:30,590 --> 00:08:34,070
next lesson we want to analyze this potentially malicious file.