Mobile Applications¶
Table of Contents¶
Overview¶
Techniques for reverse engineering and analyzing Android applications encountered in CTF challenges.
Topics Covered¶
APK unpacking — Extracting and decompiling Android APK files to recover source code, resources, and configuration.
AAB analysis — Inspecting Android App Bundle (.aab) files, which require conversion before decompilation.
Hardcoded secrets — Locating API keys, credentials, encryption keys, and flags embedded in app resources or source code.
SQLite database analysis — Inspecting local app databases for stored data, credentials, or flags.
Encryption key extraction — Recovering keys from app resources (strings.xml, compiled classes) and using them to decrypt data.
Quick Reference¶
APK Decompilation¶
# Unpack APK resources (AndroidManifest, resources, etc.)
apktool d app.apk -o output/
# Decompile to Java source
jadx -d output/ app.apk
# Or use jadx-gui for interactive browsing
jadx-gui app.apk
AAB to APK Conversion¶
# Use bundletool to generate an APK set
bundletool build-apks --bundle=app.aab --output=app.apks --mode=universal
# Extract the universal APK
unzip app.apks -d apks/
# universal.apk is now in apks/
Finding Secrets¶
# Search strings.xml for keys
grep -i "key\|secret\|password\|token" res/values/strings.xml
# Search decompiled source
grep -r "key\|secret\|AES\|encrypt" src/
# Strings in compiled binary
strings app.apk | grep -i flag
SQLite Database Inspection¶
References¶
Challenges¶
| Source | Name |
|---|---|
| Holiday Hack Challenge 2024, Act II | Mobile Analysis |