1 00:00:08,370 --> 00:00:16,450 OK, so we're now in a situation where we have the suspicious APK available. First, let's rename the file.
2 00:00:18,970 --> 00:00:24,490 Let's call this flipcortex.apk. OK.
3 00:00:24,540 --> 00:00:26,970 Now we just have this file named
4 00:00:26,970 --> 00:00:33,020 flipcortex.apk. Actually, let's also move this file.
5 00:00:33,120 --> 00:00:41,990 Let's go to home and let's create a folder called Flipcortex. Let's move our APK to the newly created
6 00:00:41,990 --> 00:00:42,500 folder.
7 00:00:48,950 --> 00:00:52,880 So all we did so far was just rename files and move them around.
8 00:00:52,940 --> 00:00:55,040 We've not started the analysis yet.
9 00:00:56,840 --> 00:01:00,770 So now we're in a folder called Flipcortex.
10 00:01:00,780 --> 00:01:08,240 Now, if you remember, earlier we installed apktool. Apktool is an extremely popular tool that is
11 00:01:08,240 --> 00:01:14,850 used as a basis for many analysis tools. Let's run the command apktool d
12 00:01:14,950 --> 00:01:19,170 flipcortex.apk.
13 00:01:19,190 --> 00:01:22,130 So basically this just starts decoding our APK,
14 00:01:25,020 --> 00:01:28,590 and you'll see that this creates a new folder called flipcortex.
15 00:01:28,590 --> 00:01:37,110 And so by running apktool d on the APK, apktool creates a folder with the app's Smali code
16 00:01:37,110 --> 00:01:39,020 inside.
17 00:01:39,250 --> 00:01:43,170 Let's go to flipcortex and see what we find.
18 00:01:43,200 --> 00:01:50,170 Here we see the Android manifest, which we had seen when we were developing the basic Android application.
19 00:01:50,250 --> 00:02:01,230 Let's have a look: nano AndroidManifest.xml. We can already see a lot of information about this application.
20 00:02:01,510 --> 00:02:09,790 We know that there's a service in the app with a receiver, a content provider and two activities.
21 00:02:09,800 --> 00:02:16,480 Now remember, in this case we saw the development of the app, but this is not usually the case.
22 00:02:16,550 --> 00:02:21,320 Usually we obtain an APK and we have no idea about the code behind it.
23 00:02:21,890 --> 00:02:24,040 So this is already a lot of information
24 00:02:24,050 --> 00:02:30,520 the normal user would not have knowledge of. So here there's a suspicious APK.
25 00:02:30,590 --> 00:02:36,560 We don't have its source code, but we're able to start obtaining information like the Android manifest
26 00:02:36,560 --> 00:02:43,990 file, which is an extremely useful file to understand what the application is doing. From here we can
27 00:02:43,990 --> 00:02:54,130 also see that the application uses permissions: internet, read contacts and receive SMS. So technically
28 00:02:54,130 --> 00:03:00,980 here we can already start confirming some of our suspicions: this app is a shopping list app, but it seems
29 00:03:00,980 --> 00:03:03,150 to be requesting SMS permission.
30 00:03:03,260 --> 00:03:05,760 That doesn't really add up.
31 00:03:05,800 --> 00:03:07,880 This isn't enough evidence though.
32 00:03:08,230 --> 00:03:13,450 Who knows, maybe the app uses SMS for some sort of two-factor authentication.
33 00:03:13,900 --> 00:03:17,710 So let's put that suspicion on hold for now.
34 00:03:17,800 --> 00:03:24,340 So what else do we have in our decoded folder? If you go to the resources folder over here,
35 00:03:25,330 --> 00:03:34,670 say for example the layouts folder here, you see these layouts. You have the layouts, which are the user interface
36 00:03:34,700 --> 00:03:43,250 of the app. We can see activity_main.xml, which is the main layout associated with the main activity.
37 00:03:45,390 --> 00:03:48,670 You can see the layout information inside.
38 00:03:48,800 --> 00:03:53,620 So again, always keep in mind that this is from an APK, not from the source code.
39 00:03:55,590 --> 00:03:59,850 So the fact that we can just get this from an app installed on your device is quite impressive.
40 00:04:01,140 --> 00:04:09,930 Now let's go back to the manifest, so let's have a look at the default activity here. We see the default
41 00:04:09,930 --> 00:04:18,540 activity here is in the default main activity, which is com.flipcortex.helloworld.MainActivity.
42 00:04:18,540 --> 00:04:26,830 So usually the manifest is a good location to get the starting point of an app.
43 00:04:26,900 --> 00:04:33,480 Now let's go back to the folder and we can go to the smali directory, and from here we follow the path
44 00:04:33,510 --> 00:04:43,570 that we just saw in our manifest: cd com/flipcortex/helloworld.
45 00:04:43,680 --> 00:04:51,040 Here you should find MainActivity.smali, which is the default activity of the suspicious application.
46 00:04:52,680 --> 00:04:53,040 OK.
47 00:04:53,070 --> 00:04:57,030 So here we're going to be presented with the Smali code.
48 00:04:57,030 --> 00:05:03,590 Now, Smali is not Java; Smali is human-readable bytecode.
49 00:05:03,790 --> 00:05:09,010 You don't need to fully understand Smali, but it will help to understand more or less what the app
50 00:05:09,040 --> 00:05:16,700 does. In the following lessons we'll see how you can still understand the code without needing to fully
51 00:05:16,700 --> 00:05:25,490 understand Smali, but again, by using only apktool we already got a lot of information, including
52 00:05:25,490 --> 00:05:28,710 Smali, which would be able to tell us what the app does,
53 00:05:28,730 --> 00:05:32,050 step by step. OK.
54 00:05:32,070 --> 00:05:37,830 So let's work out a small challenge. Say our network security team tells us that they're noticing a lot
55 00:05:37,830 --> 00:05:46,520 of data being sent to this URL: postman-echo.com, and you're tasked with investigating this
56 00:05:46,520 --> 00:05:49,100 app to know if it's the source.
57 00:05:49,100 --> 00:05:55,700 Now, how can we try to determine if there's any code that we can identify related to this
58 00:05:55,760 --> 00:06:03,770 postman-echo.com? So if you are on a Linux machine you can run the grep command.
59 00:06:04,140 --> 00:06:10,870 So, running grep -r postman-echo.
60 00:06:10,920 --> 00:06:11,580 There you go.
61 00:06:12,090 --> 00:06:15,200 So we already found something here.
62 00:06:15,210 --> 00:06:23,010 So for example we can go into this code, search for postman, and here you see that in fact there is a
63 00:06:23,010 --> 00:06:26,800 string with the URL we were warned about.
64 00:06:26,820 --> 00:06:27,770 So there you go.
65 00:06:27,780 --> 00:06:33,510 Here you would be able to almost confirm that yes, this app is responsible for the data being sent to
66 00:06:33,510 --> 00:06:35,850 postman-echo.com.