erev0s edited this page Dec 16, 2023 · 19 revisions

Welcome to the Androguard wiki!

Installation

Androguard is intended to be launched directly from the source tree without any particular installation; you only need the packages it depends on:

git clone https://github.com/androguard/androguard.git
cd androguard
pip install .

You can now directly start to play with some APK!

python3 cli.py apkid download-eded3bc3451011237ec5cfba1f723c41e6d46cfed5124ffd4659c8895b88e62f.apk

2022-07-20 15:51:31.132 | INFO     | androguard.core.axml:__init__:371 - AXMLParser
{
  "download-eded3bc3451011237ec5cfba1f723c41e6d46cfed5124ffd4659c8895b88e62f.apk": [
    "it.toscana.regione.smartsst",
    "36010",
    "3.0.6"
  ]

All events are saved in the file 'androguard.db', which is basically a sqlite db (easily readable with https://sqlitebrowser.org/). There are 3 tables:

  • information (related to all APK/DEX/... analyzed during a session)
  • session (unique key to identify a particular session done)
  • pentest (events saved from frida)

Pypi (TBD)

CLI Commands

cli.py is the main and quickest entry point to play with Androguard. The tool is divided into different components.

python cli.py OPTIONS COMMAND OPTIONS

analyze

The 'analyze' command will directly bring you into the IPython session and provide some analyzed objects.

python cli.py  analyze test.apk

apkid

arsc

axml

decompile

disassemble

strace

The 'strace' command will directly analyze the provided APK, install it on the default connected phone, run it and start tracing all syscalls.

python3 cli.py strace test.apk

trace

The 'trace' command will directly analyze the provided APK, install it on the default connected phone, run it and start tracing all events specified in the modules list.

python3 cli.py trace test.apk -m "androguard/pentest/modules/**"

The list of modules given via the -m option is expanded with the glob module, so you can use any recursive directory pattern. You can also specify multiple locations like:

-m "androguard/pentest/modules/**" -m "MY_DIRECTORY/**" -m "ANOTHER_DIRECTORY/test.js"

Developers

APK

DEX

ODEX

AXML

ARSC

Pentest

This module is able to talk to a frida-server and get packets (JSON) from it:

  • timestamp of the event
  • stacktrace of the event:
  1. function called (the Android API, basically)
  2. callee function (from where the API is called in the APK)
  • payload field, which can hold a variable number of arguments, some of which are used, like:
  1. ret value, if there is something interesting returned from the function

All JS scripts loaded by frida are in the modules directory, but any other could be added easily. To send a packet from Frida -> Androguard, you need to use the function agPacket with a dict as argument (timestamp and stacktrace will be added automatically):

    agPacket({url: url}).send();
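As an added example (not code from the Androguard project), here is a small consumer for packets in the shape described above: it validates each JSON packet, drops malformed ones instead of aborting the session, and summarizes which Android APIs were called from where in the APK and what they returned. The field names "function", "callee" and "ret" and the sample packets are assumptions constructed for the example; the real module may use different keys.

```python
import json
from collections import defaultdict

# Constructed sample packets (not real output): timestamp, stacktrace with the
# called Android API and the callee inside the APK, and a free-form payload.
# Key names are assumptions made for this example.
SAMPLE_PACKETS = [
    '{"timestamp": 1700000000.10, "stacktrace": {"function": "java.net.URL.openConnection", '
    '"callee": "com.example.app.NetUtil.fetch"}, "payload": {"url": "https://example.invalid/api", "ret": "HttpsURLConnection"}}',
    '{"timestamp": 1700000000.25, "stacktrace": {"function": "android.telephony.TelephonyManager.getDeviceId", '
    '"callee": "com.example.app.Tracker.collect"}, "payload": {"ret": "000000000000000"}}',
    '{"timestamp": 1700000000.31, "stacktrace": {"function": "java.net.URL.openConnection", '
    '"callee": "com.example.app.NetUtil.fetch"}, "payload": {"url": "http://example.invalid/cfg"}}',
    '{"timestamp": "bad"}',  # malformed packet: must be rejected, not crash the session
]

def parse_packet(raw):
    """Parse one JSON packet; return a dict, or None if it lacks the required fields."""
    try:
        pkt = json.loads(raw)
    except json.JSONDecodeError:
        return None
    if not isinstance(pkt, dict) or not isinstance(pkt.get("timestamp"), (int, float)):
        return None
    st = pkt.get("stacktrace")
    if not isinstance(st, dict) or "function" not in st or "callee" not in st:
        return None
    pkt.setdefault("payload", {})  # payload is optional and variable
    return pkt

def summarize(raw_packets):
    """Group events by called Android API: call count, APK call sites and return values."""
    summary = defaultdict(lambda: {"count": 0, "callees": set(), "rets": []})
    dropped = 0
    for raw in raw_packets:
        pkt = parse_packet(raw)
        if pkt is None:
            dropped += 1
            continue
        entry = summary[pkt["stacktrace"]["function"]]
        entry["count"] += 1
        entry["callees"].add(pkt["stacktrace"]["callee"])
        if "ret" in pkt["payload"]:
            entry["rets"].append(pkt["payload"]["ret"])
    return dict(summary), dropped

if __name__ == "__main__":
    apis, dropped = summarize(SAMPLE_PACKETS)
    for api, info in sorted(apis.items()):
        print(f"{api}: {info['count']} call(s) from {sorted(info['callees'])}, ret={info['rets']}")
    print(f"dropped malformed packets: {dropped}")
```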
