Android internals and reverse engineering
Published by O'Reilly Media, Inc.
Securing your Android applications
If you’ve ever written an Android app, you may have wondered what happens on your phone when it runs. Have you ever wondered how much of your carefully written code will be visible to anyone who wants to attack it?
Learning how to reverse-engineer code is an invaluable skill for any Android developer. It will help you understand what practices can lead to bloated code. You’ll find out what third-party libraries are doing when you include them in your app. And you’ll get an unnerving look at how much of your code and data can be read by anyone with a phone and a laptop.
Join expert David Griffiths to learn how to recover Java, Kotlin, C, and C++ source code from an installed Android application, using techniques that are readily available to anyone who may be interested in breaking into your app. You’ll follow an app from compilation to execution and discover how to extract the app from a device and convert it back to its source code and resources. After understanding what’s possible, you’ll dive into strategies that will help protect your application’s code and data.
What you’ll learn and how you can apply it
By the end of this live online course, you’ll understand:
- The low-level details of how Android apps are built and deployed
- The Android security model for when apps are run
- Available tools for exploring your Android device
And you’ll be able to:
- Extract a copy of an installed app on your Android device
- Examine the data stored with an app
- Unwrap the application and explore the compiled code and resources
- Use techniques to convert compiled Android code back into source code
- Apply strategies to protect and obfuscate your code
This live event is for you because...
- You’re an Android developer who wants to know how secure your code is.
- You’re an architect who’s designing applications that include an app component.
- You’re interested in how things work on your Android device at a low level.
Prerequisites
- A working knowledge of Android app development with Kotlin or Java
- Familiarity with the command line
- A basic understanding of how operating system processes work
Recommended preparation:
- Download and install the course example app (optional)
Recommended follow-up:
- Read Android Security Internals (book)
- Read The Java Virtual Machine Specification (book)
Schedule
The time frames are only estimates and may vary according to how the class is progressing.
How Android apps are built and deployed (25 minutes)
- Group discussion: Which framework do you use?
- Lecture: From source code to APK file; following an app’s journey as it gets installed
- Hands-on exercise: Complete the buzzword crossword puzzle
- Q&A
How apps are run and captured (25 minutes)
- Lecture: How Android runs apps; copying an Android app from your device
- Group discussion: Why is the launching process called Zygote?
- Hands-on exercise: Install the demo app, then copy it from your device
- Q&A
Break (10 minutes)
How to reverse-engineer your app’s code (25 minutes)
- Group discussion: Which language contains the word “Smali”?
- Lecture: Exploring the APK file; converting APK to Java source with jadx
- Hands-on exercise: Extract code from the demo app and convert it to JAR files
- Q&A
How to reverse-engineer native code (25 minutes)
- Lecture: Understanding the Java Native Interface; using the NSA’s Ghidra tool to retrieve source from native code
- Hands-on exercise
- Q&A
Break (10 minutes)
Extracting data (30 minutes)
- Lecture: How to get data off your device with a backup; unpacking the data backup
- Hands-on exercise: Complete the buzzword crossword puzzle
- Q&A
Defending your app (30 minutes)
- Lecture: How to obfuscate code; other strategies to protect against reverse-engineering; further reading
- Hands-on exercise
- Q&A
Your Instructor
David Griffiths
David Griffiths founded HereScreen Ltd and is the author or coauthor of seven books, including Head First Android Development and The React Cookbook. David has also written for magazines about software development and created online training material.