Live Online training

Android Internals and Reverse Engineering

Securing Your Android Applications

David Griffiths

If you’ve ever written an Android app, have you ever wondered what happens on your phone when it runs? Have you ever wondered how much of your carefully written code will be visible to anyone who wants to attack it?

Learning how to reverse-engineer code is an invaluable skill for any Android developer:

  • It will help you understand what practices can lead to bloated code.
  • You will learn how to discover what third-party libraries are doing when you include them in your app.
  • It will give you an unnerving look at how much of your code and data can be read by anyone with a phone and a laptop.

This course shows you how to recover Java/Kotlin/C/C++ source code from an installed Android application, using techniques that are readily available to anyone who may be interested in breaking into your app. We’ll follow the journey of an app from compilation to execution, and discover how to extract the app from a device and convert it back to its source code and resources. Once we understand what is possible, we will focus on strategies that will help protect your application’s code and data.

What you'll learn, and how you can apply it

By the end of this live, hands-on, online course, you’ll understand:

  • The low-level details of how Android apps are built and deployed
  • The Android security model for when apps are run
  • The tools available for exploring your Android device

And you’ll be able to:

  • Extract a copy of an installed app on your Android device
  • Examine the data stored with an app
  • Unwrap the application and explore the compiled code and resources
  • Use techniques to convert compiled Android code back into source code
  • Apply strategies to protect and obfuscate your code

This training course is for you because...

  • You’re an Android developer who wants to know how secure your code is
  • You’re an architect who is designing applications which include an app component
  • You are simply interested in how things work on your Android device at a low level

Prerequisites

  • You know how to build a simple Android app with Kotlin or Java
  • You are comfortable working on the command line
  • You have a basic understanding of how operating system processes work

About your instructor

  • David Griffiths is a consultant working in the UK and has written five books in the Head First series, including Head First Android Development and Head First Kotlin, and two courses in data modeling in ActiveRecord and Rails. David also developed the animated video course The Agile Sketchpad with his wife, Dawn, as a way of teaching key concepts and techniques in a way that keeps your brain active and engaged.

Schedule

The timeframes are only estimates and may vary according to how the class is progressing.

Hour 1: The natural history of an Android app

How apps are built and deployed (25 mins)

  • Presentation: From source code to APK file
  • Walkthrough: Following an app’s journey as it gets installed
  • Exercise: Buzzword Crossword
  • Q&A

How apps are run and captured (25 mins)

  • Presentation: How Android runs apps
  • Walkthrough: Copying an Android app from your device
  • Exercise: Install the demo app, and then copy it from your device
  • Q&A
  • 10 minute break

Hour 2: How to reverse engineer your app

Reverse engineer the app’s code (25 mins)

  • Walkthrough: Exploring the APK file
  • Walkthrough: Convert APK to Java source with jadx
  • Exercise: Extract code from the demo app and convert it to jar files
  • Q&A

Reverse engineer native code (25 mins)

  • Presentation: Understanding the Java Native Interface
  • Walkthrough: Using the NSA’s Ghidra tool to retrieve source from native code
  • Exercise
  • Q&A
  • 10 minute break

Hour 3: Data and defense

Extracting data (30 mins)

  • Walkthrough: How to get data off your device with a backup
  • Walkthrough: Unpacking the data backup
  • Exercise: Buzzword Crossword
  • Q&A

Defending your app (30 mins)

  • Presentation: How to obfuscate code
  • Walkthrough: Other strategies to protect against reverse engineering
  • Exercise
  • Further reading
  • Q&A