1337skills.com

Appearance

AndroGuard Cheatsheet

Overview

AndroGuard is a Python tool designed for reverse engineering and malware analysis of Android applications. It provides powerful capabilities for analyzing APK files, DEX bytecode, and Android resources.

Installation

Prerequisites

bash
# Install Python 3.6+
sudo apt update
sudo apt install python3 python3-pip

# Install required dependencies
sudo apt install python3-dev libxml2-dev libxslt1-dev zlib1g-dev

Install AndroGuard

bash
# Install from PyPI
pip3 install androguard

# Install with optional dependencies
pip3 install androguard[GUI,magic]

# Install from source
git clone https://github.com/androguard/androguard.git
cd androguard
pip3 install -e .

Basic Usage

Analyze APK Files

bash
# Basic APK analysis
androguard analyze app.apk

# Interactive analysis
androguard shell app.apk

# Generate analysis report
androguard analyze app.apk --output report.txt

Command Line Tools

bash
# APK information
apkinfo app.apk

# DEX analysis
dexdump classes.dex

# Resource analysis
axml AndroidManifest.xml

Python API Usage

Basic Analysis

python
from androguard.misc import AnalyzeAPK

# Analyze APK
a, d, dx = AnalyzeAPK("app.apk")

# Get APK information
print("Package name:", a.get_package())
print("App name:", a.get_app_name())
print("Version:", a.get_androidversion_code())
print("Permissions:", a.get_permissions())

Advanced Analysis

python
from androguard.core.bytecodes import apk, dvm
from androguard.core.analysis import analysis

# Load APK
apk_obj = apk.APK("app.apk")
dex = dvm.DalvikVMFormat(apk_obj.get_dex())
dx = analysis.Analysis(dex)

# Analyze classes and methods
for cls in dx.get_classes():
    print(f"Class: {cls.name}")
    for method in cls.get_methods():
        print(f"  Method: {method.name}")

APK Analysis

Basic Information

python
# APK metadata
print("Package:", a.get_package())
print("App name:", a.get_app_name())
print("Version code:", a.get_androidversion_code())
print("Version name:", a.get_androidversion_name())
print("Min SDK:", a.get_min_sdk_version())
print("Target SDK:", a.get_target_sdk_version())

Permissions Analysis

python
# Get all permissions
permissions = a.get_permissions()
for perm in permissions:
    print(f"Permission: {perm}")

# Check for dangerous permissions
dangerous_perms = [
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.CAMERA"
]

for perm in permissions:
    if perm in dangerous_perms:
        print(f"Dangerous permission found: {perm}")

Certificate Analysis

python
# Get certificate information
certificates = a.get_certificates()
for cert in certificates:
    print(f"Certificate: {cert}")
    print(f"Subject: {cert.subject}")
    print(f"Issuer: {cert.issuer}")
    print(f"Serial: {cert.serial_number}")

Code Analysis

Method Analysis

python
# Find specific methods
for cls in dx.get_classes():
    for method in cls.get_methods():
        if "crypto" in method.name.lower():
            print(f"Crypto method: {cls.name}->{method.name}")

String Analysis

python
# Extract strings
strings = dx.get_strings()
for string in strings:
    if "http" in string.get_value():
        print(f"URL found: {string.get_value()}")

Cross-Reference Analysis

python
# Find method calls
for method in dx.get_methods():
    if method.is_external():
        continue
    
    for ref in method.get_xref_from():
        print(f"{ref.class_name}->{ref.method_name} calls {method.name}")

Security Analysis

Cryptographic Analysis

python
# Find crypto usage
crypto_methods = [
    "javax.crypto.Cipher",
    "java.security.MessageDigest",
    "javax.crypto.spec.SecretKeySpec"
]

for method in dx.get_methods():
    for crypto in crypto_methods:
        if crypto in str(method.get_method()):
            print(f"Crypto usage: {method.name}")

Network Analysis

python
# Find network operations
network_classes = [
    "java.net.URL",
    "java.net.HttpURLConnection",
    "okhttp3.OkHttpClient"
]

for cls in dx.get_classes():
    for net_class in network_classes:
        if net_class in str(cls):
            print(f"Network class: {cls.name}")

Reflection Analysis

python
# Find reflection usage
reflection_methods = [
    "java.lang.Class.forName",
    "java.lang.reflect.Method.invoke"
]

for method in dx.get_methods():
    for ref_method in reflection_methods:
        if ref_method in str(method.get_method()):
            print(f"Reflection usage: {method.name}")

Malware Detection

Suspicious Patterns

python
# Check for suspicious patterns
suspicious_strings = [
    "getDeviceId",
    "getSubscriberId", 
    "sendTextMessage",
    "android.intent.action.BOOT_COMPLETED"
]

strings = dx.get_strings()
for string in strings:
    for suspicious in suspicious_strings:
        if suspicious in string.get_value():
            print(f"Suspicious string: {string.get_value()}")

Dynamic Loading Detection

python
# Find dynamic loading
dynamic_methods = [
    "dalvik.system.DexClassLoader",
    "dalvik.system.PathClassLoader"
]

for method in dx.get_methods():
    for dyn_method in dynamic_methods:
        if dyn_method in str(method.get_method()):
            print(f"Dynamic loading: {method.name}")

Resource Analysis

Manifest Analysis

python
# Parse AndroidManifest.xml
manifest = a.get_android_manifest_xml()
print("Manifest content:")
print(manifest.toprettyxml())

# Get activities
activities = a.get_activities()
for activity in activities:
    print(f"Activity: {activity}")

# Get services
services = a.get_services()
for service in services:
    print(f"Service: {service}")

Resource Extraction

python
# Extract resources
for file_name in a.get_files():
    if file_name.endswith('.xml'):
        content = a.get_file(file_name)
        print(f"XML file: {file_name}")

Advanced Features

Control Flow Analysis

python
# Analyze control flow
for method in dx.get_methods():
    if method.is_external():
        continue
    
    # Get basic blocks
    for bb in method.get_basic_blocks():
        print(f"Basic block: {bb}")

Data Flow Analysis

python
# Trace data flow
for method in dx.get_methods():
    # Get method instructions
    instructions = method.get_instructions()
    for instruction in instructions:
        if instruction.get_name() == "const-string":
            print(f"String constant: {instruction}")

Call Graph Generation

python
# Generate call graph
import networkx as nx

G = nx.DiGraph()
for method in dx.get_methods():
    for ref in method.get_xref_from():
        G.add_edge(f"{ref.class_name}.{ref.method_name}", 
                  f"{method.class_name}.{method.name}")

# Export call graph
nx.write_gml(G, "call_graph.gml")

Automation Scripts

Batch Analysis

python
#!/usr/bin/env python3
import os
import sys
from androguard.misc import AnalyzeAPK

def analyze_apk_batch(directory):
    for filename in os.listdir(directory):
        if filename.endswith('.apk'):
            print(f"Analyzing {filename}")
            try:
                a, d, dx = AnalyzeAPK(os.path.join(directory, filename))
                print(f"Package: {a.get_package()}")
                print(f"Permissions: {len(a.get_permissions())}")
                print("-" * 50)
            except Exception as e:
                print(f"Error analyzing {filename}: {e}")

if __name__ == "__main__":
    analyze_apk_batch(sys.argv[1])

Security Scanner

python
#!/usr/bin/env python3
from androguard.misc import AnalyzeAPK

def security_scan(apk_path):
    a, d, dx = AnalyzeAPK(apk_path)
    
    # Check permissions
    dangerous_perms = [
        "android.permission.READ_SMS",
        "android.permission.SEND_SMS",
        "android.permission.ACCESS_FINE_LOCATION"
    ]
    
    found_perms = []
    for perm in a.get_permissions():
        if perm in dangerous_perms:
            found_perms.append(perm)
    
    # Check for crypto usage
    crypto_usage = False
    for method in dx.get_methods():
        if "crypto" in str(method.get_method()).lower():
            crypto_usage = True
            break
    
    print(f"Dangerous permissions: {found_perms}")
    print(f"Crypto usage detected: {crypto_usage}")

if __name__ == "__main__":
    security_scan("app.apk")

GUI Usage

AndroGuard GUI

bash
# Launch GUI
androguard gui

# Open APK in GUI
androguard gui app.apk

Features

  • Visual code analysis
  • Interactive exploration
  • Graph visualization
  • Export capabilities

Best Practices

Analysis Workflow

bash
1. Basic APK information
2. Permission analysis
3. Code structure review
4. Security pattern detection
5. Malware signature matching
6. Report generation

Performance Tips

python
# Use lazy loading for large APKs
from androguard.core.bytecodes.apk import APK
a = APK("large_app.apk", raw=False)

# Process in chunks for batch analysis
import multiprocessing
pool = multiprocessing.Pool()
results = pool.map(analyze_apk, apk_list)

Resources