Zum Inhalt

AndroGuard Cheatsheet

Überblick

AndroGuard ist ein Python-Tool für Reverse Engineering und Malware-Analyse von Android-Anwendungen. Es bietet leistungsstarke Fähigkeiten zur Analyse von APK-Dateien, DEX Bytecode und Android-Ressourcen.

Installation

Voraussetzungen

```bash

Install Python 3.6+

sudo apt update sudo apt install python3 python3-pip

Install required dependencies

sudo apt install python3-dev libxml2-dev libxslt1-dev zlib1g-dev ```_

Installieren Sie AndroGuard

```bash

Install from PyPI

pip3 install androguard

Install with optional dependencies

pip3 install androguard[GUI,magic]

Install from source

git clone https://github.com/androguard/androguard.git cd androguard pip3 install -e . ```_

Basisnutzung

Analyse APK Dateien

```bash

Basic APK analysis

androguard analyze app.apk

Interactive analysis

androguard shell app.apk

Generate analysis report

androguard analyze app.apk --output report.txt ```_

Kommandozeilentools

```bash

APK information

apkinfo app.apk

DEX analysis

dexdump classes.dex

Resource analysis

axml AndroidManifest.xml ```_

Python API Verwendung

Basisanalyse

```python from androguard.misc import AnalyzeAPK

Analyze APK

a, d, dx = AnalyzeAPK("app.apk")

Get APK information

print("Package name:", a.get_package()) print("App name:", a.get_app_name()) print("Version:", a.get_androidversion_code()) print("Permissions:", a.get_permissions()) ```_

Erweiterte Analyse

```python from androguard.core.bytecodes import apk, dvm from androguard.core.analysis import analysis

Load APK

apk_obj = apk.APK("app.apk") dex = dvm.DalvikVMFormat(apk_obj.get_dex()) dx = analysis.Analysis(dex)

Analyze classes and methods

for cls in dx.get_classes(): print(f"Class: \\{cls.name\\}") for method in cls.get_methods(): print(f" Method: \\{method.name\\}") ```_

APK-Analyse

Grundlegende Informationen

```python

APK metadata

print("Package:", a.get_package()) print("App name:", a.get_app_name()) print("Version code:", a.get_androidversion_code()) print("Version name:", a.get_androidversion_name()) print("Min SDK:", a.get_min_sdk_version()) print("Target SDK:", a.get_target_sdk_version()) ```_

Zulassungsanalyse

```python

Get all permissions

permissions = a.get_permissions() for perm in permissions: print(f"Permission: \\{perm\\}")

Check for dangerous permissions

dangerous_perms = [ "android.permission.READ_SMS", "android.permission.SEND_SMS", "android.permission.ACCESS_FINE_LOCATION", "android.permission.CAMERA" ]

for perm in permissions: if perm in dangerous_perms: print(f"Dangerous permission found: \\{perm\\}") ```_

Analyse der Zertifikate

```python

Get certificate information

certificates = a.get_certificates() for cert in certificates: print(f"Certificate: \\{cert\\}") print(f"Subject: \\{cert.subject\\}") print(f"Issuer: \\{cert.issuer\\}") print(f"Serial: \\{cert.serial_number\\}") ```_

Code-Analyse

Methodenanalyse

```python

Find specific methods

for cls in dx.get_classes(): for method in cls.get_methods(): if "crypto" in method.name.lower(): print(f"Crypto method: \\{cls.name\\}->\\{method.name\\}") ```_

String-Analyse

```python

Extract strings

strings = dx.get_strings() for string in strings: if "http" in string.get_value(): print(f"URL found: \\{string.get_value()\\}") ```_

Kreuzreferenzanalyse

```python

Find method calls

for method in dx.get_methods(): if method.is_external(): continue

for ref in method.get_xref_from():
    print(f"\\\\{ref.class_name\\\\}->\\\\{ref.method_name\\\\} calls \\\\{method.name\\\\}")

```_

Sicherheitsanalyse

Kryptographische Analyse

```python

Find crypto usage

crypto_methods = [ "javax.crypto.Cipher", "java.security.MessageDigest", "javax.crypto.spec.SecretKeySpec" ]

for method in dx.get_methods(): for crypto in crypto_methods: if crypto in str(method.get_method()): print(f"Crypto usage: \\{method.name\\}") ```_

Netzwerkanalyse

```python

Find network operations

network_classes = [ "java.net.URL", "java.net.HttpURLConnection", "okhttp3.OkHttpClient" ]

for cls in dx.get_classes(): for net_class in network_classes: if net_class in str(cls): print(f"Network class: \\{cls.name\\}") ```_

Reflexionsanalyse

```python

Find reflection usage

reflection_methods = [ "java.lang.Class.forName", "java.lang.reflect.Method.invoke" ]

for method in dx.get_methods(): for ref_method in reflection_methods: if ref_method in str(method.get_method()): print(f"Reflection usage: \\{method.name\\}") ```_

Malware-Detektion

Verdächtige Muster

```python

Check for suspicious patterns

suspicious_strings = [ "getDeviceId", "getSubscriberId", "sendTextMessage", "android.intent.action.BOOT_COMPLETED" ]

strings = dx.get_strings() for string in strings: for suspicious in suspicious_strings: if suspicious in string.get_value(): print(f"Suspicious string: \\{string.get_value()\\}") ```_

Dynamische Belastungserkennung

```python

Find dynamic loading

dynamic_methods = [ "dalvik.system.DexClassLoader", "dalvik.system.PathClassLoader" ]

for method in dx.get_methods(): for dyn_method in dynamic_methods: if dyn_method in str(method.get_method()): print(f"Dynamic loading: \\{method.name\\}") ```_

Ressourcenanalyse

Analyse der Ereignisse

```python

Parse AndroidManifest.xml

manifest = a.get_android_manifest_xml() print("Manifest content:") print(manifest.toprettyxml())

Get activities

activities = a.get_activities() for activity in activities: print(f"Activity: \\{activity\\}")

Get services

services = a.get_services() for service in services: print(f"Service: \\{service\\}") ```_

Ressourcenextraktion

```python

Extract resources

for file_name in a.get_files(): if file_name.endswith('.xml'): content = a.get_file(file_name) print(f"XML file: \\{file_name\\}") ```_

Erweiterte Funktionen

Steuerungsflussanalyse

```python

Analyze control flow

for method in dx.get_methods(): if method.is_external(): continue

# Get basic blocks
for bb in method.get_basic_blocks():
    print(f"Basic block: \\\\{bb\\\\}")

```_

Datenflussanalyse

```python

Trace data flow

for method in dx.get_methods(): # Get method instructions instructions = method.get_instructions() for instruction in instructions: if instruction.get_name() == "const-string": print(f"String constant: \\{instruction\\}") ```_

Rufen Sie Graph Generation

```python

Generate call graph

import networkx as nx

G = nx.DiGraph() for method in dx.get_methods(): for ref in method.get_xref_from(): G.add_edge(f"\\{ref.class_name\\}.\\{ref.method_name\\}", f"\\{method.class_name\\}.\\{method.name\\}")

Export call graph

nx.write_gml(G, "call_graph.gml") ```_

Automatisierungsskripte

Batch Analyse

```python

!/usr/bin/env python3

import os import sys from androguard.misc import AnalyzeAPK

def analyze_apk_batch(directory): for filename in os.listdir(directory): if filename.endswith('.apk'): print(f"Analyzing \\{filename\\}") try: a, d, dx = AnalyzeAPK(os.path.join(directory, filename)) print(f"Package: \\{a.get_package()\\}") print(f"Permissions: \\{len(a.get_permissions())\\}") print("-" * 50) except Exception as e: print(f"Error analyzing \\{filename\\}: \\{e\\}")

if name == "main": analyze_apk_batch(sys.argv[1]) ```_

Sicherheitsscanner

```python

!/usr/bin/env python3

from androguard.misc import AnalyzeAPK

def security_scan(apk_path): a, d, dx = AnalyzeAPK(apk_path)

# Check permissions
dangerous_perms = [
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.ACCESS_FINE_LOCATION"
]

found_perms = []
for perm in a.get_permissions():
    if perm in dangerous_perms:
        found_perms.append(perm)

# Check for crypto usage
crypto_usage = False
for method in dx.get_methods():
    if "crypto" in str(method.get_method()).lower():
        crypto_usage = True
        break

print(f"Dangerous permissions: \\\\{found_perms\\\\}")
print(f"Crypto usage detected: \\\\{crypto_usage\\\\}")

if name == "main": security_scan("app.apk") ```_

GUI Verwendung

AndroGuard GUI

```bash

Launch GUI

androguard gui

Open APK in GUI

androguard gui app.apk ```_

Eigenschaften

  • Visuelle Codeanalyse
  • Interaktive Exploration
  • Graphische Visualisierung
  • Exportfähigkeiten

Best Practices

Analyse-Workflow

bash 1. Basic APK information 2. Permission analysis 3. Code structure review 4. Security pattern detection 5. Malware signature matching 6. Report generation_

Leistungsspitzen

```python

Use lazy loading for large APKs

from androguard.core.bytecodes.apk import APK a = APK("large_app.apk", raw=False)

Process in chunks for batch analysis

import multiprocessing pool = multiprocessing.Pool() results = pool.map(analyze_apk, apk_list) ```_

Ressourcen

  • *offizielle Dokumentation: (AndroGuard GitHub) (LINK_3)
  • API Referenz: AndroGuard Dokumentation
  • Android Security: [OWASP Mobile Security](_LINK_3__