AndroGuard Cheatsheet
Overview
AndroGuard is a Python tool designed for reverse engineering and malware analysis of Android applications. It provides powerful capabilities for analyzing APK files, DEX bytecode, and Android resources.
Installation
Prerequisites
# Install Python 3.6+
sudo apt update
sudo apt install python3 python3-pip
# Install required dependencies
sudo apt install python3-dev libxml2-dev libxslt1-dev zlib1g-dev
Install AndroGuard
# Install from PyPI
pip3 install androguard
# Install with optional dependencies
pip3 install androguard[GUI,magic]
# Install from source
git clone https://github.com/androguard/androguard.git
cd androguard
pip3 install -e .
Basic Usage
Analyze APK Files
# Basic APK analysis
androguard analyze app.apk
# Interactive analysis
androguard shell app.apk
# Generate analysis report
androguard analyze app.apk --output report.txt
Command Line Tools
# APK information
apkinfo app.apk
# DEX analysis
dexdump classes.dex
# Resource analysis
axml AndroidManifest.xml
Python API Usage
Basic Analysis
from androguard.misc import AnalyzeAPK
# Analyze APK
a, d, dx = AnalyzeAPK("app.apk")
# Get APK information
print("Package name:", a.get_package())
print("App name:", a.get_app_name())
print("Version:", a.get_androidversion_code())
print("Permissions:", a.get_permissions())
Advanced Analysis
from androguard.core.bytecodes import apk, dvm
from androguard.core.analysis import analysis
# Load APK
apk_obj = apk.APK("app.apk")
dex = dvm.DalvikVMFormat(apk_obj.get_dex())
dx = analysis.Analysis(dex)
# Analyze classes and methods
for cls in dx.get_classes():
print(f"Class: \\\\{cls.name\\\\}")
for method in cls.get_methods():
print(f" Method: \\\\{method.name\\\\}")
APK Analysis
Basic Information
# APK metadata
print("Package:", a.get_package())
print("App name:", a.get_app_name())
print("Version code:", a.get_androidversion_code())
print("Version name:", a.get_androidversion_name())
print("Min SDK:", a.get_min_sdk_version())
print("Target SDK:", a.get_target_sdk_version())
Permissions Analysis
# Get all permissions
permissions = a.get_permissions()
for perm in permissions:
print(f"Permission: \\\\{perm\\\\}")
# Check for dangerous permissions
dangerous_perms = [
"android.permission.READ_SMS",
"android.permission.SEND_SMS",
"android.permission.ACCESS_FINE_LOCATION",
"android.permission.CAMERA"
]
for perm in permissions:
if perm in dangerous_perms:
print(f"Dangerous permission found: \\\\{perm\\\\}")
Certificate Analysis
# Get certificate information
certificates = a.get_certificates()
for cert in certificates:
print(f"Certificate: \\\\{cert\\\\}")
print(f"Subject: \\\\{cert.subject\\\\}")
print(f"Issuer: \\\\{cert.issuer\\\\}")
print(f"Serial: \\\\{cert.serial_number\\\\}")
Code Analysis
Method Analysis
# Find specific methods
for cls in dx.get_classes():
for method in cls.get_methods():
if "crypto" in method.name.lower():
print(f"Crypto method: \\\\{cls.name\\\\}->\\\\{method.name\\\\}")
String Analysis
# Extract strings
strings = dx.get_strings()
for string in strings:
if "http" in string.get_value():
print(f"URL found: \\\\{string.get_value()\\\\}")
Cross-Reference Analysis
# Find method calls
for method in dx.get_methods():
if method.is_external():
continue
for ref in method.get_xref_from():
print(f"\\\\{ref.class_name\\\\}->\\\\{ref.method_name\\\\} calls \\\\{method.name\\\\}")
Security Analysis
Cryptographic Analysis
# Find crypto usage
crypto_methods = [
"javax.crypto.Cipher",
"java.security.MessageDigest",
"javax.crypto.spec.SecretKeySpec"
]
for method in dx.get_methods():
for crypto in crypto_methods:
if crypto in str(method.get_method()):
print(f"Crypto usage: \\\\{method.name\\\\}")
Network Analysis
# Find network operations
network_classes = [
"java.net.URL",
"java.net.HttpURLConnection",
"okhttp3.OkHttpClient"
]
for cls in dx.get_classes():
for net_class in network_classes:
if net_class in str(cls):
print(f"Network class: \\\\{cls.name\\\\}")
Reflection Analysis
# Find reflection usage
reflection_methods = [
"java.lang.Class.forName",
"java.lang.reflect.Method.invoke"
]
for method in dx.get_methods():
for ref_method in reflection_methods:
if ref_method in str(method.get_method()):
print(f"Reflection usage: \\\\{method.name\\\\}")
Malware Detection
Suspicious Patterns
# Check for suspicious patterns
suspicious_strings = [
"getDeviceId",
"getSubscriberId",
"sendTextMessage",
"android.intent.action.BOOT_COMPLETED"
]
strings = dx.get_strings()
for string in strings:
for suspicious in suspicious_strings:
if suspicious in string.get_value():
print(f"Suspicious string: \\\\{string.get_value()\\\\}")
Dynamic Loading Detection
# Find dynamic loading
dynamic_methods = [
"dalvik.system.DexClassLoader",
"dalvik.system.PathClassLoader"
]
for method in dx.get_methods():
for dyn_method in dynamic_methods:
if dyn_method in str(method.get_method()):
print(f"Dynamic loading: \\\\{method.name\\\\}")
Resource Analysis
Manifest Analysis
# Parse AndroidManifest.xml
manifest = a.get_android_manifest_xml()
print("Manifest content:")
print(manifest.toprettyxml())
# Get activities
activities = a.get_activities()
for activity in activities:
print(f"Activity: \\\\{activity\\\\}")
# Get services
services = a.get_services()
for service in services:
print(f"Service: \\\\{service\\\\}")
Resource Extraction
# Extract resources
for file_name in a.get_files():
if file_name.endswith('.xml'):
content = a.get_file(file_name)
print(f"XML file: \\\\{file_name\\\\}")
Advanced Features
Control Flow Analysis
# Analyze control flow
for method in dx.get_methods():
if method.is_external():
continue
# Get basic blocks
for bb in method.get_basic_blocks():
print(f"Basic block: \\\\{bb\\\\}")
Data Flow Analysis
# Trace data flow
for method in dx.get_methods():
# Get method instructions
instructions = method.get_instructions()
for instruction in instructions:
if instruction.get_name() == "const-string":
print(f"String constant: \\\\{instruction\\\\}")
Call Graph Generation
# Generate call graph
import networkx as nx
G = nx.DiGraph()
for method in dx.get_methods():
for ref in method.get_xref_from():
G.add_edge(f"\\\\{ref.class_name\\\\}.\\\\{ref.method_name\\\\}",
f"\\\\{method.class_name\\\\}.\\\\{method.name\\\\}")
# Export call graph
nx.write_gml(G, "call_graph.gml")
Automation Scripts
Batch Analysis
#!/usr/bin/env python3
import os
import sys
from androguard.misc import AnalyzeAPK
def analyze_apk_batch(directory):
for filename in os.listdir(directory):
if filename.endswith('.apk'):
print(f"Analyzing \\\\{filename\\\\}")
try:
a, d, dx = AnalyzeAPK(os.path.join(directory, filename))
print(f"Package: \\\\{a.get_package()\\\\}")
print(f"Permissions: \\\\{len(a.get_permissions())\\\\}")
print("-" * 50)
except Exception as e:
print(f"Error analyzing \\\\{filename\\\\}: \\\\{e\\\\}")
if __name__ == "__main__":
analyze_apk_batch(sys.argv[1])
Security Scanner
#!/usr/bin/env python3
from androguard.misc import AnalyzeAPK
def security_scan(apk_path):
a, d, dx = AnalyzeAPK(apk_path)
# Check permissions
dangerous_perms = [
"android.permission.READ_SMS",
"android.permission.SEND_SMS",
"android.permission.ACCESS_FINE_LOCATION"
]
found_perms = []
for perm in a.get_permissions():
if perm in dangerous_perms:
found_perms.append(perm)
# Check for crypto usage
crypto_usage = False
for method in dx.get_methods():
if "crypto" in str(method.get_method()).lower():
crypto_usage = True
break
print(f"Dangerous permissions: \\\\{found_perms\\\\}")
print(f"Crypto usage detected: \\\\{crypto_usage\\\\}")
if __name__ == "__main__":
security_scan("app.apk")
GUI Usage
AndroGuard GUI
# Launch GUI
androguard gui
# Open APK in GUI
androguard gui app.apk
Features
- Visual code analysis
- Interactive exploration
- Graph visualization
- Export capabilities
Best Practices
Analysis Workflow
1. Basic APK information
2. Permission analysis
3. Code structure review
4. Security pattern detection
5. Malware signature matching
6. Report generation
Performance Tips
# Use lazy loading for large APKs
from androguard.core.bytecodes.apk import APK
a = APK("large_app.apk", raw=False)
# Process in chunks for batch analysis
import multiprocessing
pool = multiprocessing.Pool()
results = pool.map(analyze_apk, apk_list)
Resources
- Official Documentation: AndroGuard GitHub
- API Reference: AndroGuard Documentation
- Android Security: OWASP Mobile Security