APK Structure & Components

An APK must be understood both structurally and practically. This chapter provides hands-on procedures, commands, file extraction, analysis workflows, and real pentesting tasks for every component inside the APK.

Extracting and Inspecting an APK

An APK is a ZIP archive. Start by unpacking it.

Extract using unzip:

unzip app.apk -d apk_out

Extract using apktool:

apktool d app.apk -o decoded_app

Extract classes.dex for analysis:

unzip app.apk classes.dex

Listing contents:

zipinfo app.apk

This establishes the base structure for analysis.


AndroidManifest.xml (Practical Analysis)

Decode the manifest:

apktool d app.apk -o decoded_app
cat decoded_app/AndroidManifest.xml

Items to inspect:

  • Look for exported components

  • Check for android:debuggable="true"

  • Check for android:allowBackup="true"

  • Identify all permissions

  • Identify custom permissions

  • Identify intent filters

  • Identify deep links

  • Check network security configuration

Find exported components (activities, services, receivers and providers). Note that when the app targets an SDK older than 31, a component with an intent filter is exported by default even without the attribute:

grep -R "exported=\"true\"" -n decoded_app/AndroidManifest.xml

Find components without permission protection by listing every permission attribute and comparing it against the exported components found above:

grep -R "permission" -n decoded_app/AndroidManifest.xml

An exported component with no android:permission attribute is a potential attack entry point.
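The manifest checks above, as an added example that is not part of the original chapter: a small shell script that flattens a decoded AndroidManifest.xml, lists exported components lacking android:permission, and reports the debuggable/allowBackup flags. The manifest it parses is constructed for the demo; on a real target point the functions at decoded_app/AndroidManifest.xml.

```shell
# Added example, not from the original chapter: list exported components that
# carry no android:permission attribute and report insecure application flags.
# The manifest below is constructed for the demo.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
MANIFEST="$WORK/AndroidManifest.xml"
cat > "$MANIFEST" <<'EOF'
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
    <application android:debuggable="true" android:allowBackup="true">
        <activity android:name=".MainActivity" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
            </intent-filter>
        </activity>
        <activity android:name=".AdminActivity"
            android:exported="true"
            android:permission="com.example.demo.ADMIN"/>
        <service android:name=".SyncService" android:exported="true"/>
        <receiver android:name=".BootReceiver" android:exported="false"/>
    </application>
</manifest>
EOF

# One component tag per line; apktool wraps tags over several lines, so flatten first.
component_tags() {
    tr '\n' ' ' < "$1" | grep -oE '<(activity|service|receiver|provider)[^>]*>'
}

# Exported components with no android:permission attribute: reachable by any app.
unprotected_exported() {
    component_tags "$1" \
        | grep 'android:exported="true"' \
        | grep -v 'android:permission=' \
        | sed -E 's/.*android:name="([^"]*)".*/\1/'
    return 0
}

# Application-level flags that must be absent or false in a release build.
insecure_flags() {
    tr '\n' ' ' < "$1" | grep -oE '<application[^>]*>' \
        | grep -oE 'android:(debuggable|allowBackup)="true"'
    return 0
}

echo "[+] Exported components without permission protection:"
unprotected_exported "$MANIFEST"
echo "[+] Insecure application flags:"
insecure_flags "$MANIFEST"
```

The sample reports .MainActivity and .SyncService but not .AdminActivity (protected by a custom permission) or .BootReceiver (not exported).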


classes.dex (Practical Analysis)

Decompile dex into readable code:

jadx-gui app.apk

Convert dex to jar for optional deeper inspection (the dex2jar project ships the converter as d2j-dex2jar.sh; it writes classes-dex2jar.jar):

d2j-dex2jar.sh classes.dex
jd-gui classes-dex2jar.jar

Search for API endpoints (run these greps from inside the decompiled source directory):

grep -R "http" -n .

Search for hardcoded secrets:

grep -R "key" -n .
grep -R "token" -n .
grep -R "secret" -n .

Search for SSL pinning logic:

grep -R "pin" -n .

Search for root detection logic (-w keeps "su" from matching every word that contains it):

grep -Rw "su" -n .
grep -R "isRoot" -n .

These searches reveal authentication flows, backend URLs, keys, and bypassable logic.
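The searches above, tightened into an added example that is not part of the original chapter: labelled extended regexes for URLs, hardcoded secrets, certificate pins and root-detection paths, run over a jadx output tree. The Java source it scans is constructed for the demo; on a real target point triage at jadx's sources/ directory.

```shell
# Added example, not from the original chapter: tighter searches over a jadx
# output tree than bare "grep key/token/su", so hits are reviewable instead of
# thousands of false positives. The Java file below is constructed for the demo.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SRC="$WORK/sources"
mkdir -p "$SRC/com/example/demo"
cat > "$SRC/com/example/demo/NetClient.java" <<'EOF'
package com.example.demo;

public class NetClient {
    static final String BASE = "https://api.example-demo.internal/v2/";
    static final String API_KEY = "AKIA-demo-not-a-real-key";
    static final String[] PINS = { "sha256/0123456789012345678901234567890123456789012=" };

    public static boolean isRooted() {
        String[] paths = { "/system/bin/su", "/system/xbin/su" };
        for (String p : paths) if (new java.io.File(p).exists()) return true;
        return false;
    }
    public int summary() { return 0; }   // "su" inside "summary" must not match
}
EOF

# Each check is a labelled extended regex; anchors and character classes keep
# "su" from matching "summary" and "key" from matching "keyboard".
triage() {
    dir="$1"
    grep -rnoE 'https?://[A-Za-z0-9._~:/?#@!$&()*+,;=%-]+' "$dir" | sed 's/^/[url]    /'
    grep -rnoE '(API_KEY|SECRET|TOKEN|PASSWORD)[A-Z_]*[[:space:]]*=[[:space:]]*"[^"]+"' "$dir" | sed 's/^/[secret] /'
    grep -rnoE 'sha256/[A-Za-z0-9+/]{43}=' "$dir" | sed 's/^/[pin]    /'
    grep -rnoE '"(/system|/sbin|/su|/data)[^"]*/su"|isRoot[A-Za-z]*\(' "$dir" | sed 's/^/[root]   /'
    return 0
}

# Number of hits for one category, e.g. count_hits "$SRC" root
count_hits() {
    triage "$1" | grep -c "^\[$2\]"
    return 0
}

triage "$SRC"
```

On the sample the root category yields three hits (two su paths and the isRooted method) while the summary() method produces none.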


resources.arsc (Practical Analysis)

Decode compiled resources:

apktool d app.apk -o decoded_app

Inspect strings:

cat decoded_app/res/values/strings.xml

Find hidden or unused features by looking for strings referencing:

  • Debug panels

  • Admin modes

  • Hidden screens

  • Feature flags

Search for them:

grep -R "debug" -n decoded_app/res
grep -R "admin" -n decoded_app/res

resources.arsc often hides clues developers forgot to remove.


res Directory (Practical Analysis)

Inspect layout files:

ls decoded_app/res/layout/

View a layout:

cat decoded_app/res/layout/activity_main.xml

Look for:

  • Hidden buttons

  • Disabled login methods

  • Deactivated features

  • Test UI screens

  • Fragments not visible in main code

Search for sensitive keywords:

grep -R "password" -n decoded_app/res/layout/
grep -R "api" -n decoded_app/res/layout/

Layouts help map app functionality before dynamic analysis.


assets Directory (Practical Use)

Inspect assets:

ls decoded_app/assets/

Common files found:

  • JSON configs

  • SQL databases

  • Encrypted blobs

  • Web files

  • ML models

  • Internal flags

Open assets:

cat decoded_app/assets/config.json
sqlite3 decoded_app/assets/data.db

Look for:

  • API keys

  • Hostnames

  • URLs

  • Debug configurations

  • Feature toggles

Assets frequently expose critical information.


lib Directory (Native Libraries Analysis)

List architectures:

ls decoded_app/lib/

Extract and inspect a library:

file decoded_app/lib/arm64-v8a/*.so

Load into Ghidra or IDA.

Search for native method declarations and library loads in the decompiled code; these mark where execution crosses into the .so files:

grep -RE "native |System\.loadLibrary" -n .

Common pentesting tasks:

  • Identify custom crypto

  • Examine native input validation

  • Look for buffer overflow patterns

  • Extract hardcoded encryption keys

  • Analyze obsolete SSL libraries

Native libraries often hide sensitive logic.


META-INF Directory (Signature Practical Analysis)

List signature files:

ls apk_out/META-INF/

Contents typically include (the CERT.* file names vary with the signing key type):

  • CERT.RSA

  • CERT.SF

  • MANIFEST.MF

Check the certificate:

keytool -printcert -file apk_out/META-INF/CERT.RSA

If the signature is weak or reused across apps, tampering and repackaging become easier.

To check whether the APK has been tampered with, and to print the signer certificates and signature scheme versions:

apksigner verify --verbose --print-certs app.apk


Practical Workflow to Fully Analyze an APK

  1. Extract APK

  2. Decode manifest

  3. Enumerate exposed components

  4. Decompile classes.dex

  5. Extract API URLs, keys, and flows

  6. Inspect resources and assets

  7. Analyze native libraries for unsafe code

  8. Validate signing configuration

  9. Map logic to dynamic testing

  10. Inject Frida hooks based on findings


Pentesting Tasks Associated With Every Component

Manifest:

  • Identify exported components

  • Enumerate permissions

  • Detect insecure backup and debuggable flags

classes.dex:

  • Reverse engineer login logic

  • Locate bypass opportunities

  • Identify cryptographic flaws

res:

  • Find hidden features

  • Map UI flows

assets:

  • Extract config files

  • Inspect stored secrets

  • Identify weak storage practices

lib:

  • Analyze native logic

  • Search for memory corruption issues

  • Extract hardcoded values

META-INF:

  • Validate integrity

  • Assess repackaging weaknesses


Intel Dump

  • Extract APK with unzip or apktool

  • Analyze manifest for exported components and insecure flags

  • Reverse engineer classes.dex to map logic and secrets

  • Examine resources and layouts for hidden UI flows

  • Inspect assets for config files and embedded sensitive data

  • Analyze native libraries for unsafe code and secrets

  • Validate APK signature and detect tampering potential
