Android Security: ApkTool

Source: Internet · Editor: 程序博客网 · Time: 2024/06/05 23:50
I. What ApkTool does
1. Cross-platform: it is a Java tool, so it runs unchanged on Windows and on Ubuntu (the two platforms used here);
2. Decodes an APK, producing the disassembled code in smali format;
3. Reading the smali lets you understand how the program runs and find the point where to modify it;
4. Rebuilds the modified tree into an APK with ApkTool, signs it, and runs it to test whether the patched program works;
II. Installing ApkTool (demonstrated on Ubuntu)
1. Download the Linux wrapper script `apktool` (https://raw.githubusercontent.com/iBotPeaches/Apktool/master/scripts/linux/apktool); the author saved it as apktool.sql and renames it in step 5;
2. Download the latest jar from the official site (https://bitbucket.org/iBotPeaches/apktool/downloads), here apktool_2.1.1.jar;
3. On 64-bit Ubuntu, install the 32-bit compatibility libraries;
4. Move apktool.jar and the wrapper script into /usr/local/bin;
    pengchengxiang@ubuntu:/usr/local/bin$ sudo mv /home/pengchengxiang/Desktop/apktool.sql /usr/local/bin/
    pengchengxiang@ubuntu:/usr/local/bin$ sudo mv /home/pengchengxiang/Desktop/apktool_2.1.1.jar /usr/local/bin/
    pengchengxiang@ubuntu:/usr/local/bin$ ls
    apktool_2.1.1.jar  apktool.sql
5. Rename apktool_2.1.1.jar to apktool.jar and the wrapper script to apktool (the wrapper looks for a file named apktool.jar next to itself);
    pengchengxiang@ubuntu:/usr/local/bin$ sudo mv apktool.sql apktool
    pengchengxiang@ubuntu:/usr/local/bin$ sudo mv apktool_2.1.1.jar apktool.jar
    pengchengxiang@ubuntu:/usr/local/bin$ ls
    apktool  apktool.jar
6. Make sure both files are executable. Note what the listing below also shows: the files stayed owned by the unprivileged user and are group- and world-writable (-rwxrw-rw-), so any local account could replace a tool that everyone runs from /usr/local/bin. Files in that directory should be owned by root with mode 755 (rwxr-xr-x), not merely given u+x;
    pengchengxiang@ubuntu:/usr/local/bin$ sudo chmod u+x apktool
    pengchengxiang@ubuntu:/usr/local/bin$ sudo chmod u+x apktool.jar
    pengchengxiang@ubuntu:/usr/local/bin$ ls -al
    total 6344
    drwxr-xr-x  2 root           root              4096 Jul 10 00:14 .
    drwxr-xr-x 11 root           root              4096 May 28 08:53 ..
    -rwxrw-rw-  1 pengchengxiang pengchengxiang    2297 Jul 10 00:10 apktool
    -rwxrw-rw-  1 pengchengxiang pengchengxiang 6481574 Jul 10 00:11 apktool.jar
7. Run apktool in a terminal to verify the installation;
    pengchengxiang@ubuntu:/usr/local/bin$ apktool
    Apktool v2.1.1 - a tool for reengineering Android apk files
    with smali v2.1.2 and baksmali v2.1.1
    … …
      -o,--output <dir>       The name of apk that gets written. Default is dist/name.apk
      -p,--frame-path <dir>   Uses framework files located in <dir>.
    For additional info, see: http://ibotpeaches.github.io/Apktool/
    For smali/baksmali info, see: https://github.com/JesusFreke/smali
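A check for the install above, added here as an example and not part of the original article: it verifies the layout the article sets up (wrapper plus jar in one directory, both executable) and, unlike the ls -al listing above, rejects files that are group- or world-writable. It assumes the two files sit in /usr/local/bin or in a directory you pass; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the article): verify an apktool install in the
# layout the article uses (<dir>/apktool + <dir>/apktool.jar). Besides
# "is it executable", it rejects files other users can modify, because a
# world-writable tool in /usr/local/bin runs as whoever invokes it.

# Return 0 if FILE exists and is not group/world-writable. The mode comes
# from `ls -ld`, which is portable (stat's flag syntax differs per OS).
# Positions 6 and 9 of the mode string are the group and other 'w' bits.
not_writable_by_others() {
    mode=$(ls -ld -- "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        -????-??-?) return 0 ;;
        *)          return 1 ;;
    esac
}

# Return 0 only if DIR holds both apktool and apktool.jar, both executable
# (the wrapper is exec'd; apktool's own install notes ask for +x on both)
# and neither writable by group or others. Prints each problem to stderr.
check_apktool_install() {
    dir=${1:-/usr/local/bin}
    rc=0
    for f in apktool apktool.jar; do
        p="$dir/$f"
        if [ ! -f "$p" ]; then
            echo "missing: $p" >&2; rc=1; continue
        fi
        [ -x "$p" ] || { echo "not executable: $p" >&2; rc=1; }
        not_writable_by_others "$p" ||
            { echo "writable by group/others (use chown root:root + chmod 755): $p" >&2; rc=1; }
    done
    return "$rc"
}

# Stand-alone use: `sh check.sh --run [dir]` checks the layout, then prints
# apktool's version banner as the article's step 7 does.
if [ "${1:-}" = "--run" ]; then
    check_apktool_install "${2:-/usr/local/bin}" && "${2:-/usr/local/bin}/apktool" --version
fi
```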

III. Using ApkTool

1. Unzip app-release.apk with an ordinary archive tool and look at the structure before decoding;
[image: directory listing of the unzipped APK]
    assets:              sounds, fonts, web pages and other raw resources; not compiled, readable as-is;
    lib:                 native libraries used by the app;
        armeabi:         .so files, compiled C/C++ code;
    META-INF:            the APK's signature files (*.RSA, *.SF, *.MF);
    res:                 the app's resource directory; its XML files are compiled, so they cannot be read directly;
        anim:            animation resources;
        color:           color resources;
        drawable:        drawable image resources;
        layout:          page layout files;
        xml:             app configuration files;
    AndroidManifest.xml: the app manifest; stored as Android binary XML (encoded, not compressed), so a text editor shows garbage;
    classes.dex:         the compiled Java code (Dalvik bytecode);
    resources.arsc:      the compiled resource table, e.g. the contents of strings.xml;
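An added example, not from the article, of why the listing above calls some files unreadable: it sniffs the first bytes of each entry and reports whether it is Android binary XML, the resource table, a dex file, a native library, a PNG or plain-text XML. Run it over an unzipped APK and again over the apktool output directory to see exactly which files decoding turned back into text. The magic values are the Android resource chunk headers and the dex/ELF/PNG signatures; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the article): classify entries extracted from an
# APK by their first bytes. AndroidManifest.xml and res/**/*.xml are not
# compressed; they are Android binary XML (AXML), which is why an editor
# shows garbage while assets/ stays readable. Magic values checked
# (resource chunk headers are little-endian: type, then header size):
#   03 00 08 00  RES_XML_TYPE   -> binary XML (AndroidManifest.xml, res/*.xml)
#   02 00 0C 00  RES_TABLE_TYPE -> resources.arsc
#   64 65 78 0A  "dex\n"        -> classes.dex
#   7F 45 4C 46  "\x7fELF"      -> lib/*/*.so
#   89 50 4E 47  PNG            -> drawables (readable as-is, nothing to decode)
#   3C           '<'            -> plain-text XML (assets, or apktool output)

# Print the first 4 bytes of FILE as lowercase hex, e.g. "03000800".
head4_hex() {
    od -An -tx1 -N4 -- "$1" | tr -d ' \n'
}

# Print one word for FILE: axml, arsc, dex, elf, png, text-xml or other.
apk_entry_kind() {
    case "$(head4_hex "$1")" in
        03000800) echo axml ;;
        02000c00) echo arsc ;;
        6465780a) echo dex ;;
        7f454c46) echo elf ;;
        89504e47) echo png ;;
        3c*)      echo text-xml ;;
        *)        echo other ;;
    esac
}

# Walk an unzipped APK (or an apktool output dir) and print "<kind> <path>"
# per file, so you can see at a glance which XML is still binary.
report_apk_tree() {
    find "$1" -type f | sort | while read -r f; do
        printf '%-9s %s\n' "$(apk_entry_kind "$f")" "${f#"$1"/}"
    done
}

# Stand-alone use: sh sniff.sh <unzipped-apk-dir>
if [ -n "${1:-}" ]; then
    report_apk_tree "$1"
fi
```

Comparing the two reports is the quickest way to confirm what `apktool d` did: in the raw APK every XML under res/ and the manifest come back as axml, in the decoded tree they come back as text-xml, while classes.dex has been replaced by the smali/ directory.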

2. Decode the APK:
    apktool d[ecode] [OPTS] <file.apk> [<dir>]
    pengchengxiang@ubuntu:~/SecurityWorkSpace/SecurityDemo/app/build/outputs/apk$ apktool d app-release.apk
    I: Using Apktool 2.1.1 on app-release.apk
    I: Loading resource table...
    I: Decoding AndroidManifest.xml with resources...
    I: Loading resource table from file: /home/pengchengxiang/apktool/framework/1.apk
    I: Regular manifest package...
    I: Decoding file-resources...
    I: Decoding values */* XMLs...
    I: Baksmaling classes.dex...
    I: Copying assets and libs...
    I: Copying unknown files...
    I: Copying original files...
Note: decode the release build. In the author's experience a debug APK decoded to smali with no files for the app's own Activities; a likely cause is Android Studio's Instant Run, which in debug builds of that time loaded the app's classes from a separate archive inside the APK rather than from classes.dex. The release build does not have this problem;

3. Look at the decoded structure:
[image: directory listing of the decoded project]
    build:               intermediate artifacts of the rebuild (created by apktool b);
    dist:                where the rebuilt APK is written (created by apktool b);
    original:            the original AndroidManifest.xml and META-INF (signature files), kept for the rebuild;
    res:                 the app's resources;
        anim:            animation resources (readable);
        color:           color resources (readable);
        drawable:        drawable image resources (readable);
        layout:          page layout files (readable);
    smali:               the disassembled code, one .smali file per class;
    AndroidManifest.xml: the decoded manifest (readable);
    apktool.yml:         decode metadata (apktool version, frameworks used, SDK levels) that apktool reads back when rebuilding;

4. The decoded files look like this:
[image: the decoded smali and resource files]
5. Rebuild the APK (run from inside the decoded directory, or pass its path):
    apktool b[uild] [OPTS] <app_path> [<out_file>]
    pengchengxiang@ubuntu:~/SecurityWorkSpace/SecurityDemo/app/build/outputs/apk/app-release$ apktool b
    I: Using Apktool 2.1.1
    I: Checking whether sources has changed...
    I: Checking whether resources has changed...
    I: Building apk file...
    I: Copying unknown files/dir...
    pengchengxiang@ubuntu:~/SecurityWorkSpace/SecurityDemo/app/build/outputs/apk/app-release$ cd dist/
    pengchengxiang@ubuntu:~/SecurityWorkSpace/SecurityDemo/app/build/outputs/apk/app-release/dist$ ls
    app-release.apk
The APK in dist/ is unsigned: apktool does not carry the original META-INF signature into the rebuilt file (it could not match the modified contents anyway), so the next step is mandatory before it can be installed.
6. Sign the APK:
    Generate a key:  keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000
    Sign the APK:    jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore my_application.apk alias_name
    Verify it:       jarsigner -verify -verbose -certs my_application.apk
Three things to know about this flow. jarsigner only produces the v1 (JAR) signature, and the SHA1 flags are the ones the Android documentation of the time gave for compatibility with old devices, not a strength choice. The "CertPath not validated" warning in the verify output is expected: the certificate is self-signed, and Android does not check app-signing certificates against any trust anchor; what it enforces is that every later update of the package is signed with the same certificate, so keep the keystore and its password out of the source tree. Finally, keytool asks for a two-letter country code; "86" below is the telephone prefix, not a country code (CN), which keytool accepted but is cosmetic.
    pengchengxiang@ubuntu:~/SecurityWorkSpace/SecurityDemo/app/build/outputs/apk/app-release/dist$ keytool -genkey -v -keystore my-release-key.keystore -alias MyAndroidKey -keyalg RSA -keysize 2048 -validity 10000
    Enter keystore password:
    Re-enter new password:
    What is your first and last name?
      [Unknown]:  ChengXiangPeng
    What is the name of your organizational unit?
      [Unknown]:  Test
    What is the name of your organization?
      [Unknown]:  Test
    What is the name of your City or Locality?
      [Unknown]:  BeiJing
    What is the name of your State or Province?
      [Unknown]:  BeiJing
    What is the two-letter country code for this unit?
      [Unknown]:  86
    Is CN=ChengXiangPeng, OU=Test, O=Test, L=BeiJing, ST=BeiJing, C=86 correct?
      [no]:  yes
    Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 10,000 days
        for: CN=ChengXiangPeng, OU=Test, O=Test, L=BeiJing, ST=BeiJing, C=86
    Enter key password for <MyAndroidKey>
        (RETURN if same as keystore password):
    Re-enter new password:
    [Storing my-release-key.keystore]
    pengchengxiang@ubuntu:~/SecurityWorkSpace/SecurityDemo/app/build/outputs/apk/app-release/dist$ ls
    app-release.apk  my-release-key.keystore
    pengchengxiang@ubuntu:~/SecurityWorkSpace/SecurityDemo/app/build/outputs/apk/app-release/dist$ jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key.keystore app-release.apk MyAndroidKey
    Enter Passphrase for keystore:
    Enter key password for MyAndroidKey:
       adding: META-INF/MANIFEST.MF
       adding: META-INF/MYANDROI.SF
       adding: META-INF/MYANDROI.RSA
      signing: AndroidManifest.xml
      signing: classes.dex
      signing: res/anim/abc_fade_in.xml
      ... ...
      signing: res/mipmap-xxhdpi-v4/ic_launcher.png
      signing: res/mipmap-xxxhdpi-v4/ic_launcher.png
      signing: resources.arsc
    jar signed.
    pengchengxiang@ubuntu:~/SecurityWorkSpace/SecurityDemo/app/build/outputs/apk/app-release/dist$ jarsigner -verify -verbose -certs app-release.apk
    s      35029 Sun Jul 10 02:42:52 PDT 2016 META-INF/MANIFEST.MF
    ... ...
    sm    195784 Sun Jul 10 02:27:56 PDT 2016 resources.arsc
          X.509, CN=ChengXiangPeng, OU=Test, O=Test, L=BeiJing, ST=BeiJing, C=86
          [certificate is valid from 7/10/16 2:40 AM to 11/26/43 1:40 AM]
          [CertPath not validated: Path does not chain with any of the trust anchors]
      s = signature was verified
      m = entry is listed in manifest
      k = at least one certificate was found in keystore
      i = at least one certificate was found in identity scope
    jar verified.
    Warning:
    This jar contains entries whose certificate chain is not validated.
    This jar contains signatures that does not include a timestamp. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2043-11-26) or after any future revocation date.
7. Install the APK:
    pengchengxiang@ubuntu:~/SecurityWorkSpace/SecurityDemo/app/build/outputs/apk/app-release/dist$ adb install app-release.apk
    Success
If the same package is already installed from a build signed with a different key, uninstall it first: Android rejects the install (INSTALL_FAILED_UPDATE_INCOMPATIBLE) because the signing certificate differs, which is precisely the protection the app signature provides.
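The decode, rebuild, sign, verify and install cycle of steps 2 to 7 as one script, added here as an example and not taken from the article. It differs from the article's flow in two deliberate ways: it uses apksigner instead of jarsigner, so the result carries both the v1 and the v2 signature, and it aligns before signing (the order apksigner requires, the opposite of the jarsigner flow). It assumes apktool, zipalign and apksigner (Android SDK build-tools) are on PATH and adb only for the final install; the keystore, alias and output file names are placeholders, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the article): decode -> rebuild -> align -> sign
# -> verify -> install as one script. Assumes apktool, zipalign and
# apksigner on PATH; adb is optional and only used to install at the end.
#
# Why apksigner: jarsigner writes only the v1 (JAR) signature, with the
# SHA-1 digests the article uses. apksigner also writes the v2 signature,
# which Android 7.0+ verifies over the whole file. Because v2 covers the
# entire zip, the file must be zipaligned BEFORE signing; aligning
# afterwards would break it (with jarsigner you align after signing).

# Return 1 and name every missing tool at once, instead of dying halfway.
require_tools() {
    missing=""
    for t in "$@"; do
        command -v "$t" >/dev/null 2>&1 || missing="$missing $t"
    done
    [ -z "$missing" ] || { echo "missing tools:$missing" >&2; return 1; }
}

# Decode APK into DIR. -f overwrites an existing DIR; -o names it.
apk_decode() {
    [ -f "$1" ] || { echo "no such apk: $1" >&2; return 1; }
    apktool d -f -o "$2" "$1"
}

# Rebuild DIR (an apktool project, recognised by apktool.yml) into an
# unsigned, unaligned APK at OUT.
apk_build() {
    [ -f "$1/apktool.yml" ] || { echo "not an apktool project: $1" >&2; return 1; }
    apktool b -o "$2" "$1"
}

# Align SRC to DST, sign DST with v1+v2 using KEYSTORE/ALIAS, then verify.
# apksigner prompts for the passwords, so none end up in shell history.
apk_align_sign_verify() {
    src=$1; dst=$2; keystore=$3; alias=$4
    [ -f "$src" ] || { echo "no such apk: $src" >&2; return 1; }
    [ -f "$keystore" ] || { echo "no such keystore: $keystore" >&2; return 1; }
    zipalign -f 4 "$src" "$dst" &&
    apksigner sign --ks "$keystore" --ks-key-alias "$alias" \
        --v1-signing-enabled true --v2-signing-enabled true "$dst" &&
    apksigner verify --verbose --print-certs "$dst"
}

# Usage: sh repack.sh app-release.apk my-release-key.keystore MyAndroidKey
# Edit the smali under work/ between the decode and the build.
if [ "$#" -eq 3 ]; then
    require_tools apktool zipalign apksigner || exit 1
    apk_decode "$1" work &&
    apk_build work unsigned.apk &&
    apk_align_sign_verify unsigned.apk signed.apk "$2" "$3" || exit 1
    if command -v adb >/dev/null 2>&1; then
        adb install -r signed.apk
    fi
fi
```

`apksigner verify --print-certs` is also the right way to compare the certificate of your rebuilt APK with the one on the device's installed copy: if they differ, `adb install -r` will fail for the reason given in step 7.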
Tip 1: decoding some APKs fails with the following error
pengchengxiang@ubuntu:~/SecurityWorkSpace$ apktool d test.apk
I: Using Apktool 2.1.1 on test.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: /home/pengchengxiang/apktool/framework/1.apk
I: Regular manifest package...
I: Decoding file-resources...
W: Could not decode attr value, using undecoded value instead: ns=app, name=bdName, value=0x00000034
I: Decoding values */* XMLs...
Can't find framework resources for package of id: 114. You must install proper framework files, see project website for more info.
Analysis 1: the app you are decoding may have been built against a vendor framework (HTC, Samsung and others customize framework resources) and reference resources from it, or it is a component/module APK that references resources of a host platform app;

Fix 1: install the vendor framework or the platform app's APK with `apktool if framework-res.apk` (or `apktool if main.apk`), then decode again, e.g. `apktool d test.apk -t 127`. What the number means: `apktool if` stores the framework under ~/apktool/framework as <id>.apk, where <id> is the package id read from the framework's resources.arsc (printed at install time), or as <id>-<tag>.apk when you pass -t <tag>. The -t on `apktool d` is --frame-tag: apktool tries <id>-<tag>.apk first and falls back to <id>.apk, which is why the decode in Tip 2 loads 127.apk even though -t 127 was given. Tags exist so that frameworks from different ROMs that reuse the same package id can be installed side by side;
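An added example, not from the article, that handles Tip 1 more systematically: it pulls the package id out of the decode log, checks whether that id is already in apktool's framework directory under any tag, and otherwise says what to install. It assumes apktool 2.x's default framework directory ~/apktool/framework and that the vendor framework APKs have already been pulled from a device running that ROM (e.g. with `adb pull /system/framework/framework-res.apk`); the function names are mine.

```shell
#!/bin/sh
# Added example (not from the article): diagnose and fix
# "Can't find framework resources for package of id: N".
# N is the package id of a framework the app's resources point at; apktool
# ships only the AOSP one (id 1). Vendor ROMs add their own framework APKs,
# which you pull from a device and register with `apktool if`.
# Assumes apktool 2.x's default framework dir, ~/apktool/framework.

FRAMEWORK_DIR=$HOME/apktool/framework

# Print the package id named in an apktool decode log, or nothing.
missing_framework_id() {
    sed -n 's/.*framework resources for package of id: \([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 if framework ID is installed in DIR as ID.apk or ID-<tag>.apk.
framework_installed() {
    id=$1; dir=${2:-$FRAMEWORK_DIR}
    for f in "$dir/$id.apk" "$dir/$id"-*.apk; do
        [ -f "$f" ] && return 0
    done
    return 1
}

# Register each framework APK (already pulled from the device) under TAG,
# so frameworks of different ROMs with the same id do not overwrite each other.
install_frameworks() {
    tag=$1; shift
    for f in "$@"; do
        apktool if -t "$tag" "$f" || return 1
    done
}

# Decode APK with the frameworks registered under TAG. On the framework
# error, report which id is missing and whether it exists under another tag.
decode_with_tag() {
    apk=$1; tag=$2; log=$(mktemp)
    if apktool d -f -t "$tag" "$apk" >"$log" 2>&1; then
        cat "$log"; rm -f "$log"; return 0
    fi
    cat "$log"
    id=$(missing_framework_id "$log"); rm -f "$log"
    [ -n "$id" ] || return 1
    if framework_installed "$id"; then
        echo "framework $id exists in $FRAMEWORK_DIR but not as $id-$tag.apk or $id.apk; reinstall it with: apktool if -t $tag <framework.apk>" >&2
    else
        echo "framework $id is not installed; pull it from a device running this ROM, then: apktool if -t $tag <framework.apk>" >&2
    fi
    return 1
}

# Usage: sh frameworks.sh <tag> <app.apk> [framework.apk ...]
if [ "$#" -ge 2 ]; then
    tag=$1; apk=$2; shift 2
    [ "$#" -eq 0 ] || install_frameworks "$tag" "$@" || exit 1
    decode_with_tag "$apk" "$tag"
fi
```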

Tip 2: decoding some APKs fails with the following error:
pengchengxiang@ubuntu:~/SecurityWorkSpace$ apktool d test.apk -t 127
I: Using Apktool 2.1.1 on test.apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Regular manifest package...
I: Decoding file-resources...
I: Loading resource table from file: /home/pengchengxiang/apktool/framework/1.apk
I: Loading resource table from file: /home/pengchengxiang/apktool/framework/127.apk
I: Decoding values */* XMLs...
I: Baksmaling classes.dex...
I: Copying assets and libs...
I: Copying unknown files...
I: Copying original files...
Exception in thread "main" java.lang.NullPointerException
    at brut.androlib.res.xml.ResXmlPatcher.pullValueFromStrings(ResXmlPatcher.java:128)
    at brut.androlib.ApkDecoder.putVersionInfo(ApkDecoder.java:360)
    at brut.androlib.ApkDecoder.writeMetaFile(ApkDecoder.java:299)
    at brut.androlib.ApkDecoder.decode(ApkDecoder.java:162)
    at brut.apktool.Main.cmdDecode(Main.java:163)
    at brut.apktool.Main.main(Main.java:81)
Fix 2: this is a bug in older ApkTool versions. The trace shows the crash in ApkDecoder.putVersionInfo calling ResXmlPatcher.pullValueFromStrings, i.e. while the app's versionCode/versionName are written into apktool.yml: the old code hands the manifest's versionName straight to a string check for an @string reference, so an APK whose manifest has no versionName (or versionCode) dereferences null. Check your ApkTool version and upgrade to 2.2.1 or later;
