This article introduces the Android file system and how to interact with connected Android devices, their installed applications, and their structure.
Mobile application Penetration testing
AOSP
Google maintains the Android open-source project. Android was created for touchscreen devices and is based on the Linux kernel.
Android has managed to remain the best-selling OS for smartphones since 2011. The Android OS can also be found on tablets, smartwatches, and TVs.
Android File system
Since Android is based on the Linux operating system, its file structure is very similar to that of Linux. The system partitions and files are protected and inaccessible unless the user roots the device.
Contrary to Windows, physical partitions such as the SD card don’t have a drive letter and will appear under the /root/ folder. Typically, all users have at least read permissions for /root/ on Linux but not on Android.
Sdcard
The /sdcard/ partition is the primary storage location for user files and data, as well as for application data and settings. A /sdcard/ partition exists even if no external storage or SD card is installed.
When an Android smartphone is linked to a computer via USB, the default directory shown is the /sdcard/ partition. On some devices, /sdcard/ is a symlink to /storage/emulated/0/.
Browsing the folders
The local folders of an Android device can be browsed using a file manager. Some devices come with pre-installed file managers; on others, one must be installed from the Play Store.
Alternatively, for people who are more comfortable with the CLI, a terminal emulator such as Termux can be installed.
Main Partitions
The Android file system uses a few central partitions besides /sdcard/, but those are not physical partitions on the device.
The actual partitions are listed within /proc/partitions and are named mmcblk0 through mmcblk8.
PARTITION | DESCRIPTION |
/boot/ | As the name suggests, this partition hosts all the files related to the phone's boot process. Without this partition, the device will not be able to boot. |
/system/ | This partition contains the entire operating system of the phone except for the kernel, which is stored in /boot/. |
/recovery/ | This alternative boot partition is typically used if there is any error while booting the system when flashing a new system image. |
/cache/ | As the name suggests, this is the cache partition used for frequently accessed data. |
Introduction to ADB
ADB is a command-line utility for communicating with Android devices. The primary purpose of ADB is to help developers debug and test their applications efficiently.
ADB provides the ability to control an Android device from a computer and copy files back and forth. ADB can also run shell commands on the device, install and uninstall apps, take screenshots, and more.
Installing ADB
ADB runs as a client-server program. It needs to be installed on the desktop machine and active on the Android device.
The ADB driver can be downloaded from developers.android.com. Alternatively, installing Android Studio automatically installs the ADB drivers on the system.
In Windows, the installation will be in C:\Users\[user]\appData\Local\Sdk\platform-tools.
Activating ADB
ADB can be activated on Android devices through the Settings and About menus. Tapping the build number 7 times will pop up a message saying, “You are now a Developer.”
Afterward, a Developer Options menu will be added to the main settings page. In the Developer options, ADB debugging can be enabled.
Using ADB
The command `adb devices` can list all connected devices. If the ADB server is not running, the command will initiate it.
To connect to the device and start a shell, `adb shell` is used, and if root permission is needed, `adb root` can be run. File transfer is done using `adb push [file path] [android path]` and `adb pull [android path] [file path]`.
Rooting
The process of granting users of Android devices privileged authority over the Android subsystem is known as rooting.
Rooting is frequently used to circumvent limitations that carriers and hardware manufacturers impose on specific devices.
A rooted device allows you to read and change the system applications, edit some device settings, and alter the Android subsystem files. Root access can be compared to jailbreaking an iOS device.
Root advantages
Root access allows complete kernel control, such as overclocking and under-clocking the CPU or GPU.
Rooted devices also have complete application control, including backing up, restoring, and editing programs.
Custom automated system-level processes can be added by using third-party applications and modules. After rooting, it is possible to install custom firmware or ROMs.
Android applications
Android applications will be saved as APK files regardless of the programming language.
Java: Due to the need for compatibility with different chipsets and devices, Java is chosen as the main programming language for Android applications. The applications themselves are then packed into an APK file.
Kotlin: Kotlin is an alternative language for programming Android applications. It addresses Java security and programming issues and is generally considered more programmer-friendly.
Dalvik Android VM
Dalvik is a virtual machine developed exclusively for Android. It was designed to address battery life, memory management, and computing power issues.
A virtual machine is necessary for the application to run the same on different devices, which might have different hardware and chipsets.
Dalvik was developed so that a device can effectively run several virtual machines. Each virtual machine executes files in the DEX format, which is intended to require as little RAM as feasible when running.
Every application runs on a separate virtual machine instance. Dalvik is open-source software originally written by Dan Bornstein, who named it after the fishing village of Dalvik.
Dalvik Compilation
Dalvik is built on “Just in time” compilation, which implies that when an application is run, the code required for its execution is converted into machine code.
While the application is moving through activities, additional code will be compiled and cached so the system can reuse the code while the app is running.
It compiles only part of the code, has a smaller memory footprint, and uses less physical space on the device. The memory footprint refers to the amount of primary memory a piece of software uses while executing.
Android Runtime
The Android Runtime (ART) is replacing the Dalvik virtual machine used by Android, and it will become more popular on newer Android versions.
It translates the applications from bytecode into native instructions that are later executed by the device runtime environment.
ART introduces “Ahead-of-time” compilation by compiling the entire application into native machine code upon installation.
Application Structure
Extracting Applications
Every installed program on the device can be retrieved and decompiled.
The commands `pm list packages` and `pm path [app name]` can be run from within the shell to find the application. The source code of an application is stored inside the .dex files in the Android package.
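The ADB steps from “Using ADB” and the package lookup above, combined in an added example that is not part of the original article: it parses the output of `adb devices`, `pm list packages` and `pm path`, then builds the matching `adb pull` commands. The sample output, the serial numbers and the package name com.example.notes are constructed, and `extract()` assumes `adb` is on the PATH.

```python
import subprocess

# Constructed sample output (not captured from a real device).
SAMPLE_DEVICES = ("* daemon started successfully\n"
                  "List of devices attached\n"
                  "emulator-5554\tdevice\n"
                  "R58M123ABC\tunauthorized\n")
SAMPLE_PM_PATH = ("package:/data/app/com.example.notes-1/base.apk\n"
                  "package:/data/app/com.example.notes-1/split_config.en.apk\n")

def parse_devices(output):
    """Map serial -> state from `adb devices`; only state 'device' is usable."""
    devices = {}
    for line in output.splitlines():
        # Skip the header and the '* daemon ...' lines printed on server start.
        if line.startswith(("*", "List of")):
            continue
        parts = line.split()
        if len(parts) >= 2:
            devices[parts[0]] = parts[1]
    return devices

def parse_pm_lines(output):
    """Strip the 'package:' prefix that `pm list packages` and `pm path` print."""
    lines = (line.strip() for line in output.splitlines())
    return [l[len("package:"):] for l in lines if l.startswith("package:")]

def pull_commands(serial, apk_paths, dest="."):
    """One `adb pull` per APK; an app may consist of several split APKs."""
    return [["adb", "-s", serial, "pull", path, dest] for path in apk_paths]

def adb(*args):
    """Run adb (assumed to be on PATH) and return its standard output."""
    return subprocess.run(["adb", *args], check=True,
                          capture_output=True, text=True).stdout

def extract(package, dest="."):
    """Pull every APK of `package` from the first authorized device."""
    ready = [s for s, st in parse_devices(adb("devices")).items() if st == "device"]
    if not ready:
        raise RuntimeError("no authorized device: accept the USB debugging prompt")
    serial = ready[0]
    if package not in parse_pm_lines(adb("-s", serial, "shell", "pm", "list", "packages")):
        raise ValueError(f"{package} is not installed on {serial}")
    paths = parse_pm_lines(adb("-s", serial, "shell", "pm", "path", package))
    for cmd in pull_commands(serial, paths, dest):
        subprocess.run(cmd, check=True)
    return paths

if __name__ == "__main__":
    print(pull_commands("emulator-5554", parse_pm_lines(SAMPLE_PM_PATH)))
```

A device listed as `unauthorized` has not accepted the computer's debugging key yet, so the script only uses devices in the `device` state.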
Reverting DEX to JAR
.dex files can be decompiled to readable code using tools like ‘dex2jar’ from GitHub.
The .dex file is converted using the appropriate script: `d2j-dex2jar.bat -o [jar file] [dex file]`. ‘Dex2jar’ also supports conversion operations such as jar to dex and dex to smali.
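Before a .dex file is handed to a converter, it is worth confirming that it is intact. The following added example (not from the original article or from dex2jar) opens an APK as the ZIP archive it is and checks each .dex entry's header magic, size, Adler-32 checksum and SHA-1 signature; the sample DEX and APK are constructed in memory.

```python
import hashlib
import io
import struct
import zipfile
import zlib

def build_sample_dex():
    """Constructed header-only DEX (112 bytes) with valid checksum/signature."""
    # file_size, header_size, endian_tag, then 17 zeroed size/offset fields
    body = struct.pack("<20I", 112, 112, 0x12345678, *([0] * 17))
    sig = hashlib.sha1(body).digest()
    checksum = zlib.adler32(sig + body) & 0xFFFFFFFF
    return b"dex\n035\x00" + struct.pack("<I", checksum) + sig + body

def check_dex(data):
    """Return header facts plus integrity results for one .dex blob."""
    if len(data) < 112 or data[:4] != b"dex\n":
        return {"valid_magic": False}
    checksum, = struct.unpack_from("<I", data, 8)
    file_size, header_size, endian = struct.unpack_from("<3I", data, 32)
    method_ids, _, class_defs = struct.unpack_from("<3I", data, 88)
    return {
        "valid_magic": True,
        "version": data[4:7].decode("ascii", "replace"),
        "size_ok": file_size == len(data),
        "header_size_ok": header_size == 112,
        # Adler-32 covers everything after the magic and checksum fields.
        "checksum_ok": checksum == zlib.adler32(data[12:]) & 0xFFFFFFFF,
        # SHA-1 covers everything after the signature field.
        "signature_ok": data[12:32] == hashlib.sha1(data[32:]).digest(),
        "little_endian": endian == 0x12345678,
        "methods": method_ids,
        "classes": class_defs,
    }

def scan_apk(apk_bytes):
    """An APK is a ZIP archive; check every .dex entry inside it."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        return {n: check_dex(apk.read(n)) for n in apk.namelist()
                if n.endswith(".dex")}

def build_sample_apk(dex):
    """Constructed APK holding a placeholder manifest and one classes.dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("AndroidManifest.xml", b"constructed placeholder")
        apk.writestr("classes.dex", dex)
    return buf.getvalue()

if __name__ == "__main__":
    good = build_sample_dex()
    for dex in (good, good[:-1] + b"\x01"):   # intact copy, then one altered byte
        print(scan_apk(build_sample_apk(dex)))
```

A mismatch means the file was truncated or modified after it was built; a match says nothing about who built it, because both values can be recomputed by anyone who edits the file.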
Decompile Android applications
After reverting the .dex file to JAR, it must be decompiled in a Java de-compiler.
“JD-GUI” is a de-compiler that allows you to read Java files quickly and clearly. Alternatively, some online de-compilers exist as well, such as https://jdec.app/
Android Emulators
An Android emulator allows users to run Android applications without a physical Android device.
It can be used to investigate suspicious applications and malware. Originally, Android emulators were intended to test applications on different devices.
Popular Emulators
‘Android Studio’ includes a built-in emulator that can emulate various Android devices and Android versions. It uses HAXM to accelerate emulation on Intel computers.
The ‘NOX’ Android emulator is a virtual machine that runs on VirtualBox. NOX can be rooted from the settings, and it has a lot of options that can be changed and controlled by the user during runtime.
‘Genymotion’ emulator also runs on VirtualBox and runs the devices in the x86 architecture, which is excellent for performance, but most Android devices today run on ARM.