ANDROID PENTESTING SERIES PART 4 : APK File Structure
APK File Structure
APK is the file format to distribute Android apps. APK stands for Android package Kit and it contain all elements the app requires to function. The apk file is a JAR file (Java Archieve) which is similar to compressed zip file with .apk suffix.
The main contents of APK files are
AndroidMenifest.xml File
The manifest contains key information elements about the application, Some of them are :
- Application’s package name.
- All the application’s components, such as activities, resources.
- What permissions this application requires to run, and the permissions required to access this application’s information by other apps.
- Compatibility features (eg: minimum android version and supported devices).
Full list can be obtained from here : https://developer.android.com/guide/topics/manifest/manifest-intro
META_INF
This folder contains the MANIFEST.MF file, which contains the SHA-256-Digest of all the files in the apk. Is used to verify the validity of each file in the zip. Ensures that the alteration of this file or any of the other files in the zip container, will revoke the signature and make it invalid. The signature of APK is also stored in this folder. Some other files are :
- CERT.SF (May have another file name with the same suffix) – List of all files with their SHA-1 hashes.
- CERT.RSA (May have another file name with the same suffix) – Contains signed content of CERT.RF and is used to verify app integrity with the public key.
assets
This folder contains applicaton assets like video, audio, docs etc.
lib
Contains compiled code like native libraries.
classes.dex
Contains compiled application code in dex format. It basically contains compiled Java/Kotkin application code, dex stands for Dalvik executable.
resources.arsc
This file contains precompiled application resources such as strings, colors, or styles.
res
This folder contains resources not compiled into resources.arsc.
kotlin
This folder is present only if the application was written with Kotlin. It contains Kotlin specific data. Its content might be changed as part of the fusion process, dependable on the selected Fusion policy.
APK Building Process
The below steps gives high level of understanding of how APK is produced :
- The process starts with the application’s source code in Java/Kotlin, along with its dependencies. First, this source code is compiled to Java bytecode using Java/Kotlin compilers. Note that the application’s dependencies are already compiled and require no additional processing in this step. These include both Android dependencies shipped as AAR files and Java-only dependencies in the form of JAR files.
- Java bytecode produced in the previous step together with all the dependencies is then converted into Dex files containing Dalvik bytecode that can run on Android devices. This produces the classes.dex file (or multiple classes*.dex files if multidex is enabled).
- Application resources are compiled with the Android Asset Packaging Tool. This tool processes all resources into a binary format optimized for Android use. Its output is an APK file with all resources except code — i.e. the assets and res directories, the resources.arsc file with precompiled resources, and the application’s manifest.
- The compiled application code with all the classes.dex files produced in step 2 and the native libraries are packaged into the APK file.
- The APK file is then optimized with zipalign. This step ensures that all uncompressed data in the APK file is aligned to a four-byte boundary to improve runtime performance when accessing large binary data such as images.
Finally, the APK file is digitally signed so it can be verified and installed on any Android device.
References
- https://developer.android.com/guide/topics/manifest/manifest-intro
- https://medium.com/androiddevnotes/the-internals-of-android-apk-build-process-article-5b68c385fb20
- https://stackoverflow.com/questions/18951048/how-does-the-android-build-process-work
