This is a docker image for the reverse engineering of Android applications.
Disclaimer: Please use responsibly.
Don't want to read this page through and have only basic requirements?
$ docker pull cryptax/android-re
$ docker run -d --privileged -p 5900:5900 -p 5022:22 --name androidre cryptax/android-re
$ xhost +
$ ssh -p 5022 -X root@127.0.0.1
Login with password rootpass
.
Then:
$ emulator9 &
If that's not working the way you expect, read the rest ;P
This container contains many tools to reverse engineer Android applications.
- Android emulators 5.1 (ARM), 7.1.1 (ARM) and 9.0 (x86)
- androguard
- apktool
- AXMLPrinter
- baksmali / smali
- classyshark
- CFR
- dex2jar
- enjarify
- frida
- google play api
- google play crawler
- google play downloader
- jadx
- java decompiler
- krakatau
- procyon
- radare2
Those are open source tools, or free demos.
There are three steps:
- Install docker ;)
- Download docker image
- Run the container on your host
- Log into the container and use it ;)
Normally, you just need to do:
$ docker pull cryptax/android-re:latest
Unless you want to build your own image - then see below the Customization section.
There are a few options:
- running the container locally: you just want to run on your own machine and don't want to bother about SSH or VNC.
- running to connect via SSH or VNC: the container will be available as a standalone host you can log into via SSH, or VNC.
$ docker run -it --rm -e DISPLAY=$DISPLAY -v /tmp/.X11-unix:/tmp/.X11-unix cryptax/android-re:latest /bin/bash
You are directly connected to the container.
Note you can also share a directory with your host using -v hostdir:containerdir
.
If you try to use any graphical interface and get an error like No protocol specified
followed by an crash (SEGFAULT
), using this command before running the docker should fix it: xhost +local:docker
.
IMPORTANT: if you want to use the Android emulator x86 image, you need to set the --privileged
option in the command line, i.e:
$ docker run -it --privileged --rm -e DISPLAY=$DISPLAY -v /tmp/.X11-unix:/tmp/.X11-unix cryptax/android-re:latest /bin/bash
Run the container:
$ docker run -d --name androidre -p SSH_PORT:22 -p VNC_PORT:5900 cryptax/android-re
where:
- NAME is the name you wish to give to this container. You may start several different instances.
- SSH_PORT is the port number the container will listen on for SSH connections. As the standard SSH port (22) is often already used, you may want to use another port here.
- VNC_PORT is the port number the container will listen on for VNC connections.
Note: if you have docker-compose
, you can use (or tune) docker-compose up -d
to launch the container.
For other options in docker run
, please go to docker's documentation. For example, you may want to mount a given directory of your network and make it accessible to the container using -v
option.
Typically, I run (but you may have to modify to suit your own needs):
$ docker run -d --name androidre -p 5022:22 -p 5900:5900 cryptax/android-re
Do not forget to add --privileged
if you are using the x86 emulator.
Once a container is running, it's basically like a virtual Linux host. You need to connect to it. You are expected to log in using either ssh or vncviewer. The default root password is rootpass.
Use -X
to forward X window.
$ ssh -X -p SSH_PORT root@127.0.0.1
where SSH_PORT is the SSH port the container listens on. In my docker run personal example, it's 5022.
Note that X forwarding is known to have issues on Macs.
Please use vncviewer
$ vncviewer HOST::VNC_PORT
where:
- HOST is the IP address of the host running the container. Example: 127.0.0.1
- VNC_PORT is the VNC port the container forwards. In my docker run example, it's 5900.
Android reverse engineering tools are installed in /opt.
3 different emulators are installed by default in the container. Quick aliases are available in the ~/.bashrc
to run them.
Android version | API version | Bashrc alias |
---|---|---|
Android 9.0 for x86_64 | 28 | emulator9 |
Android 7.1.1 (Nougat) | 25 | emulator7 |
Android 6.0 (Marshmallow) | 23 | no alias |
Android 5.1 (Lollipop) | 22 | emulator |
So, for example, to run the Android 7.1.1 emulator, do:
$ emulator7 &
which equivalent to:
$ /opt/android-sdk-linux/tools/emulator -avd Android711 -no-audio -no-boot-anim &
In doubt, list AVDs using /opt/android-sdk-linux/tools/bin/avdmanager list avd
The "normal" Android emulators emulate ARM architecture. If your host uses Intel x86 and supports hardware virtualization instructions, you can use the Android emulator for x86, which will be much faster. The Dockerfile installs the necessary packages, yet, for this option to work, you must:
- Have an Intel x86-64 processor on your host which supports virtualization (e.g Intel VT)
- Launch the container with the
--privileged
option.
Please change the default password in the Dockerfile
for your own setup.
Any other customization consists in modifying the Dockerfile
and re-building your own image. Enjoy!
You are welcome to post issues or suggestions.
Using frida
Only the part on the Linux host is installed. You need to push the frida server to the Android emulator.
$ adb push /opt/frida-server /data/local/tmp
$ adb shell "chmod 755 /data/local/tmp/frida-server"
$ adb shell
1|root@generic:/data/local/tmp # ./frida-server
This docker image has been used in several workshops (Hack.lu, Insomnihack, Nuit du Hack, GreHack).
Workshop samples are provided to participants by other means. This image does not provide any Android sample.
sha256: 7bab7e589d363af35f590ced9483c8f7ae808a42dc6d53944310818fd89a4b09