LinuxCommandLibrary

androguard

Analyze and reverse engineer Android applications

TLDR

Display Android app manifest
$ androguard axml [path/to/app.apk]

Display app metadata (version and app ID)
$ androguard apkid [path/to/app.apk]

Decompile Java code from an app
$ androguard decompile [path/to/app.apk] --output [path/to/directory]

SYNOPSIS

androguard [GLOBAL_OPTIONS] SUBCOMMAND [SUBCOMMAND_OPTIONS] [ARGUMENTS]
androguard --version
androguard --help
androguard SUBCOMMAND --help

PARAMETERS

--help, -h
    Display help message for the main androguard command or a specific subcommand.

--version
    Show androguard's version information and exit.

DESCRIPTION

androguard is a comprehensive open-source Python framework designed for Android application analysis and reverse engineering. It provides a suite of tools to analyze various Android file formats, including APK (Android Package), DEX (Dalvik Executable), ODEX (Optimized Dalvik Executable), AXML (Android XML), and JAR (Java Archive) files.
Primarily used by security researchers, malware analysts, and developers, androguard offers capabilities for static analysis (disassembly, control flow graphs, call graphs, taint analysis) and can interact with Android devices for dynamic analysis. Its modular architecture allows for extensibility, making it a powerful platform for automated analysis, vulnerability detection, and understanding the behavior of Android applications, particularly in the context of security and malware.

CAVEATS

  • Performance: Can be resource-intensive, especially for large APKs or extensive analysis, requiring significant RAM and CPU.
  • Python Dependencies: Relies heavily on various Python libraries; ensuring all dependencies are correctly installed and compatible can sometimes be challenging.
  • Learning Curve: While powerful, its comprehensive nature means a steeper learning curve for new users, especially for advanced features or scripting.
  • Android Version Compatibility: Analysis results can sometimes vary or be less accurate with newer Android versions due to changes in Dalvik/ART runtime and bytecode.

SUBCOMMANDS OVERVIEW

androguard operates through a system of subcommands, each designed for a specific analytical task. To see options for a specific subcommand, use androguard <SUBCOMMAND> --help.

  • analyze: Performs static analysis on given files (APKs, DEXs). It provides detailed information on classes, methods, permissions, and more.
  • decompile: Converts DEX bytecode back into a more readable format, often Smali or a pseudo-Java representation.
  • apk: Offers utilities specifically for APK files, such as listing package information, permissions, or extracting components.
  • dex: Provides tools for detailed analysis and manipulation of DEX files.
  • smali: For working with Smali assembly code, which is the human-readable form of Dalvik bytecode.
  • scan: Searches files for specific patterns or known vulnerability signatures.
  • interactive: Launches an IPython shell pre-loaded with androguard analysis objects, enabling interactive exploration.
  • db: Manages a database for storing and querying analysis results.

CORE FUNCTIONALITY

androguard parses the internal structure of Android binaries, extracting information like AndroidManifest.xml, resources, bytecode, and certificate details. It builds control flow graphs (CFG) and call graphs, enabling deep understanding of application logic and potential execution paths. It also supports taint analysis for tracking data flow within an app.

EXTENSIBILITY

Being a Python library, androguard is highly extensible. Users can write custom scripts to automate analysis tasks, integrate with other tools, or implement novel analysis techniques tailored to specific research needs.
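The manifest, permission and certificate facts described under CORE FUNCTIONALITY are what such a custom script usually consumes. The script below is an added example, not androguard's own code or documentation: it runs a small triage over an androguard APK object, assuming the methods get_package(), get_androidversion_name(), get_permissions(), get_min_sdk_version(), get_effective_target_sdk_version() and is_signed_v1/v2/v3(), and using androguard.misc.AnalyzeAPK as the entry point; the permission watch-list and the SDK floor are this script's own assumptions.

```python
# Added example, not androguard's own code: triage the manifest facts androguard
# exposes on its APK object. Assumes the methods named below (get_package,
# get_permissions, get_min_sdk_version, is_signed_v1/v2/v3, ...); the watch-list
# and the SDK floor are this script's own choices, not androguard defaults.

# Permissions a reviewer usually wants justified before approving a build (constructed list).
WATCHLIST = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}
MIN_SDK_FLOOR = 23  # Android 6.0 introduced runtime permissions (floor is an assumption)


def to_int(value, default):
    """androguard hands back manifest attributes as str or None; normalise to int."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return default


def triage(apk):
    """Return manifest facts plus a list of findings for one androguard APK object."""
    perms = set(apk.get_permissions())
    min_sdk = to_int(apk.get_min_sdk_version(), 1)
    target_sdk = to_int(apk.get_effective_target_sdk_version(), 1)
    signed = {"v1": apk.is_signed_v1(), "v2": apk.is_signed_v2(), "v3": apk.is_signed_v3()}
    findings = [f"watch-list permission requested: {p}" for p in sorted(perms & WATCHLIST)]
    if min_sdk < MIN_SDK_FLOOR:
        findings.append(f"minSdkVersion {min_sdk} is below {MIN_SDK_FLOOR}: install-time permission model on old devices")
    if signed["v1"] and not (signed["v2"] or signed["v3"]):
        findings.append("signed with the JAR (v1) scheme only; v1 does not cover the whole archive")
    if not any(signed.values()):
        findings.append("no recognised APK signature")
    return {"package": apk.get_package(), "version": apk.get_androidversion_name(),
            "min_sdk": min_sdk, "target_sdk": target_sdk, "signed": signed, "findings": findings}


if __name__ == "__main__":
    import sys
    from androguard.misc import AnalyzeAPK  # androguard's entry point; returns (APK, [DEX], Analysis)
    apk, _, _ = AnalyzeAPK(sys.argv[1])
    for key, value in triage(apk).items():
        print(f"{key}: {value}")
```

Run it as `python triage.py path/to/app.apk` with androguard installed; triage() itself only needs the listed methods, so it can be exercised with a stand-in object in tests.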

HISTORY

androguard was initially developed by Anthony Desnos around 2011-2012, aiming to provide a robust framework for static analysis of Android applications. Over the years, it has evolved significantly with contributions from a vibrant open-source community. Its development has mirrored the growth of Android security research, incorporating features for analyzing new Android versions, bytecode changes, and increasingly sophisticated malware techniques. It has become a de facto standard tool in the Android reverse engineering and malware analysis community, frequently used in academic research, cybersecurity firms, and penetration testing. Its strength lies in its programmatic interface, allowing researchers to build custom analysis scripts and tools on top of the framework.

SEE ALSO

aapt(1), apktool(1), jadx(1), gdb(1), adb(1)
