
Extracting pre-built native library of another Android App for embedding and method invoking inside our custom Android App

While reverse engineering an Android app we might find native libraries. Sometimes we need to invoke the methods of those libraries to analyse their behavior, but we cannot call those methods with just the library file. We need to build our own custom Android app, embed the library in it, and then call the function with our custom input.

Extracting native libraries from APK

  1. Decompile the app with apktool:

     apktool d <nameofapk.apk>

  2. A <nameofapk> folder will be created with a lib directory inside it. It contains the native libraries, in folders named after their respective architectures.

    image.png

Embedding native libraries to custom apk

If we have the native libraries in the following directory structure, we can embed them in our custom app. The code base for all these libraries is the same, but compiled for different architectures.

native libraries

Open the project in which you want to embed the native code library. Initially, your project directory might look similar to the one below.

image.png

The following is based on https://developer.android.com/studio/projects/gradle-external-native-builds#jniLibs

Create a jniLibs directory inside app/src/main/ and place your native libraries in it in the following format:

image.png

That’s all for embedding.

Invoking Methods in custom app

Methods can be invoked if and only if we know the package, class and method names.

image.png

In the example above, we get Java_io_hextree_weatherusa_InternetUtil_getKey as the function name. The naming convention for native library function names is:

Java_<package_name>_<class_name>_<method_name>

Here InternetUtil is the class name, getKey is the method name and io_hextree_weatherusa is the package name (io.hextree.weatherusa with the dots replaced by underscores).
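
The convention above as a small helper script (an added example, not part of the original post). It recovers package, class and method from an exported symbol, and goes beyond the post's simple case by also handling the escape sequences of the JNI specification (_1, _2, _3, _0xxxx) and the "__" suffix used for overloaded methods. The second symbol in the demo is constructed for illustration.

```python
import re

# Mangled-name tokens per the JNI spec: escapes are tried before the bare "_" separator.
_TOKEN = re.compile(r"_0[0-9a-fA-F]{4}|_[123]|_|[^_]+")
_ESCAPES = {"_1": "_", "_2": ";", "_3": "["}


def _decode(tok):
    """Turn one token back into the characters it stands for."""
    if tok in _ESCAPES:
        return _ESCAPES[tok]
    if tok.startswith("_0"):              # _0xxxx is a Unicode character, e.g. _00024 is "$"
        return chr(int(tok[2:], 16))
    return tok


def parse_jni_symbol(symbol):
    """Split an exported JNI symbol into package, class, method and argument signature."""
    if not symbol.startswith("Java_"):
        raise ValueError("not a JNI export: %r" % symbol)
    parts, sig = [""], None
    for tok in _TOKEN.findall(symbol[len("Java_"):]):
        if sig is not None:               # inside the argument signature, "_" stands for "/"
            sig += "/" if tok == "_" else _decode(tok)
        elif tok != "_":
            parts[-1] += _decode(tok)
        elif parts[-1]:                   # single "_" separates name components
            parts.append("")
        else:                             # "__" introduces an overload's argument signature
            parts.pop()
            sig = ""
    if len(parts) < 2 or not all(parts):
        raise ValueError("cannot split class and method: %r" % symbol)
    return {"package": ".".join(parts[:-2]), "class": parts[-2],
            "method": parts[-1], "signature": sig}


if __name__ == "__main__":
    # Symbol from the post, plus one constructed symbol that exercises the escapes.
    for s in ("Java_io_hextree_weatherusa_InternetUtil_getKey",
              "Java_com_example_my_1app_Outer_00024Inner_sign___3BLjava_lang_String_2"):
        print(s, "->", parse_jni_symbol(s))
```

The symbol alone does not reveal the return type or whether the method is static, so those still have to come from the decompiled Java code.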

Now, in our custom app we need to create a Java file with the same name as the class, declare the same package, and declare the native method.

image.png

Now we can add another method that loads the library at runtime and calls the native function.

package io.hextree.weatherusa;

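public class InternetUtil {
    // Must match the exported symbol Java_io_hextree_weatherusa_InternetUtil_getKey.
    private static native String getKey(String str);

    public static String solve() {
        // Loads libnative-lib.so from the jniLibs folder for the device's architecture.
        System.loadLibrary("native-lib");
        return getKey("moiba1cybar8smart4sheriff4securi");
    }
}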

Now if we call the solve method anywhere within our app, it will execute the getKey function from the native library.

Example: we call it in our main activity like below

package com.example.simplebutton;

import android.os.Bundle;
import android.view.View;
import android.widget.Button;
import android.widget.TextView;

import androidx.appcompat.app.AppCompatActivity;

import io.hextree.weatherusa.InternetUtil;

public class MainActivity extends AppCompatActivity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);

        TextView textView = findViewById(R.id.textView);

        Button homeButton = findViewById(R.id.mainButton);

        homeButton.setOnClickListener(new View.OnClickListener() {
            @Override
            public void onClick(View v) {
                // Show the value returned by the native getKey function.
                textView.setText("Number of clicks are: " + InternetUtil.solve());
            }
        });
    }
}

This way we successfully extracted a pre-built native library from another Android app, embedded it, and invoked its method inside our custom Android app.

This post is licensed under CC BY 4.0 by the author.