Indicators Module

apkInspector.indicators.apk_tampering_check(apk_file, strict: bool)

Combines the tampering checks for the ZIP structure and for the AndroidManifest and returns the results together.

Parameters:
  • apk_file (BytesIO) – The APK file to check

  • strict (bool) – Whether to check all fields strictly. Suggested value: False

Returns:

Returns a combined dictionary with the results from the zip_tampering_indicators and manifest_tampering_indicators methods.

Return type:

dict

apkInspector.indicators.count_eocd(apk_file)

Counts how many times the end of central directory record is found in the APK.

Parameters:

apk_file (BytesIO) – The APK file, e.g. with open('test.apk', 'rb') as apk_file

Returns:

The count of how many times the end of central directory record was found

Return type:

int

apkInspector.indicators.local_and_central_header_discrepancies(dict1, dict2, strict: bool)

Checks for discrepancies between the local file header values and the central directory values.

Parameters:
  • dict1 (dict) – the central directory dictionary

  • dict2 (dict) – the local headers dictionary

  • strict (bool) – Whether to check the headers strictly

Returns:

Returns a list with the common keys between the dictionaries that have different values.

Return type:

list

apkInspector.indicators.manifest_tampering_indicators(manifest)

Checks for indicators of tampering in the AndroidManifest.xml.

Parameters:

manifest (BytesIO) – The AndroidManifest file to check

Returns:

Returns a dictionary with the indicators of tampering for the AndroidManifest

Return type:

dict

apkInspector.indicators.process_elements_indicators(file)

Starts processing the remaining chunks after the resource map chunk. It also returns whether dummy data were found between the elements, so it can be reported that the APK employed this evasion technique. The difference from the process_elements method in the axml module is that this method does not rely on the total size of the element as stated in its header, but tries to parse the contents regardless. This means it will detect any dummy data injected after the actual data.

Parameters:

file (BytesIO) – the axml that will be processed

Returns:

Returns all the elements found as their corresponding classes and whether dummy data were found in between.

Return type:

set(list, set(bool, bool))

apkInspector.indicators.zip_tampering_indicators(apk_file, strict: bool)

Checks for indicators of tampering in the ZIP structure of the APK. Such tampering of the ZIP structure serves as a method of evasion against static analysis tools.

Parameters:
  • apk_file (BytesIO) – The APK file, e.g. with open('test.apk', 'rb') as apk_file

  • strict (bool) – Whether to check strictly or not. Using the application set that was also used for the tests here https://github.com/erev0s/apkInspector/tree/main/tests/top_apps, we tested what kind of indicators would be returned. It turns out that in some cases the local header and the central directory entry for the same file do not have the same values for some keys. Strict checking was therefore added as an option, so that these rare but possible cases can be excluded.

Returns:

Returns a dictionary with the detected indicators.

Return type:

dict
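As an added illustration of the two ZIP-structure checks described on this page (count_eocd and local_and_central_header_discrepancies, including the strict/non-strict distinction explained above), the following is a simplified stand-alone re-implementation, not apkInspector's own code. Which header fields are skipped in non-strict mode is an assumption made here for the example; it builds its own constructed sample archive with a tampered local header so it runs offline.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end of central directory signature
LOCAL_SIG = b"PK\x03\x04"  # local file header signature
# Zero in the local header when the entry uses a data descriptor (flag bit 3).
DESCRIPTOR_FIELDS = ("crc32", "compressed_size", "uncompressed_size")

def count_eocd(data: bytes) -> int:
    """Count EOCD signatures anywhere in the archive; a clean ZIP has exactly one."""
    return data.count(EOCD_SIG)

def local_header_fields(data: bytes, offset: int) -> dict:
    """Parse the 30-byte fixed part of the local file header at `offset`."""
    sig, _v, flags, method, _t, _d, crc, csize, usize, _n, _x = struct.unpack_from(
        "<4sHHHHHIIIHH", data, offset)
    if sig != LOCAL_SIG:
        raise ValueError(f"no local file header at offset {offset}")
    return {"compression": method, "flags": flags, "crc32": crc,
            "compressed_size": csize, "uncompressed_size": usize}

def header_discrepancies(data: bytes, strict: bool) -> dict:
    """Map entry name -> fields whose central directory and local header values differ."""
    checked = ("compression", "flags") + (DESCRIPTOR_FIELDS if strict else ())  # assumed policy
    result = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():  # these values come from the central directory
            central = {"compression": info.compress_type, "flags": info.flag_bits,
                       "crc32": info.CRC, "compressed_size": info.compress_size,
                       "uncompressed_size": info.file_size}
            local = local_header_fields(data, info.header_offset)
            diff = [k for k in checked if central[k] != local[k]]
            if diff:
                result[info.filename] = diff
    return result

def build_sample_apk() -> bytes:
    """Constructed sample: a tiny APK-like ZIP whose classes.dex entry is tampered."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        # Stored payload that embeds an EOCD signature: the file now contains two.
        zf.writestr("classes.dex", b"dex\n035\x00" + EOCD_SIG + b"\x00" * 8)
        off = zf.getinfo("classes.dex").header_offset
    data = bytearray(buf.getvalue())
    # Rewrite only the local header: compression method (+8), uncompressed size (+22).
    struct.pack_into("<H", data, off + 8, zipfile.ZIP_DEFLATED)
    struct.pack_into("<I", data, off + 22, 0xFFFF)
    return bytes(data)
```

On the constructed sample, count_eocd reports 2 and non-strict mode flags only the compression mismatch, while strict mode also reports the size mismatch.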