Project 1 - Android Reversing
This assignment is focused on the analysis of a specific Android application, named UAMobile, which is publicly available in the Google App store. UAMobile is the mobile application of the University of Aveiro aimed at teachers and students, and is one more step in bringing the University of Aveiro closer to its academic community. In this application you can access, in an integrated way and in real time, the contents available in PACO, in the e-Learning platform and in the UA Portal, the canteen menus, the number of free spaces in the parking lots, the status of the queue tickets at the counters of the academic management services, and the location of rooms in the UA buildings. UAMobile was built over a set of educational tools existing in the Moofwd platform and resulted from a protocol signed between the University of Aveiro and Universia.
The specific objective of this assignment is the production of a report with the following content:
- characterization of the technologies used, as well as their versions, update status
- characterization of the main logic blocks and processes of the application, with focus on the ones responsible for data persistence, communication and authentication
- characterization of the APIs, communication methods, and message structure
- identification of potential issues and known vulnerabilities
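The first two objectives start from the application's manifest: after APKTool decodes the APK, the decoded AndroidManifest.xml states the package, version, SDK levels, requested permissions and which components are reachable from outside the app. The script below is an added example written for this assignment (it is not part of the assignment text, of UAMobile, or of any of the listed tools); it parses such a manifest and produces the kind of inventory the report should contain. The embedded manifest is a constructed sample, not the real application's, and the package and component names in it are invented.

```python
"""Inventory a decoded AndroidManifest.xml (the file APKTool writes when it
decodes an APK) for the technology/version and exposed-surface sections of
the report.  Added example; the manifest below is constructed, not UAMobile's."""
import xml.etree.ElementTree as ET

# Namespace used for every android:... attribute in a manifest
ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest (hypothetical package and component names).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.campusapp" android:versionCode="42" android:versionName="3.1.0">
    <uses-sdk android:minSdkVersion="19" android:targetSdkVersion="27"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="CampusApp" android:debuggable="true"
        android:usesCleartextTraffic="true">
        <activity android:name=".MainActivity" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <service android:name=".SyncService" android:exported="true"/>
        <receiver android:name=".BootReceiver"/>
        <provider android:name=".DataProvider"
            android:authorities="com.example.campusapp.data" android:exported="false"/>
    </application>
</manifest>
"""


def _attr(elem, name, default=None):
    """Read an android:-namespaced attribute from an element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}", default)


def inventory_manifest(xml_text: str) -> dict:
    """Return package/version data, permissions, exported components and
    manifest-level findings worth a line in the report."""
    root = ET.fromstring(xml_text)
    uses_sdk = root.find("uses-sdk")
    app = root.find("application")
    info = {
        "package": root.get("package"),
        "version_name": _attr(root, "versionName"),
        "version_code": _attr(root, "versionCode"),
        "min_sdk": int(_attr(uses_sdk, "minSdkVersion", "1")) if uses_sdk is not None else None,
        "target_sdk": int(_attr(uses_sdk, "targetSdkVersion", "1")) if uses_sdk is not None else None,
        "permissions": [_attr(p, "name") for p in root.findall("uses-permission")],
        "exported_components": [],
        "findings": [],
    }
    if app is not None:
        # Debug builds expose the process to a debugger; cleartext traffic
        # allows plain-HTTP communication, both relevant to the report.
        if _attr(app, "debuggable") == "true":
            info["findings"].append("application is debuggable")
        if _attr(app, "usesCleartextTraffic") == "true":
            info["findings"].append("cleartext (HTTP) traffic allowed")
        for tag in COMPONENT_TAGS:
            for comp in app.findall(tag):
                exported = _attr(comp, "exported")
                has_filter = comp.find("intent-filter") is not None
                # For targetSdkVersion below 31, a component with an
                # intent-filter and no explicit android:exported is exported.
                if exported == "true" or (exported is None and has_filter):
                    info["exported_components"].append((tag, _attr(comp, "name")))
    if info["target_sdk"] is not None and info["target_sdk"] < 31:
        info["findings"].append(
            "targetSdkVersion below 31: exported defaults apply to intent-filter components")
    return info


if __name__ == "__main__":
    # Replace SAMPLE_MANIFEST with open("AndroidManifest.xml").read() on a
    # real APKTool output directory.
    for key, value in inventory_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

The decoded manifest only covers the declared surface; library versions (the third-party SDKs bundled in the APK) still have to be read from the decompiled classes produced by Dex2Jar and JD-GUI, and runtime behaviour such as the actual endpoints contacted is what Frida and OWASP ZAP are for.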
The output should be composed of a report and a series of files, code snippets and related documentation supporting the report. If the students allow it, the reports will be sent to the university staff. We hope that, with your knowledge, we can validate the application and find issues that require attention.
In the end, someone reading the report should have information about the overall structure of the application, how the main processes are implemented, and which potential vulnerabilities or issues are present.
The use of automated tools to scan the application is accepted. However, grading will mostly consider your own work and your analysis, not the raw tool results.
This project is expected to be authored by the students enrolled in the course. The use of existing code snippets, applications, or any other external functional element without proper acknowledgement is strictly forbidden. If any content lacking proper acknowledgment is found in other sources, the current rules regarding plagiarism will be followed.
References and tools
- Frida: https://frida.re/
- APKTool: https://ibotpeaches.github.io/Apktool/
- Android Studio: https://developer.android.com/studio
- Dex2Jar: https://github.com/pxb1988/dex2jar
- JD-Gui: https://github.com/java-decompiler/jd-gui
- OWASP ZAP: https://www.zaproxy.org/