Retrieving an APK from a device

Once an app is installed on the device, we can pull the APK back to our local computer for static analysis:

  1. Open the App
  2. Open ADB on the local computer and search for the app process
    1. adb shell ps | grep -i {App name}
  3. Find the app location
    1. adb shell pm list packages -f {App name}
  4. Copy the location and run ADB pull
    1. adb pull {Path}
  5. Extract the contents of the APK with unzip
    1. unzip base.apk -d {App name}

Example:

iot@mob ~/D/> adb shell ps | grep -i NHS
u0_a12    3134  287   1405320 235084    ep_poll f4249bb9 S com.nhs.online.nhsonline

iot@mob ~/D/> adb shell pm list packages -f nhs
package:/data/app/com.nhs.online.nhsonline-1/base.apk=com.nhs.online.nhsonline

iot@mob ~/D/> adb pull /data/app/com.nhs.online.nhsonline-1/base.apk
/data/app/com.nhs.online.nhsonline-1/base.apk: 1 file pulled. 56.1 MB/s (58853640 bytes in 1.001s)

iot@attifyos ~/D/attify_training> unzip base.apk -d NHS
Archive:  base.apk
  inflating: NHS/AndroidManifest.xml  
  inflating: NHS/META-INF/android.support.design_material.version  
  inflating: NHS/META-INF/androidx.activity_activity.version  
  inflating: NHS/META-INF/androidx.appcompat_appcompat-resources.version  
  inflating: NHS/META-INF/androidx.appcompat_appcompat.version  
  inflating: NHS/META-INF/androidx.arch.core_core-runtime.version  
  inflating: NHS/META-INF/androidx.asynclayoutinflater_asynclayoutinflater.version  
  inflating: NHS/META-INF/androidx.browser_browser.version  
[SNIP]
  inflating: NHS/res/xml/backup_rules.xml  
  inflating: NHS/res/xml/network_security_config.xml  
  inflating: NHS/res/xml/nfc_tech_filter.xml  
  inflating: NHS/res/xml/provider_paths.xml  
 extracting: NHS/resources.arsc      
  inflating: NHS/META-INF/GOOGPLAY.SF  
  inflating: NHS/META-INF/GOOGPLAY.RSA  
  inflating: NHS/META-INF/MANIFEST.MF  

iot@mob ~/D/> ls NHS/
AndroidManifest.xml                 firebase-measurement-connector-impl.properties  play-services-ads-identifier.properties
androidsupportmultidexversion.txt   firebase-measurement-connector.properties       play-services-basement.properties
assets/                             firebase-messaging.properties                   play-services-base.properties
classes.dex                         google/                                         play-services-location.properties
firebase-analytics-impl.properties  jj2000/                                         play-services-measurement-base.properties
firebase-analytics.properties       kotlin/                                         play-services-places-placereport.properties
firebase-common.properties          lib/                                            play-services-stats.properties
firebase-core.properties            META-INF/                                       play-services-tasks.properties
firebase-iid-interop.properties     okhttp3/                                        res/
firebase-iid.properties             org/                                            resources.arsc
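
The lookup in step 3 can be scripted. This is an added example, not part of the original page: it parses `pm list packages -f` lines of the form `package:{Path}={package name}` and prints the matching `adb pull` command. On newer Android releases the install path can itself contain `=` characters, so the split is done on the last `=`. The function names and the second sample line are constructed for illustration.

```shell
#!/bin/sh
# Added example: turn `pm list packages -f` output into `adb pull` commands.

# Sample input. Line 1 is the output shown above; line 2 is a constructed
# line in the randomized-directory layout used by newer Android releases.
SAMPLE_OUTPUT='package:/data/app/com.nhs.online.nhsonline-1/base.apk=com.nhs.online.nhsonline
package:/data/app/~~AAAAconstructedAAAA==/com.example.demo-BBBBconstructedBBBB==/base.apk=com.example.demo'

# apk_path LINE: print the on-device APK path.
apk_path() {
    line=${1#package:}            # drop the "package:" prefix
    printf '%s\n' "${line%=*}"    # drop only the final "=<package name>"
}

# apk_package LINE: print the package name (text after the last "=").
apk_package() {
    printf '%s\n' "${1##*=}"
}

# pull_commands OUTPUT: print one quoted `adb pull` command per package line,
# saving each APK under its package name instead of the generic base.apk.
pull_commands() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case $line in
            package:*=*) ;;       # well-formed line, handle it below
            *) continue ;;        # skip blank lines and adb warnings
        esac
        printf "adb pull '%s' '%s.apk'\n" \
            "$(apk_path "$line")" "$(apk_package "$line")"
    done
}

pull_commands "$SAMPLE_OUTPUT"
```

Against a connected device, pass the live output instead: `pull_commands "$(adb shell pm list packages -f nhs)"`.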