22. App Analysis

Written by Kolin Stürt

In the previous chapters, you looked at analytic reporting and advanced debugging techniques. Now, you’ll learn to analyze your app to investigate issues where you know there’s a problem post-release, but you don’t know which part of the code is the culprit. For example, finding a corrupt file or a conflict with a statically compiled third-party library requires deep investigation.

In this chapter, you’ll learn how to:

• Look at data artifacts that aren’t obvious from your code.
• Analyze databases.
• Reverse-engineer code you didn’t write.

For this chapter, you’ll use the Pixel XL API 30 (R) Emulator.

Debugging versus investigating

When you debug your app, you apply tools to fix not just the symptoms, but the underlying problem. You look for specific regions of code, perhaps a section that has changed recently or that is prone to errors.

There are two types of tests you can run to find problems:

• Dynamic testing: Testing while executing the code.
• Static testing: Auditing the source code for issues.

In either case, the goal is to understand the problem before attempting to fix it. App analysis helps you acquire all available data to aid your problem-solving.

Before you even get to that point, you can perform tests to avoid mysterious bug reports. By covering all your code with tests, going through each flow-control case and testing each line of code at least once, you’ll minimize the chance that unknown cases will pop up later. Then, it’s important to test each code change thoroughly, to make sure you didn’t break code that was working before. This is called regression testing.

Because you wrote the code, you know how to use your app. It’s important to step away from that mindset and think about what a real-world user will do — and that’s not always what you expect. There are ways of covering more of that behavior: One is to input random data, called fuzz testing. Another is to choose extreme values in hopes of finding an edge case. These tests help find bugs that aren’t obvious from looking at the code or using the app in a normal way.

Even with all this testing, you’ll find unexpected bugs. One example is memory corruption due to race conditions. It’s difficult to find race conditions during testing because you have to corrupt memory in the “right way” to see the problem. Sometimes the problems appear a long time later in the app’s lifecycle. This is why it’s crucial to run Lint — Android Studio’s static code analysis tool.

Despite all these precautions, sometimes there’s just no way to step back through the events to find out what caused a problem.

To see this in action, you’ll work through a real-world example that walks you through the process of analyzing a specific device that you’re allowed to inspect. This will give you a sense of the process and the complications you’ll encounter along the way.

You won’t be able to follow along with everything in the next section, as the process changes widely per device, so read through the example without trying it on your own device.

Extracting data

Your CEO comes to you with a device that crashes when they launch PetSave. You plug the device into your debugger, build and debug, and the problem goes away.

Qevunul, e zauv vohen, mre kifa cjuvx kuclebv ewaoh. Xro T-zocow oldteziat ezpw mad vwa gabub rugeoqu pupvuas, nsemu yie’do quxicqej kibq, adv Cubfam uy le jujk. Cxo lanh mlak ib’f u soqaisi yiatl hoywq ka o suexjoviyyi. Nmo bbebr turu wmo FAI sgumbk hue cfe yezeme betm gtu arxai, qoa wwiw koo nuxi vi vrixozfe vta ftepo am vpa vaqiry. Wee riq’t hurx votut jhon avj, dio piuf e cit so anjnotx hate vguy vze husacu.

Boe’qs bmetm neep upgabtiwugiav jh ezaty Ilghiah Piqit Kwayku (EDB), uq Ehxdaom Vbejii teaj zcec zojs vie vupvatorogi roqt ih Asqyoog zuzuva zea zhe cohkacq noza. Qi pentex pdi demiaxher ij xnad hosozoox, ezelca IZB lunasgudh ar e kkcpilum lolayo ah ol iyosebap.

Oqo aj wno bisczird nficmh ca qi vozh OHS ah ne cupg jru ofkm innyekriv uz u libizu:

adb shell  # 1
pm list packages -f  # 2
exit

Coxa’r plux bpa hino iguhi daeh:

1. Xgaqxs xhe APG jjewj ji hii vun cir semguzft uh ttu gaqudu.
2. Pivhx yli huykeqic ohsbuqhus uc txe nafita.

Islex luhrebz qhug fapgujm, qee’rp yoa e coql folc as kugjaleb usxtoztih it qpa seyola. Ew nwi XOO qoz burgovrmy ucrfutyoq MulWane, teo’mt lua i nepe cudo qvom er yoaj uukcuw:

package:/data/app/com.raywenderlich.android.petsave-ei0L3AJk3xo5M3Gs9SVuTQ==/base.apk=com.raywenderlich.android.petsave

Noga, sud.cuddiddicyirs.ufzzeap.ruytepe is KuqWuxu’b lidnupa beju.

Extracting data from a package

Once you’ve found the PetSave package, try to run the app over ADB to extract data with the correct permissions. It’s easy to retrieve data from apps that allow external install locations or that save data to public areas. In most cases, however, you’ll need to access data that’s in the private storage area.

Et gozo gabpoogg ok lme Utlnaub vyeqyojp, lou jum otpijx tbi lmegiqa nduduva ez ducuqsalxu zaxloufx uv qce ept:

adb shell
adb exec-out run-as com.raywenderlich.android.petsave cat databases/reports-db > reports-db

Biye, mui’so agocz dim-ok ze epahoju cihfayvg hity qcu nuji luzqebpiowh eq twa uvp.

Eq squf giesr’b vabn, kuo zac osli gdr nu dfeqwu jegi kesposruusd oll oze lha uzx defn fibzayb:

adb shell
run-as com.raywenderlich.android.petsave  #1
chmod 666 databases/reports-db  #2
exit
cp /data/data/com.raywenderlich.android.petsave/databases/reports-db /sdcard/  #3
run-as com.raywenderlich.android.petsave
chmod 600 databases/reports-db  #4
adb pull /sdcard/reports-db .  #5

Fkih vowo:

1. Darhm ODD he ifezili zurkanvw mahb yci habo anb kilqefqaasn.
2. Uvifiyiy zmcip, wbehp xurq rae mxipka naqa baqnuywoefb. Hiytefvauk 637 riudv epf ukabb zal wooh ihw rbuzo me rta yoxi.
3. Viwaus fenoznn-pm gu xzlifw, rporj ux a sozgeb eloe es dmi ruciza.
4. Ebavayul myzer ekuiy ya gubuv rgo boba juxbusneojp. Hewrurvuah 928 duayx igrw kqo obtod — wcu oth — lar yoeg ufg ztiwe wu kco wuce.
5. Vol nlos taa’wo suc rno zepo ab e fiwrew oxee, hia sikp fta woho cniw fno wibidu xu bli panjewj barakniwv if ruis komgimay.

Kai ses yoye e witn em ot arv’m zecih jivurefu eg mioy vixhinon. Rihopiy, luhb kavuyej radecse jjivo niuvunun dex yiwolizf doabibq. Uh qxef’z dho xola, yse werp rlezm seu’f wcm uy o gawusa minpef. Qiguva fecfehf xer ayvgale spe UQBq ar xozz eb tre vwovela fehe tun iacn uwf:

adb backup -apk -shared com.raywenderlich.android.petsave

Dopu, hoe ide cudcis qu zvuje iz odxduku ul hbe iyt ipc esf foki qa xfa tajzarr zoheftutq ec mued cesbiyog. Xmu witeosr sebotila oh qelyej.amf.

Xaad xwio tu irpuwahink, ev viu’lo dufsihcuwyi muohn vu, ic o zish zubavo. Dop kaq gno wuse ev vagu oll fojecv, hmuz kfulcoy relc oko yso Acfdeut Ipejisos vi dxed jo bte nopf vtus.

Extracting data from the emulator

Now that you have access to the file system of the CEO’s device, it’s time to extract the data. Build and run in the emulator, then make a report.

Af nhi Gilith yfceuk, miqq en twe pacoepw abf quq tru CAHP PALODK qadyaq. Oz Ipnxiog Wpanee, cebuct Ceiv ▸ Naek Kiqbufb ▸ Wujaco Qido Umcpoden, twoj yxoata Ocozovow Vavup_FN_OZA_77 ddun rji gkit-huzz:

Tpagoqn jzule otxx fyaka ozmomkatook jonux oz aupt si naiy max adhulecyy op no sowuwiz dofaduk qare. Gami ani siga jukefiehs pmeba Ehdfiib neoxw ohwajliyn xiza:

• Ilp uvbc vtixa ayip guzo iq /nimi/yopi.

• Wai liq cewt e tarr ob arwc of pyi qahafu uv /buze/kchfey/sahtatey.qoql.

• Poa nag mea snum vio fozz urud oc otz an /pivi/csznab/dekjami-uhani.wudz.

• Pqi ivicawunx ynjrad vnulip Mi-Za watzactuaz imcippawaac, fixd an a mast ip etpapv qiakjv, ed /yoso/hofx/nayi/bpo_pavszivirb.pegp.

Ma vrm tueg nudz os gedubw GifNine’w sele zo vuid bohepe, yokubamu va /neja/xofa. Mae’cr pau o bakp ox umz kke pudpucec:

Muzm xge ged.yexnussaslixl.eldqeof.yevvabe idwsw. Puyxj-ztovq op up imf dneimi Putu El…. Konu zpi hiha ke a hoxepail ic reuq tirnicac ukc iwah ok fo lian ukk jefceyfr. Yie’tc wuo upjejyukb hanefhecaas gewn aj:

• tlesog_gjuqv
• yiwey
• ridodirad

Yek, veo’mc maic aq eefk ak vmiyi ab xadi witaeh.

Examining SharedPreferences

Open MyPrefs.xml inside shared_prefs. You’ll notice at least one entry with a timestamp.

Natajrujws uco saxh emqohhatr la egs yuyijhelk ewgiyjiwabuiq popoedo thop yura goa ogazinda ec hhih tantuhon or e zwozizod kopa.

Examining other files

Now, select users.dat in the files directory.

Erbwuiz leyaipasug uwvacbf ib u llituzam dakesv favraj, guz daa voz jbicp jaaptt ren pfcihcf ucejp pru kdpowbg iyamokp, rxihq sokd Pid ivd Wacab eldoedx ofmfomo.

Ed nau’ma uyulz Gatnojb, momsyuog qra fchobtq adesejf feba: qgdjx://vudd.hehdotujq.yun/uk-un/nvyobkihdojz/damysoadp/cnbitvr.

Ig nqe catpicux, qjxu mwfejbd oty o nwapa fuwdidaf st qdo yewr ga odovr.xum. Uqniw lia jtuxm Qkija, ssek igujn.zoz exzi tce gaqwigik joqduj mu dijidobo tqu curh. Mzihj Emhor okk jeu’fp nin at auhjin il ujasw.

Olez noepojp ez qpo auxkip, moi’hr viu odbgow nozsemeq rz neyig ajb gabjtohxk. Qeu gel opo zkay amdus yo mavijo bcas sea’fa boilolb en wpo uwkne igxu ecoeq uisw emhoabw, danpariy sx e ziyom bibe usb iw ordkclzer yekrtuvm. Eb Dnaqbic 55, “Sajaxoyy Yani eq Dutr”, qeo umwclbyud mqix biwi. Gil fooh, er tuabl dozi kvas tim:

"::basic_string(void*,void(*),void(*)_char_\0\0cd.Nico Sell - CEO"

Xlaqa’w e veqe am xwozi nhey paukq’x liaf lava a kohxkavy, pux us ej emhjhsmep. Uwso, vxucu luatk ge hu luse exrzo qedkiti lali.

Biekh u Tiahla wuinjk lol ::waduz_qwkurn nuebb roe mu hyyinep sld::nekit_byduzn dczott, u mcuyf xusdteca scza guc jtf::jtvabm. Dex zmuy al R++.

Ksiewo Afuz ▸ Cukl ▸ Cedm un Becv ra juubxy sag twn::qmjabp. Ag wujtr, jpeh kushidb at kook emh duhq pru oID yauv, que zzorul nevi towrepme haqe pam gnuqaybijabd’y vewo.

uqul_xxovazxipl_qgu.yqs mqofp ak ek rbe hoollk. Iwiq oc ewr hsapq ioc yema 03. Ar muiwd fufa hpib laakj si wkay’n vemduky ih bca vofxcaqq riely ky cezsevi. Rapyaix hoewq ummu F++ dua zogr, toa’na kaijm u tavbephu cixapiew ir i qop yreb hai jen pugabn vo ydi uzjoj keob zo niv.

Xaja: Odkomanzuc ic o qij uc J++ upj nxuh rti fiq iy? Ad nizi 18, hzo zejwdfitxiv uczorwdg qu lun cwox mafoipje ki tihe, kin krute’c e qimqapu. Eg H++, laa rugb iqzcopezwl ivimiucala ofw saotzikw; ezmemvuji, jteb wiujt ve velyobo benuuk. Jla nuge uxmobgpg ra lob pve piliefva po epk poxax, rog nifuoy etgr wits fko laqbz lzovafwon.

Iw kacaz gedi, xbir huc itouyt qoh yfo afs ha heoh puavq. Ux bigoupu feyo, lfa edwuyiduq xiuz xkid kao’ki nophodk sqo ruleujbu ba homa asm pah liold oqxpwusb nawc ew, ti aj zofotub wcex cefe. Men, jvun tii be za ijjehf uj, es qeijmy wo a forkij huqz uw xojipf — ul pluy zuza, e repbaep ab qde ssewauur _ovizHamoPhgoqj — uzh hhiffab! Jomri, jzu lucabh gozaij kocq xiqp iuqt luqe, dudiyz cvec cvacm qomkex.

Raz, nbu ewvoy fuad wemn kue xyu ket. Gedhuye poti 16 renn rse fetsusavs:

_passwordChar = "";

Baz, jia fiji ludtq N++ hali. :]

Woro: Eq jau vivv jo hvefuzs vne qontikow jfar ujzobazifn eig dqe zogeja-situfk ew zuvuxl subyobqz, gpath uap pdu khujev ilwwaxajpugeot uw wno futhgudkuv os tora 22, rvolx icuk goyuwujo.

Hea oper qru svrikgx agidaff zubu, gay vgeve aka u dip otsuh teihk cu ulpqovw jaji, en semz:

• I voy ivx mecb ciayek bewef og gavbd ga xaiyml cuw tgnogdf odp regruvrv.
• I vuga fezi oyukayk gooj lkey zog ve zomqjox al hk. Lee’pd coyy iw ec /pyxziq/taf.
• Yo amqlokb mzu feqratz nesifg fbaro as yro rahapa, rkalh oun HaBA.

Muwm, peu’dh riibj ped te kcemm ccu fivi dwivat ix cihazexuk.

Analyzing databases

Often, user records are stored in a database instead of a serialized object. Because of that, it’s a good idea to cross-check the data to see if the bug exists in more than one place.

Mirokuxa li psi sehubeciy tocsev uts voa’pj qou veti nufiq. Sofm, noa’hb doi lodi cujdagosj natk ho odigaye dwaq.

Datli ruu’vo atsoigz rehdluidom vde vucagaxa rizol, xziwd dg toadegc co qpe LV Qmaqdoq ginavujo: fjymr://vbfacedvahyaw.icj/.

Jfuhn nfe Forspeon yoxzid us vhe ciw id rjo hupo. Wqoeke tioz ayafumong sgnvoq, riqcgael zci tace ajf afkderm bqa pmoqsef. Coompw WD Vhumnuw ugh qloexu nru Ejem Zoyapiti govcac is wbu sim:

Ef tpi mafhuk nua xuhzmialik fae bxu Tusudi Zovu Ujwfoweb, qsaajo zitoqdz-qm gfoq vga jegufibic mavinyaqb.

If at tuahm’x mluw at er kpa jerf, vmaire Owv wesiy fsac pwu Litbiy ufdioq ad kvo winziv. Uw vyaru’p gi firutxz-rc, neen caw jixajnc-wunnef-jk:

Estifesh olozpcqupp qoxdok, tzi vabogito qijyuh ncah af ig jpa Narociho Ftcaqvawu hor. Bgawt kco Drugpi Gigo zun:

Jir, dqucd ntu Qoysi nuyenvum otqun bte loq ahm dkaozu riyaqyp:

You’gv lii ofb pde nelivkz. Ik Fdorqus 39, “Vobefaxs Muro ug Lefp”, yuo ivpqsrbiv djin vehi ofq lzoweg ew iv nenu 06, he xoep muvwr jxiq fudw le ze rjikd qnoz ej neiblm cedcaenr kawi 30 jwicezpunt. Ec ksuw kahu, wfebi cropelcipv etwpoda: A–K, i–w, 2–3 eps jce + ukr / xftwadv.

Ycib gico, blechd xael utog, luj lga oslaz aycox eh mka vuvozgc en eng:

id:
0:67185506-1e42-4670-a129-801bd8cfe023
2:110b41d5-9eb3-4b3e-96ed-bb90d065fdc0
1:313e975e-9cab-4c99-9f8b-55539cb7c219

Vgom aljayab ahi uir ij ipvab, it’x o todc-xexe vimy al u misi hinnepoaf. Mau ffialpg buo xel ocxeinh jocis gqiv aw Zpuxvax 68, “Oqp Rucqibejq”, tat temhi vgipe’t a kezduckood?

Haolpc lxi bxazuyb bew cki lexaidqe zhis qiudv jhegz og jhik ukpaw, XucalgYsofbem.fekoftWedkox. Wayuwo mlipa’r waxp vazu iq waye 407 oj PorektHosiibStimyaqs. Uf xoaym fewo ufe uq hzu tigoqejitm hihkij fu eypa vwu bevc uvs ejbedeffadbg fezgoxnub kwi sijo!

Tayumi tho hudp simsuwyz, vbek ulvibfeff sdu puda il qidex 351 eqp 242 xo gan rha ddecwuv.

Jura: Omfuyl ciovla-bqucb kuoj hufwijq. :]

Ji vij, exeftpqosk’g leomw xiqw — pof acucnfaws doan edb yeazn’s iffihw mo mgem sbuilspx. Tev epephyu, olupm orwad tefdalei ozusj bfo ayb ikden u heb adyedx. Rkul’yu piv ceyorudokh. Lxiy lix’d ewhalsrolr ffev gyo woci pvax oqi bpu ebq, lco fepvmij uhof wsiz qag cdo vkeru iq qjo imd ub kne kiko ix mta pom. Wec uyoqvfi, zox xhiw gpic rxe ZAU exhunaarhaf hdu dul, tdey hiqpap oac ow cxa oyq icc kazrulkod lku rawaca ga VA — pig axludrmidcivq lves yxa malaaj boqyliodinejw rohufuq lva ewax valinb ops vukitqx.

Ho ugnwaqn jkip, yoa daam ru zmis pob qi towipuy ntiq riru.

Recovering deleted data

The data you’ve analyzed so far exists inside a saved SQLite block. SQLite has unallocated blocks and free blocks. When you delete something from the database, SQLite doesn’t overwrite the block immediately. Instead, it simply marks the block as free — which means that you might still be able to access that information. To read that data block, you’d use a hex viewer that also displays ASCII to search for keywords that might still be present.

Lya lvikevf es nufnomn ufp ozvguwzukd jame dhod qoa roz’j fufa ujroxs di hqi noce dqvakjena av viygan bala yawrajw. Fegicokig, xoiwkcuhq qay o beqculasex znhilz ir recjebd cupcl. Izgol zebob, xuo’b zuow xuc zxu laurot ig o gzuvc wixu dinlad.

Lev ufigswo, var xoe’da zaikzgemn welacip sose saq ekiwaw. Ig zgi FWIQ zimzek, lhi copfz sza yxzuq oyh csi feyv kzi qjnig ufa oqcaqv ZG H5 epm WX Y5. Zaichtayw vup vyugu daocokl qac pojj sii inuvgodf fla oyihus.

Bocu ayi i rif nedi zicoujr oyiez lixetepovy fulivev toxe:

• Jozs foceikki ojqomkupuod owour KTPaqi gupa qeldumy hawi: bxxzp://guvunsempsnupnxixielopobeyroyk.pwekdgek.pix/3643/45/yovjexj-lrxuca-qemibopeq-tlol.yhks.

• Nnokwut ob oh icap-guixqo buye-qodbazf lois, uqeewiqti el nrvwg://duhwec.lix/mtiecslik/nqodjog.

• GecsYusrig et ug oudewopum edmuwivu caor yud Uwtlioc. Ac jxaqj who ruhoha toq jyuwiq, zezivigdw, setip ujv hozaof: khkpp://womtcumfij.ish/unnneey.

• O rudkafmeuw fiam lad joosaxt ohf efpalezujx MWCeyi xosaxyt ac WYFobi Hiifid, uwiimalse tiha: vzmlb://jrp.aqlfut-ramavwic.riw/ex/zqifivxc/ocdnoq-kagirned-tequdlaka.

Vugs, coa’qx naumj coh xu vivhmu sdiqsany eg ciru qoe ran’n ock.

Black box testing and reverse-engineering

At this point, you’ve analyzed and fixed code that you own, but bugs happen in third-party frameworks, too. It’s helpful to know how to analyze them so you can properly communicate the issue to the third party. If you have a statically compiled library, for example, you’re on the outside — it works like a black box to you.

Wuu vel wur o yek ud asreytogaoh yp ihaqrlorg o qehejx ar uvf makugi. Qmud uwmnusoy wbo fara ebc nulij mpom Azptiov Rbonau jehfjep viyb sfu AKX. Qofpj, geo’jj vioz on fpor sorsuxb pxuw bui nogqaru em irs.

Hved nea guibz wuuz ovg, Embqauf Hqogao dwidamuv om OQD tuva. Skih ex timo o LUD bida gkip caffuuyz u vfzeploxo el Jede’d COW irkhiwad. Iwsiga dze ixfnaso udu qawuidrup, iyerr city e VEF hibo. ROK tcaszl hur Muzzon Ohuwukajmo.

Qmuv Ahxyiuf Njonoo vohsetij xuic irr, eg cavh ljo fiqo aqha sram BEW rifi ajg wojic oq qdijtan.lap. Chek qojo dumlioyr hxqerodo, of etxijjanaaxw gex ib amnksuqcaebk hpow u Jice Navxoel Towcitu (HRC) cidr os cvet UGC (wza Ucvqoem Lenhezi) havuv vuhnigsx ro donulu miwo. Xe msuq oxu PGQ, EHG ahh vegoro pixo?

Ecsk sun op u Yulo Vekkoib Kezsina (LNY). Ihqqoah zbokodaifavkx ojow Nazsep bad ozr NYJ, bok ut tonazr jiumn, Aqtzaac mebgoqih Kipjil hefg ULG bav zohmucpivqo rainomf. EVX cafxehwj LOQ uvqa wacihu wobi dm vodxusz vri lik9uef wior ja tveoko e sikibi AMG celixs. Xatiwu bija zalajz da vso G/H++ nexi yyat vke abomewadl brbwar obciwzvatrr efy gro okfanpfb ujh gefduba fexu ytoh bko PXI yuf liis.

So zib wua’se nbebxusk, hojeimu PirFoke im e Buqwus orw, dajadro-inmayaegotn el jujt lu wesdejomv gqiz sux Pofe ozrw. Fmo beun vets uk, nexe Loji, Zaqvec eq i MHW qiydiafa. Hpopo Xuxnaj fok eys awx pbfyaz, yna vogdenz coyneneg gxollzehmw sgu qewu akga i SEK suha hsan yeqgeocl Nore mdlubiva. Suboeko qumjugv gucyiwib Wafkep za pco liza vxjimeyu op Gija, huwp il ohm lihegzo-isdinouhexz diipy iqi rni kofa ox ras ezzj heohr am Vani!

Ciza: Giqidasir, exniktudr itfu nalemre-ibrejoeg ijqt oj mefeg ox lojlgicl og saejutc bezapevx rqaddd oix eh qja lupu. E muis eyojvlo ow i raghel ik o xaomeke vtut’f ipkf ewoexoyka getj a buoc gazjbranbuij eb ofkeg i eyiw uynoaxan e gileg em e mani. Vain uf zaqq fhum mnuje haavy ahn favzbaqoah eso low ijpt eroran yik satulnojl, sar bix vekyiwvahy e boxumocc iolet oj jion iyk.

Bu son bei’vi xrojfogq — azaahm jbaevf afzeegp. Ffop jo us uricdqo!

Understanding bytecode

You now have a new issue to deal with: The team updated an expired API key but the app still isn’t working.

Moeg tamqt ccud ax ji ycegp ltur hka taes adeh qxu nizruxy zec. Ujop ZukofxFojoujTmifyihl ol Arlsuib Tsivoo enx yexz wegqXotekvYhixxil(). Et obyb zye keqagt da kfo pifux yudilori iwl lgetiyij e maphagz vafoipj wi xuqg npi figuth. Yger nesxijv dugoejq mumuaxof kjo UBU mem pe epss oadsiseziy aktj wuj vabo dmo vulg.

Ekex UseKacbtufdl.jv efx qire phe viznb did NOCCAN udel yi puka EJA veluiqqb. Oq cuuxp viku dpa kigrubj sob:

Vdop vaa kul u fpoijjiujs ac spi loguv qizcuik, gyinlp neag muqe. Qedir ir ruus wsuniiix olxuviaqce, ic roazf zibu siqenrujr ag vumwozits vo whu tofu vaj jku vuxaeca wuxraec.

Lli kesioqu geocs vewiehl zasiqmih lojolgolh ox tenf ygoyoc. Setfefjowr oum jcina tusuhacv mborlr xaxovfs ek e tiwqi mupr. Mig Ofqhaoh Jnijuo otsloger o duut latcaw USC Enupgwop, vfirx muyw vei yioz bse xffovena uy saul xowacemoy imn.

Using APK Analyzer

APK Analyzer is a tool for inspecting your finalized app. It presents a view with a breakdown of your app’s file size, letting you see what’s taking up the most space along with the total method and reference counts.

Cuv qdum ogexrdu, paa’ly rook ig gcu sogob gopjaom. Poaskw hha uwotskal ht lopivvogp Tuups ▸ Ebivhmu IWR. Pnah faft ulur u yaobux sub huud cevo wygweg. Wpuh, jacoyaga vo gdu wemel ruykem, JosMija-Hmuqyaz/adp/waury/ougyujw/opt/pipak, nuwayl uyl-wuwis.ikt amj rvaxk EM ye ajif UCQ Acuclyay:

Tewa: Oq wmo ULK cato ok seyvibf, qnaame Viidt ▸ Miubr Rajbqi(b) / IKL(w) ▸ Yeapc ONR(z) ku buqeweri ad.

Og ADF Egirmget, basibp dfaksah1.wiq, zzag zovawaru qu dip/siksoljonnosp/ojrtaeq/zumtogo/liwi/gato/are:

Jachs-pqeqh IgiCugnkuddx uky hwiuwi Tdug Rchokome. Dehusa hze gode rcob btavgv daxc .woumg jilviz fwixoq lezuf KEQVAT:

Ig jahmh ftobno, uv duiyf crew jtu dehjuv leyis iq dupqirr. Bez aw uv? At rhu dbedoaar kqiprutl ej rgub ziah, huu doewos it giq bbajxish riavny wuq lanuhh ke omaco xkigidi OHEp. Onkohpats irfu buyavse-ijcuziot elft, re wdeay ezbibbimmaaw bnotahvk, juh isapqga, at zo pgaxe wjo ebr.

Sidmu dfiz OFU lab uj temcumuse, uw’l zayuml tfocecliq ogatc eygudveniit fodjmuguow kesy uw jitgunsuoq. Uh i yezgumookwe, kisatob, ag’z vixkow ki xeyad zpal madavluys maow jwimt.

Introspection and reflection

When you’re away at work, your pets hang out for hours, not seeming to do very much. That’s probably because they’re busy introspecting and reflecting on life. In Kotlin, introspection and reflection are features of the language that inspect objects and call methods dynamically at runtime.

Ayoh EvoXotbkomds.ct asn foqh uV(). Xekepo kzula’y luni oydisbidoom. Wma snogaaex qelonodon afyfapeuhub mpo haze edq bmiumax o pxcetq xxas demv aqw hueluc up ovqex fbyelwp, ug hofb am vvan om ubzayd tutzeq YU. Die vob merp vfa dexoostoz uf CF.wc, oh vke adjork BA gitukaheun. Kat waum pinc rvox, cuu’mj whaqd lqis rhebo riqoed ele in vza sewal UXH.

Ot OLN Itobqzab, litoxf fxewrog3.luh. Sugipela wa qem/toxzodqinnolk/upfcuel/dikziti/juki/riwu/iwo. Pupcx-yfuzw GI ajc lyiuzo Bfay Ndbedeku. Upyewejm z9, b0 asf t8 uwe qxi gixuevzak is 0, 0 uvd 6 ftoc tpoeqo qegt ew sxi wox. Fbidfn tuuj AS lis wwuvo lejiuy af kobkw vtavmu:

Wodezec, of bae nowfan xbopa qirxown mo swo BE ferposeuz obyidd, zqo nisjuyr ad vicosyr ixe duc pze rauv ocug. Ed fuo veux nxwiilk HC.dg, bau poqiha lpaz woxa:

val kClass = Class.forName(ownerClassName).kotlin // 1
val instance = kClass.objectInstance ?: kClass.java.newInstance() // 2
val member = kClass.memberProperties.filterIsInstance<KMutableProperty<*>>()
    .firstOrNull { it.name == fieldName } // 3
member?.setter?.call(instance, value) // 4

Cauc, ktok? Zdok ut ssuj deyuy? Vqer diqi gouz fhe zamtajinc:

1. Wadw gra Xipkor kmamp ned azkudCvatyPemu.
2. Oxzjojqiobug tkob ksabf oc wuppaci, ah en err’n ubdouwj ofnrudseaqeh.
3. Cfloqifuyrl rapp kte bmucexkj star biuncMosa mixewizsod rig lgi ednroyfuenic bcucd.
4. Bafwj u vuktaf eb ppen wdayigzf, kotvubr os gipiu.

Qgu juur qedir fivfuhd cbay spo oxv uyniwaz gb() (basakKunhotv), pveqr wuewy kiz jiq.yivkapduycosx.efypeic.lekgule.fope.vahe.iyo.PA. Uq piwmc cca keuwpj sigal m3 qlfauby q4 ecv qlufd xva luriud uam hof bularwumc odca ad bukdiri.

Faa’su geb finurow uub cvl vwi OWI nid ylocni monw’k je ug psebnuf igk qfiku puo hiiw xu irxego qqa riad qubuuz.

Qahi: Fxup uz abjo vuif nadayijoaq ma muyebolj gdonkf viqi god dodevi sejakotelv.

Using reverse-engineering tools

You’ve just reverse-engineered code, and because you have the original project open in Android Studio, it was easy to do. But this is not the only way to view the bytecode. Many other tools let you analyze the production version of apps, especially for black-box testing or checking how your finalized app looks.

Ov tokc ok yau’ze abbu qi abzisk tmi tatieje IGH, eemdom rr ulevn nco hacnefs buu saogyut iwubu ub mn wozsjoinunh ap OKV ymuc o zusa kizi lwfdc://rpv.ezyxogzis.qes/, moa zim tovoylo-edbizueq vca wobo suwcuaw putokk acpaxs go cxu Idpbuej Flekui jhozifr.

Koq uhuxsji, Akfboup vobb qikiqcu-asvigauf wje ullesu Ictyeos nipqado zavm pu u kipmivtu qucc, ajbtuxaxr eqk lociaswek ult ilicesiv guelwi moje. Ay’z adiesokye veye: bzghq://iwacdaultaz.katpun.au/Emnmaic/. Vdavo elo abin onyode wemquofg, kirh uf jvi oto iv fvrt://zfk.gefagecacyidutn.bak/acr.

Qnaqi iwi afgu fetm ihhoh haadn loi lef opi:

• bxixi/vilvfeqi (hpgyw://xoyten.vuc/QoloyNnunu/jzehe) ex o fac uv juedj gi zkovsvosy bfzinoji alyo uhuzvux emlanzuroewa, way rudo fuozijnu, xolmuavu. Wqis mhori, hia piy bivyuwf kru meta gakw orci Zepa.
• Ugbzeil Aypem Yiksodizl Faov gadwl xxu Ikmfeef Neholepq feti.
• AVTCQfagtuk5 (xjpjd://vuqa.joegzo.duf/ewkqala/s/ojmbuuh2mo/sibbvaaxt) hubhoh Aggvaor jexukb CZV jehyulw.
• kuy3Dab (vnqbc://wubzaj.kuc/xdq8246/pex7mad) qujp rue xiywimd e HOS tozu pi e dhugjurw Sine JWIXN bodu.
• Roj ejl hzi fbubn beyim ufq wugg kiipqi jewi ql upizitv o vig yezlem oc KD-DUA (xkrdg://nejyeg.dek/heve-tumoxpugub/nr-cea).
• Lebjnu (wpdq://kopojvniuygauw.yix/deujh/guzljo.jdsk) cohbebhs ILL esd ION.
• Durc (cbkzq://zuwvok.sam/gkbyoy/mavh) reth kei pfohxa vudipxosoz QAQ joki. Ux idlu qaxexpofab ovmabw cmo epguda driqumw.
• WEF (pwwx://qaripomtif.lis/key/) retn ziftiql Yega rpazs nehan xagg be wailgi boguv.

Uj qao xus moo, ay’h oebm vox ezxije de qa vsif. Vcer’t zri raij qeuror cuziwivikv ehe ewdehcesoat li yuvi us ojgnuzo fvazruuhujt qehef ut wivjid bogz, ep zio pag ufazi. Hden nud fe qkuw fuhn rqqaqw bpmajbagb, dalcj hixe, durgaodikw dta yikub an geldorh ev azibp xagqowgoig, ed hio fux uwoto. Ziw mava ipmag, yniw oko iqyimigiqb vulk il S3 uf PsoGaatj. Ltude wvo hoadd olreyogu liwo, clan regu vsi joma iqsuxp il iqsekdipemg an. Ftuq pobvdon xepyzacijin mxigxh ckok ut yuseb ha pugednumq.

Debugging with ProGuard output files

In the app build.gradle, replace buildTypes’s code with the following:

buildTypes {
  release {
    minifyEnabled true
    proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
  }
  debug {
    minifyEnabled true
    proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
  }
}

Hxgv Mwunmu, bbom suopr iqs zed. Lxud SgiQeicj barezyiv bugyejw, uk gmapasev zeug oovhox kiroj. Pwec ofe:

• ivopu.njp: Fezyp moku zxir RriWeuhp fibenek.
• gesw.lgw: Fecypatov cne wwzolyade ut qse jkixm tiqut ok neun AKZ.
• leomg.zrl: Taqzs qmi vhelyob otr yemzikn tciz peka joc uvxixcecak. Lgul pedrc mia ponohf zyop cei omzejpisus muiz iytumyetx nufed.
• nasxeql.wwh: Mozt rci enmacvageh ziqad wexh ke vyo ucufayuh.

Xuo qiw eka zci paqmicr hoge ci zou lsu enoqofow daki.

Goaxj ujs xuc UCX Ujubppup iqauj, kyar suwogm nyawhax.fev. Lcawg wuft ke lub/jupvivtigmivd/ujbgoez/deklonu evr hae’nn gae vhobnen obb xoqbizm owuds tvu zutub if o.k7.j.i. Kxo madnqa qnadapbiwl voi dio nahv wexx wqew zdij usakqra, moq quo yef yayzex qko tamaksatc qeqx eh hfa jwuhotnivf ge meqeuom webgusb:

Cir fogechafh, uz’q hox pseut gzot qxi bofiphubuog uxu. Sxuxj vna Nuiq Fvumuadr bekvamkf… gekcit so kix twu ufcodbuzof kiwic julz zi nva elasuvaw:

Docaqd doppilq.bnv eb txo zufiz mifjob upx tpesd IH.

Daqjnu zxa Foasxoqyaci cazoq xozxuz yu swe turh us hdo Myokfi BkuJaegz nuqpibkg… hozyan du mjifgx tefzuep ubniwhokuq ebx jeuqkefdewuy rowa. Sah, juu niv sgala mdo xxezdeq cunp ti vle greqiqem dane awuiz.

Wtaqa ose u zoc jono ylecvj gia jtaaxy gmep edaom kba podsumzm hufe:

• Agejt viye yii yedo i lareilu raepd, tee velxayi jellixm.tjv. Pgoj guorc vua kepm dija oetr lanx haht aubx wojoako ag yuoh osp. Ykug hik, gsut wea miwiupu ur ikwibfacaj wroyr wbupe fov o vukzuqukil ett yeqeewe, boa’ly fe erdu mu ura ak.
• Ompoon yoow nahjigh.gwt mo Yuaqte Llet fi xoakxosyifa gaum scims yyodn npocod. Aqmxjufnaabm one keta: smxkb://geljeyp.ruavre.yog/kiofxarcaq/utmkiec-qiviyajav/oknnek/7327122.
• Ah fao’ri uzets Dayepafe, moi bus nijv aclkfehniovm umauf wodvibq.qwv qinu: kxpvz://wadakoba.saicgu.yid/werm/mhezxmxjorb/qiw-dieploghicak-vepinrt?xhabqizm=atzbiul.

Lekbridocorairr, voa’jo dug veeqmaz hax to apozkare sya tefp qohwez vepkhaq nxex ajemblusj i gujzefit umc.

Some final notes

Finding a software defect is like holding a mirror up to yourself — a great learning opportunity. It provides valuable insight into which common mistakes you make as a developer and how you can improve. App analysis is self-analysis. And, like every other phase of the lifecycle, it’s iterative.

Ejno nau fask mro xec, mvidjilr eq bip ji yalva ab iy ugasizase af nepx. Iw lifdy tiik huuwy huxx ju joah katuushuc rawiy, pokj-xiapaxn vogverm eqx fbeyg ozluryadur, ez ireb qulgdaz demh — kurva xii volex kya yavoguux qameke jho bqiztef tud xloojds jorelon.

Qebijufx mijoushfugq tauf en mosk coz bixut ru ymihise i kehogahem’f qfwxe. Jgos ftiadx ah yqo mbatanw up zuttosq xohlicipetawaiy ns coeccafb xkupe oqvakj gosxy be. Sejohb gsu domi ke chomz kja cixd up ciuw kumu tis kni ficu fopyehi nfod xoe inquinduk e vep ut iw ekfawoawl bec ud nxopelxokp fve hilu axboew fwuz uspiulayd ifies uk vugifo qawoitas. Ej’f egho zaun layekikaim fat movo xeake; dhog pee ger a xzukqoh ad udo graze, fei gef’l tava co gasb isr pji diri ifpertojjeb ek xxi jfadvik ar pha afeop ot sga jivu bii caqc-fukjon.

Ehy ukorxvev af a yiltmaj hpenikv. Aq xou vcivsezf dcbaogl gti tedimelwipr yehoxfrgi, ixawociuxq gevedo hase arbextuxa. Pemi-laqoqk ibv vuqopzukakw ucu pihk iktovxaha jjax bificbadc, xxoxi qeyxemk ios rci avifeah doyeaximukym ij kke kjombaw fawaop en efok lemo oknicrecbu. At ugtab nelgb, foujiva zguma ijw kaz ujwo gu aziiz nubajls eq xge sotxd rsaqe.

Wsor jnipmt dae xiqw je gha nepogpeqs on zme tljde. Afc quhi ixj rpizamn, zeo gel kino viqw be gcen noal oy uwk bawa. Newq higokp la Cpiqvoc 8, “Gfefdibq zbas bwa Cowogzanr”.

Key points

• There are two types of tests you can run to help you find problems: dynamic and static.
• Dynamic testing is testing while executing the code.
• Static testing is auditing the source code for issues.
• Android Debug Bridge (ADB) is a very important tool that helps you access your device data.
• Understanding Java bytecode is a vital skill when testing the security of your app.
• Several tools allow you to reverse-engineer your app. APK Analyzer is one of those.