Previous material
We recommend that the reader be familiar with the platform-agnostic sections Actions, Views, and Decompiling before proceeding with the Android-specific content.
JEB is a well-known industry tool used to reverse-engineer and audit Android applications. You will be able to:
- Analyze APK files and their contents, including DEX files, Certificates, Resources, Assets, Native Library code, etc.
- Examine encoded resource files and manifests, including resources with obfuscated names and locations.
- Examine app certificates (legacy, v2, v3).
- Decompile DEX bytecode, with full support for multi-DEX reconstruction.
- Analyze native library code: see the Native code analysis section for more.
- Debug Android applications (Dalvik and Native - x86, arm, mips - code) and transition seamlessly from Dalvik to Native, and vice-versa.
- Write your own extensions using the API (client scripts in Python, back-end plugins and scripts).
Plugins
The plugins used to analyze Android apps consist of:
- The APK plugin is responsible for processing APK files. Encoded resources (arsc) are decoded by this plugin. Other jobs, such as analyzing dex files, analyzing certificates, processing asset files, analyzing binary files, etc. are delegated to appropriate plugins.
- The DEX plugins: DEX analyzer (DEX parsing and merging, Dalvik disassembling, etc.), DEX decompiler, DEX debuggers, emulator and sandbox (incl. the generic unpacker module).
- Native code analyzers: disassemblers, decompilers, etc.
- A handful of other plugins, such as Certificate parsers, XML/HTML/JSON/etc. parsers.
This section mostly focuses on the APK plugin and the DEX analyzer. Other plugins are documented in separate sections of this manual.
Technical Blogs
Our blog is filled with technical posts that will help you make the most of JEB. It is the ideal companion to this manual. Link: All PNF Software blog posts tagged Android.
API Levels
API levels are regularly mentioned throughout this document. Here is a list of "recent" Android versions, their corresponding API levels, as well as notable changes regarding security.
| Codename | Version | API level | Date | New security features |
|---|---|---|---|---|
| Vanilla Ice Cream | 15 | 35 | 2024 | Private spaces, in-app passkeys for login |
| Upside Down Cake | 14 | 34 | 2023 | More granular permissions, privacy dashboard, apps with targetSdkVersion < 23 cannot be installed |
| Tiramisu | 13 | 33 | 2022 | Privacy improvements |
| Snow Cone v2 | 12.1 | 32 | 2022 | - |
| Snow Cone | 12 | 31 | 2021 | Privacy dashboard, Private Compute Core, approximate location, a/v indicators |
| Red Velvet Cake | 11 | 30 | 2020 | Privacy updates, APK Signature Scheme v4 |
| Quince | 10 | 29 | 2019 | Permissions for privacy, BiometricPrompt |
| Pie | 9 | 28 | 2018 | ART: Vdex with Cdex, AS-FBE, biometric API, lockdown mode, APK Signature Scheme v3 |
| Oreo | 8, 8.1 | 26, 27 | 2017 | ART: OAT with Vdex (oat w/o dex, separate vdex with dex'es), Google Play Protect |
| Nougat | 7, 7.1 | 24, 25 | 2016 | APK Signature Scheme v2, File Based Encryption (FBE - and consequently, DirectBoot), AS-FDE, Android Things |
| Marshmallow | 6 | 23 | 2015 | Adoptable Storage (AS), granular permissions and permission levels (NORMAL, DANGEROUS), Doze & App Standby, Android Wear |
| Lollipop | 5, 5.1 | 21, 22 | 2014 | ART: OAT with dex'es in .rodata, 64-bit support (x86_64, arm64-v8a), Android Auto |
| KitKat | 4.4, 4.4W | 19, 20 | 2013 | ART (optional), VerifiedBoot, Full Disk Encryption (FDE) |
| Jelly Bean | 4.1, 4.2, 4.3 | 16, 17, 18 | 2012 | SELinux introduction, multi-users |
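
The table dates APK Signature Scheme v2 to API 24 and v3 to API 28. The Python below is an added example, not JEB code or part of the original manual: it reports which signature schemes an APK carries by checking `META-INF` and walking the APK Signing Block. The function names and the sample builder are assumptions for illustration, and the sample APK is constructed.

```python
import io, struct, zipfile
MAGIC = b"APK Sig Block 42"
# Block IDs from the APK Signature Scheme v2/v3 specs -> {scheme: API level per the table}
SCHEMES = {0x7109871A: {"v2": 24}, 0xF05368C0: {"v3": 28}}

def signature_schemes(apk: bytes) -> dict:
    """Map each scheme present to the API level that introduced it (presence only, no verification)."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        names = [n.upper() for n in z.namelist()]
    if any(n.startswith("META-INF/") and n.endswith((".RSA", ".DSA", ".EC")) for n in names):
        found["v1"] = 1  # legacy JAR signing, accepted since the first Android release
    eocd = apk.rfind(b"PK\x05\x06")            # End of Central Directory record
    cd_off = struct.unpack_from("<I", apk, eocd + 16)[0]
    # The signing block sits right before the central directory and ends with size + magic.
    if cd_off < 32 or apk[cd_off - 16:cd_off] != MAGIC:
        return found
    size = struct.unpack_from("<Q", apk, cd_off - 24)[0]
    start = cd_off - size - 8                  # size excludes the leading size field
    if start < 0 or struct.unpack_from("<Q", apk, start)[0] != size:
        raise ValueError("malformed APK Signing Block: size fields disagree")
    pos, end = start + 8, cd_off - 24
    while pos < end:                           # each pair: uint64 length, uint32 ID, value
        if pos + 12 > end:
            raise ValueError("truncated ID-value pair")
        length, block_id = struct.unpack_from("<QI", apk, pos)
        if length < 4 or pos + 8 + length > end:
            raise ValueError("ID-value pair overruns the signing block")
        found.update(SCHEMES.get(block_id, {}))  # unknown IDs (e.g. padding) are skipped
        pos += 8 + length
    return found

def build_sample_apk(block_ids=(), v1=False) -> bytes:
    """Constructed test input: a tiny ZIP with dummy (unsigned) scheme blocks spliced in."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00")
        if v1:
            z.writestr("META-INF/CERT.RSA", b"placeholder")
    raw = bytearray(buf.getvalue())
    eocd = raw.rfind(b"PK\x05\x06")
    cd_off = struct.unpack_from("<I", raw, eocd + 16)[0]
    pairs = b"".join(struct.pack("<QI", 8, i) + b"\0\0\0\0" for i in block_ids)
    if pairs:
        size = struct.pack("<Q", len(pairs) + 24)   # pairs + trailing size + magic
        block = size + pairs + size + MAGIC
        struct.pack_into("<I", raw, eocd + 16, cd_off + len(block))
        raw[cd_off:cd_off] = block
    return bytes(raw)
```

An APK that reports only `v1` relies on the legacy scheme alone, while one that reports only `v3` has no signature that the table's pre-API 28 releases can check.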