Androguard is a tool used during Android application assessments, primarily focused on reverse engineering the APK file and analysing the application. The tool is Python-based and can be used from a command prompt to assess an APK file by extracting and analysing the Android manifest, identifying all available activities, services and content providers, and reverse engineering the dex files to the equivalent Java classes.
Androguard also provides a plugin for Sublime Text, one of the best text editors for developers and testers, which can make the first steps of an Android application assessment significantly faster. This article primarily focuses on the installation and usage of the Androguard plugin for Sublime Text and how it can be used to effectively speed up the static analysis process of an Android application.
Installation
First of all, you will need a version of Sublime Text to be able to install the plugin. At the moment the plugin works only with version 2 of the software, so it is important to use the correct version.
You can find Sublime Text version 2 here: http://www.sublimetext.com/2
You also have to download the Androguard plugin zip file, which can be found here: https://androguard.googlecode.com/files/ag-st-1.9.zip
There are several versions of Sublime Text, so I will focus only on the installation of the plugin for the Windows and Portable versions of the software.
Windows version
After successfully installing Sublime Text, you have to run the application once so that the appropriate folders are created. Following this, the Androguard plugin zip file must be copied and extracted to the appropriate location. For the Windows version, you have to copy and extract the ag-st-1.9 zip file to the following location:
- C:\Users\<User_name>\AppData\Roaming\Sublime Text 2\Packages
After extracting the folder to the Packages folder, restart Sublime Text and you should now be ready to use the plugin.
Portable Version
After successfully downloading Sublime Text portable, extract the zip to a location of your choice and run sublime_text.exe once so that the appropriate folders are created. Following this, the Androguard plugin zip file must be copied and extracted to the appropriate location. For the Portable version, you have to copy and extract the ag-st-1.9 zip file to the following location:
- <Sublime_Text_location>/Data/packages
After extracting the folder to the Packages folder, restart Sublime Text and you should now be ready to use the plugin.
Usage
To use the Androguard plugin, just drag and drop the Android APK file onto the application. For illustration purposes, the WordPress Android application has been used. Once the APK is loaded, it should look like the following:

By pressing Ctrl+F5, you can enable the Androguard plugin and start the analysis of the APK file.

The most important files inside the APK, which can also be analysed further, are highlighted in pink. The first of these is the Android manifest file. Through the manifest, we can identify the permissions needed by the application and the main activity in use, and retrieve a list of all activities, as well as the number and names of any content providers and receivers present inside the application. By double-clicking the AndroidManifest.xml entry, we can see that Androguard presents all this information in a compact format after analysing the XML file.

If you need to access the original XML manifest, you can simply press F5 and the original format will be shown with the appropriate highlighting.
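The summary described above (permissions, main activity, activities, providers and receivers) can also be reproduced outside the editor. The following Python script is an added example, not part of the original article and not Androguard's own code; it assumes the manifest has already been decoded to text XML (inside the APK it is stored as binary XML), and the sample manifest, package name and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Constructed sample: a decoded (text) manifest for a hypothetical package.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity"/>
    <provider android:name=".NotesProvider"/>
    <receiver android:name=".BootReceiver"/>
  </application>
</manifest>"""

def names(parent, tag):
    """android:name of each direct child element with the given tag."""
    return [e.get(A + "name") for e in parent.findall(tag) if e.get(A + "name")]

def full_name(package, name):
    """Expand ".Foo" or "Foo" to a fully qualified class name."""
    if name.startswith("."):
        return package + name
    return name if "." in name else package + "." + name

def is_launcher(activity):
    """True if one intent-filter pairs action MAIN with category LAUNCHER."""
    return any("android.intent.action.MAIN" in names(f, "action")
               and "android.intent.category.LAUNCHER" in names(f, "category")
               for f in activity.findall("intent-filter"))

def summarize_manifest(xml_text):
    root = ET.fromstring(xml_text)
    pkg, app = root.get("package", ""), root.find("application")
    out = {"package": pkg, "permissions": names(root, "uses-permission")}
    for kind in ("activity", "service", "provider", "receiver"):
        out[kind] = [full_name(pkg, n) for n in names(app, kind)] if app is not None else []
    mains = [a for a in (app.findall("activity") if app is not None else []) if is_launcher(a)]
    out["main_activity"] = full_name(pkg, mains[0].get(A + "name")) if mains else None
    return out

if __name__ == "__main__":
    print(summarize_manifest(SAMPLE_MANIFEST))
```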

Getting back to the main page of the analysis of the application, we can now double-click on the classes.dex file to see all the classes contained inside the application. Depending on the size of the app, the editor may seem to hang while a full analysis and decompilation of the application is performed. After the analysis is finished, a new page opens, containing all the classes of the application along with their methods and fields.

Double-clicking on any of the available methods, we can see the decompiled code in a Dalvik bytecode format.

By just pressing F5, we can switch to the Java code equivalent of the decompiled class.

While inside a method, we can press Ctrl+F6 to see all the calls towards this function.

And finally, by pressing Ctrl+F7 we can see all the classes that contain functions called inside this method.

As you can see, this plugin significantly speeds up information gathering and decompilation of an Android application during an assessment. It is an excellent tool that can help during both a malware analysis and a penetration test of a mobile app.
Howdy! I just would like to offer you a huge thumbs up for your excellent information you have got right here on this post. I will be returning to your web site for more soon.
Thanks for the feedback! 🙂