Binary Protections

Java and Kotlin are strictly typed programming languages, and in most cases are immune to memory corruption vulnerabilities. The exception is when the application includes library files that are written in C/C++, which then opens them up for memory vulnerabilities. These files should be checked for proper stack canaries.

Extract the APK file

If you have not already decoded the app with apktool, do that now. If you have, change into that directory now, and look for the lib directory.

apktool d -o Example ExampleApp.apk
cd Example/lib/{arch}

Stack Protection

Android applications can include external libraries written in C/C++ which can suffer from the same buffer overflow vulnerabilities as traditional C/C++ code. All shared libraries should be in a single 'lib' directory in the application's output when decompiled with apktool.

If, for some reason, you do not know the architecture of the device you can query it to get this information:

$ adb shell getprop ro.product.cpu.abi    
arm64-v8a

• After decompilation with apktool, shared object libraries can be in lib/<arch>

• Each library properly protected should match the output of the following grep command. If not, stack protection is not present:

  cd <lib dir>
  for o in `ls`; do echo && echo && echo $o: && strings $o | grep stack_chk; done
  

• Additionally, you could use Radare2 to check for proper stack protections:

  rabin2 -I ${LIBRARY} | grep canary