Introduction: The Imperative of Automated Android Analysis

In the vast and ever-expanding ecosystem of Android applications, identifying and extracting sensitive information from compiled APKs is a critical task for security researchers, reverse engineers, and quality assurance professionals. Manually sifting through thousands of classes and methods for hardcoded API keys, URLs, credentials, or proprietary algorithms is not only time-consuming but also highly error-prone. This challenge underscores the need for robust, automated analysis tools.

JEB Decompiler stands out as a powerful platform for Android reverse engineering, offering unparalleled decompilation quality and, crucially, a highly extensible scripting engine. This article will guide you through leveraging JEB’s Python scripting capabilities to automate the process of sniffing sensitive information from Android APKs, transforming a tedious manual chore into an efficient, repeatable process.

Why JEB Scripting for Automated Extraction?

JEB’s strength lies not just in its decompilation but also in its comprehensive Python API. This API provides programmatic access to almost every aspect of the loaded application, including the bytecode, control flow graphs, cross-references, and even the decompiled Java source. By writing scripts, you can:

• Scale Analysis: Process multiple APKs without manual intervention.
• Target Specific Patterns: Search for custom string patterns, API calls, or data structures.
• Integrate with Other Tools: Export findings in structured formats for further processing.
• Customize Workflows: Adapt analysis to specific threat models or research goals.

Getting Started with JEB Scripting

1. Environment Setup

Ensure you have JEB Decompiler installed. Scripts are typically written in Python 2 or 3 (depending on your JEB version and configuration). JEB’s scripting console or an external IDE can be used to write and execute scripts.

2. Basic Script Structure

A JEB script typically starts with annotations that describe the script. The core logic resides within a function, often triggered by an event or a manual execution.

# -*- coding: utf-8 -*-#
from datetime import datetime

import jeb.api.ui
from jeb.api import IScript
from jeb.api.ui import UIFx

class AutomatedDataExtractor(IScript):
  def run(self, ctx):
    # Basic checks and setup
    if not ctx.getProject():
      ctx.log('No project loaded. Please load an APK first.')
      return

    self.ctx = ctx
    self.log = ctx.log
    self.results = []

    self.log('Starting automated data extraction...')
    self.analyze_apk()
    self.log_results()

  def analyze_apk(self):
    # This method will contain the core logic for iterating and analyzing
    pass

  def log_results(self):
    # This method will output the findings
    if self.results:
      self.log('--- Extracted Sensitive Data ---')
      for result in self.results:
        self.log(result)
    else:
      self.log('No sensitive data found.')

3. Loading an APK and Accessing Units

Before running your script, load the target APK into JEB. The script can then access the loaded project and its units (e.g., Java units, DEX units).

  def analyze_apk(self):
    # Get the primary DEX unit (or iterate through all units)
    prj = self.ctx.getProject()
    unit = prj.findUnit(None, 'Ljava/lang/Object;', True)
    if not unit or not unit.is and unit.isInstanceOf('jeb.android.dex.DexUnit'):
      self.log('Could not find a DEX unit to analyze.')
      return

    self.log(f'Analyzing DEX unit: {unit.getName()}')

    # Iterate through all classes in the DEX unit
    for c in unit.getClasses():
      self.analyze_class(c)

  def analyze_class(self, c):
    self.log(f'  Analyzing class: {c.getName()}')
    # Iterate through methods
    for m in c.getMethods():
      self.analyze_method(m)

Techniques for Detecting Sensitive Information

1. String Constant Analysis

The most straightforward way to find sensitive data is by examining hardcoded string constants. These often include API keys, URLs, encryption keys, or identifiable fragments of credentials. JEB’s API allows you to inspect method instructions and extract string literals.

Example: Finding Hardcoded API Keys

Let’s extend our `analyze_method` function to look for strings that resemble API keys. We’ll use a simple heuristic: strings containing ‘API_KEY’, ‘KEY=’, or strings that are sufficiently long and alphanumeric.

  def analyze_method(self, m):
    # self.log(f'    Analyzing method: {m.getName()}')
    if not m.getBody():
      return

    # Get the IR method to analyze its instructions (better than bytecode for strings)
    ir_method = m.get and m.getIRMethod() # Requires JEB Pro/Enterprise for IR
    if not ir_method:
      # Fallback to bytecode analysis if IR not available or method is native/abstract
      return

    # Iterate through all IR instructions
    for block in ir_method.getCFG().getBlocks():
      for insn in block.getInstructions():
        # Check for string literal arguments
        for op in insn.getOperands():
          if op and op.getData() and isinstance(op.getData(), str):
            s = op.getData()
            # Heuristic for API keys: starts with common patterns, or is long and looks like a hash
            if len(s) > 16 and (s.startswith('AK-') or s.startswith('pk_') or s.startswith('sk_') or s.startswith('Bearer') or 
                               'API_KEY' in s or 'KEY=' in s or 'token=' in s or 
                               (s.isalnum() and len(s) > 32)):
              self.results.append(f'  [POTENTIAL API KEY] Class: {m.getParent().getName()}, Method: {m.getName()}, String: "{s}"')
            # Heuristic for sensitive URLs
            elif ('http://' in s or 'https://' in s) and 
                 ('password' in s or 'credential' in s or 'login' in s or 'secret' in s):
              self.results.append(f'  [POTENTIAL SENSITIVE URL] Class: {m.getParent().getName()}, Method: {m.getName()}, URL: "{s}"')
            # Heuristic for base64 encoded strings
            elif len(s) > 20 and s.endswith('=') and s.replace('=', '').isalnum():
              self.results.append(f'  [POTENTIAL BASE64 ENCODED] Class: {m.getParent().getName()}, Method: {m.getName()}, String: "{s}"')


# Helper for logging (can be added to the script file)
# To make this script runnable in JEB, you'd integrate the analyze_method into the class.
# A full script would look like this:
#
# class AutomatedDataExtractor(IScript):
#   def run(self, ctx):
#     self.ctx = ctx
#     self.log = ctx.log
#     self.results = []
#     self.analyze_apk()
#     self.log_results()
#
#   def analyze_apk(self):
#     # ... (code from above for finding unit and iterating classes) ...
#   def analyze_class(self, c):
#     # ... (code from above for iterating methods) ...
#   def analyze_method(self, m):
#     # ... (code for string analysis from above) ...
#   def log_results(self):
#     # ... (code for logging results) ...

2. Analyzing Method Calls

Beyond static strings, sensitive data often interacts with specific API calls. For instance, calls to `android.util.Base64.decode` followed by `String` construction might indicate decoding of embedded secrets. Similarly, `System.loadLibrary` or `Runtime.exec` calls could point to native code or command injection vulnerabilities.

You can identify method calls by inspecting the instruction operands for references to `MethodReference` objects.

  def analyze_method_calls(self, m):
    ir_method = m.getIRMethod()
    if not ir_method:
      return

    for block in ir_method.getCFG().getBlocks():
      for insn in block.getInstructions():
        if insn.getMnemonic() == 'call': # Example for an IR instruction mnemonic
          # Look for method call targets
          for op in insn.getOperands():
            if op.getType() == 'MethodReference':
              method_ref = op.getData()
              full_method_name = f'{method_ref.getSignature()}'
              if 'Base64.decode' in full_method_name:
                self.results.append(f'  [POTENTIAL BASE64 DECODING] Class: {m.getParent().getName()}, Method: {m.getName()}, Call: {full_method_name}')
              elif 'Cipher.init' in full_method_name or 'SecretKeySpec' in full_method_name:
                self.results.append(f'  [POTENTIAL CRYPTO KEY USAGE] Class: {m.getParent().getName()}, Method: {m.getName()}, Call: {full_method_name}')

3. Cross-Referencing and Data Flow

For more sophisticated analysis, JEB’s API allows you to follow data flows and cross-references. If a suspicious string is found, you can query its cross-references (`IUnit.get and .getReferences(address)`) to see where it’s being used, potentially uncovering its context or whether it’s passed to sensitive functions.

Refining Your Script and Best Practices

• Specificity: Start with broad searches and refine your regex or heuristics to reduce false positives.
• Error Handling: Implement `try-except` blocks, especially when dealing with potentially null objects from JEB’s API.
• Logging: Use `ctx.log` extensively to understand your script’s execution path and findings.
• Modularity: Break down complex analysis into smaller, testable functions (e.g., `analyze_strings`, `analyze_method_calls`).
• Performance: For very large APKs, be mindful of nested loops. Optimize by pre-filtering classes or methods if possible.
• Output: Consider exporting results to a structured format like JSON or CSV using Python’s built-in libraries for easier post-processing.

Conclusion

Automating sensitive data extraction from Android APKs using JEB scripts transforms the daunting task of manual reverse engineering into an efficient, scalable, and repeatable process. By combining JEB’s powerful decompilation with its flexible Python API, security researchers can quickly identify hardcoded secrets, analyze method interactions, and gain deeper insights into application behavior. This approach not only saves valuable time but also enhances the thoroughness and accuracy of security audits, making it an indispensable skill for anyone involved in Android application security.