Understanding Split APKs

In modern mobile app development, split APKs are becoming increasingly common. They divide a large app into smaller packages, allowing for more efficient downloads and installations, especially on devices with limited storage. For mobile penetration testers, understanding and working with split APKs is essential.

  1. Understanding Split APKs
  2. Structure of a Split Apk
  3. Split Apks vs App Bundle
    1. Split APKs
    2. Android App Bundles
  4. Tools for Installing Split APKs
  5. Signing and Installing Patched Split APKs
    1. Extract Split APKs
    2. Decompile Split APKs for Patching
    3. Generate, Sign, and Install Split APKS
  6. Conclusion

Structure of a Split Apk

To effectively work with split APKs, it’s essential to understand their underlying structure. A typical split APK consists of the following components:

  • Base APK: This is the core APK that contains the essential components of the app, including the manifest file, classes.dex, and the resources directory.
  • Feature APKs: These APKs contain optional features that can be downloaded and installed on-demand, providing users with flexibility and reducing initial download sizes.
  • Configuration APKs: These APKs contain additional code and resources that are specific to certain device configurations, such as screen size, CPU architecture, and language.

Split Apks vs App Bundle

Another discussion that I encounter frequently is about app bundles. Both split APKs and Android App Bundles are designed to optimize app delivery and installation on Android devices. However, they differ significantly in their approach and advantages.

Split APKs

A split APK is a smaller package of an app that contains a subset of the app’s code and resources. It is used to reduce download sizes and improve installation times, especially for devices with limited storage. Developers manually create split APKs by dividing their app’s code and resources into smaller packages based on factors like device configuration (e.g., screen size, CPU architecture).

Android App Bundles

An Android App Bundle is a single upload format that contains all your app’s code and resources. It is used to allow Google Play to generate and serve the optimal APK combination for each device, reducing download sizes and improving installation times. Developers create a single Android App Bundle using the Android Gradle Plugin, which includes all the app’s code and resources.

Several tools and techniques can be used to install split APKs on Android devices:

  1. Split APKs Installer: This dedicated app from the Play Store provides a user-friendly interface for installing split APKs. Simply download the app, select the split APKs, and follow the on-screen instructions.
  2. ADB (Android Debug Bridge): For more advanced users, ADB can be used to install split APKs. Connect your Android device to your computer via USB, enable developer options, and enable USB debugging. Then, use the following command to install multiple APKs: 
adb install-multiple apk1.apk apk2.apk ...
  1. MMSF (Massive Mobile Security Framework): MMSF, a powerful tool for mobile penetration testing, has built-in functionality for handling split APKs, allowing you to focus more on testing, rather than handling different types of data.

Signing and Installing Patched Split APKs

Most of the time you would also need to work with those Split APKs and perform different actions like patching the APKs and re-install the application. This is not always straightforward; sometimes this is even harder than expected. But let’s see how we can leverage MMSF to extract, decompile, sign, generate, and install Split APKs.

To extract Split APKs from an Android device, all you have to do is to know the application’s package name. The rest is done by MMSF for effectiveness. The following should be run to extract the APKs from the device:

mmsf> usemodule splitapk
mmsf (splitapk)> usemodule pull
mmsf (splitapk/pull)> set
mmsf (splitapk/pull/set)> app com.netflix.mediaclient
mmsf (splitapk/pull/set)> path /tmp
mmsf (splitapk/pull/set)> run

Decompile Split APKs for Patching

Now that we have the APKs, the next step is to decompile them for further analysis and patching. Decompiling allows us to examine the application’s code structure and identify vulnerabilities.

We have to decompile not only the base.apk but also all associated APKs. This ensures that all components are signed with the same certificate, maintaining the application’s integrity. 

mmsf (splitapk)> usemodule decompile
mmsf (splitapk/decompile)> set
mmsf (splitapk/decompile/set)> path /tmp/com.netflix.mediaclient
mmsf (splitapk/decompile/set)> run
Decompile Split APKs

Generate, Sign, and Install Split APKS

Once the patching is complete, the next steps involve:

  • Generating new APKs: Create new APK files incorporating the desired changes or patches.
  • Signing the APKs: Sign the newly generated APKs with the original certificate to ensure authenticity and integrity.
  • Installing the APKs: Deploy the signed APKs onto the device for testing and verification.

This can all be automated using MMSF. 

mmsf (splitapk)> usemodule generate
mmsf (splitapk/generate)> set
mmsf (splitapk/generate/set)> path /tmp/com.netflix.mediaclient/decompiled
mmsf (splitapk/generate/set)> run
Generate new APKs
mmsf (splitapk)> usemodule sign
mmsf (splitapk/sign)> set
mmsf (splitapk/sign/set)> path /tmp/com.netflix.mediaclient/decompiled/modified
mmsf (splitapk/sign/set)> run
Sign Split APKs
mmsf (splitapk)> usemodule install
mmsf (splitapk/install)> set
mmsf (splitapk/install/set)> path /tmp/com.netflix.mediaclient/decompiled/modified/signed
mmsf (splitapk/install/set)> run
The patched application is now installed

Conclusion

Split APKs are a common component of modern mobile apps, and understanding how to install them is crucial for mobile penetration testers. By utilizing tools like Split APKs Installer, ADB, or MMSF, you can effectively install and analyze split APKs to identify potential vulnerabilities.