Everybody knows that Android application packages contain code and resources, however, some contain information that is designed to be kept private to the application, hence it is encoded or encrypted.
In this presentation, we present a series of failed attempts to keep valuable information (for instances in databases) from the eye of the interested reverse engineer. Often a single database file in an APK contains more useful information than what is exposed by the enclosing app.
This presentation gives insights into what can be learned from analyzing the optional composites of an APK file. Does the vendor catch up with security patches of embedded components? Does the vendor follow secure coding practices? How about fails in using encrypted native libraries or database encryption? Is the application just a mule for ad placement or coin mining? There are many questions that can be answered without or before running the application.
We demonstrate interesting findings and the toolsets to discover those.