androguard package


androguard.misc module

androguard.misc.AnalyzeAPK(_file, session=None, raw=False)

Analyze an android application and setup all stuff for a more quickly analysis! If session is None, no session is used at all. This is the default behaviour. If you like to continue your work later, it might be a good idea to use a session. A default session can be created by using get_default_session().

  • _file (string (for filename) or bytes (for raw)) – the filename of the android application or a buffer which represents the application

  • session – A session (default: None)

  • raw – boolean if raw bytes are supplied instead of a filename

Return type

return the APK, list of DalvikVMFormat, and Analysis objects

androguard.misc.AnalyzeDex(filename, session=None)

Analyze an android dex file and setup all stuff for a more quickly analysis !

  • filename (string) – the filename of the android dex file or a buffer which represents the dex file

  • session – A session (Default None)

Return type

return a tuple of (sha256hash, DalvikVMFormat, Analysis)

androguard.misc.AnalyzeODex(filename, session=None)

Analyze an android odex file and setup all stuff for a more quickly analysis !

  • filename (string) – the filename of the android dex file or a buffer which represents the dex file

  • session – The Androguard Session to add the ODex to (default: None)

Return type

return a tuple of (sha256hash, DalvikOdexVMFormat, Analysis)

androguard.misc.RunDecompiler(d, dx, decompiler_name)

Run the decompiler on a specific analysis

  • d (DalvikVMFormat object) – the DalvikVMFormat object

  • dx (VMAnalysis object) – the analysis of the format

  • decompiler (string) – the type of decompiler to use (“dad”, “dex2jad”, “ded”)

androguard.misc.clean_file_name(filename, unique=True, replace='_', force_nt=False)

Return a filename version, which has no characters in it which are forbidden. On Windows these are for example <, /, ?, …

The intention of this function is to allow distribution of files to different OSes.

  • filename – string to clean

  • unique – check if the filename is already taken and append an integer to be unique (default: True)

  • replace – replacement character. (default: ‘_’)

  • force_nt – Force shortening of paths like on NT systems (default: False)


clean string


Return the default Session from the configuration or create a new one, if the session in the configuration is None.

Return type


androguard.misc.sign_apk(filename, keystore, storepass)

Use jarsigner to sign an APK file.

  • filename – APK file on disk to sign (path)

  • keystore – path to keystore

  • storepass – your keystorage passphrase

androguard.session module


load your session!


s = session.Load("")

filename (string) – the filename where the session has been saved

Return type

the elements of your session :)

androguard.session.Save(session, filename=None)

save your session to use it later.

Returns the filename of the written file. If not filename is given, a file named androguard_session_<DATE>.ag will be created in the current working directory. <DATE> is a timestamp with the following format: %Y-%m-%d_%H%M%S.

This function will overwrite existing files without asking.

If the file could not written, None is returned.


s = session.Session()
session.Save(s, "")
  • session – A Session object to save

  • filename (string) – output filename to save the session

class androguard.session.Session(export_ipython=False)

Bases: object

A Session is able to store multiple APK, DEX or ODEX files and can be pickled to disk in order to resume work later.

The main function used in Sessions is probably add(), which adds files to the session and performs analysis on them.

Afterwards, the files can be gathered using methods such as get_objects_apk(), get_objects_dex() or get_classes().


s = Session()
digest = s.add("some.apk")

print("SHA256 of the file: {}".format(digest))

a, d, dx = s.get_objects_apk("some.apk", digest)

# Reset the Session for a fresh set of files

digest2 = s.add("classes.dex")
print("SHA256 of the file: {}".format(digest2))
for h, d, dx in s.get_objects_dex():
    print("SHA256 of the DEX file: {}".format(h))
add(filename, raw_data=None, dx=None)

Generic method to add a file to the session.

This is the main method to use when adding files to a Session!

If an APK file is supplied, all DEX files are analyzed too. For DEX and ODEX files, only this file is analyzed (what else should be analyzed).

Returns the SHA256 of the analyzed file.

  • filename – filename to load

  • raw_data – bytes of the file, or None to load the file from filename

  • dx – An already exiting Analysis object


the sha256 of the file or None on failure

addAPK(filename, data)

Add an APK file to the Session and run analysis on it.

  • filename – (file)name of APK file

  • data – binary data of the APK file


a tuple of SHA256 Checksum and APK Object

addDEX(filename, data, dx=None, postpone_xref=False)

Add a DEX file to the Session and run analysis.

  • filename – the (file)name of the DEX file

  • data – binary data of the dex file

  • dx – an existing Analysis Object (optional)

  • postpone_xref – True if no xref shall be created, and will be called manually


A tuple of SHA256 Hash, DalvikVMFormat Object and Analysis object

addDEY(filename, data, dx=None)

Add an ODEX file to the session and run the analysis


Yields a list of tuples of SHA256 hash of the APK and APK objects of all analyzed APKs in the Session.


Returns the Analysis object which contains the current_class.


current_class (androguard.core.bytecodes.dvm.ClassDefItem) – The class to search for

Return type



Returns all Java Classes from the DEX objects as an array of DEX files.


Return the SHA256 hash of the object containing the ClassDefItem

Returns the first digest this class was present. For example, if you analyzed an APK, this should return the digest of the APK and not of the DEX file.


Returns the filename of the DEX file where the class is in.

Returns the first filename this class was present. For example, if you analyzed an APK, this should return the filename of the APK and not of the DEX file.


current_class – ClassDefItem


None if class was not found or the filename


Returns the DalvikVMFormat of a given ClassDefItem.


current_class – A ClassDefItem


Return the total number of strings in all Analysis objects

get_objects_apk(filename=None, digest=None)

Returns APK, DalvikVMFormat and Analysis of a specified APK.

You must specify either filename or digest. It is possible to use both, but in this case only digest is used.


s = Session()
digest = s.add("some.apk")
a, d, dx = s.get_objects_apk(digest=digest)


s = Session()
filename = "some.apk"
digest = s.add(filename)
a, d, dx = s.get_objects_apk(filename=filename)
  • filename – the filename of the APK file, only used of digest is None

  • digest – the sha256 hash, as returned by add() for the APK


a tuple of (APK, [DalvikVMFormat], Analysis)


Yields all dex objects inclduing their Analysis objects


tuple of (sha256, DalvikVMFormat, Analysis)


Yields all StringAnalysis for all unique Analysis objects


Test if any file was analyzed in this session


True if any file was analyzed, False otherwise


Reset the current session, delete all added files.


Save the current session, see also Save().


Print information to stdout about the current session. Gets all APKs, all DEX files and all Analysis objects.

androguard.util module

androguard.util.get_certificate_name_string(name, short=False, delimiter=', ')

Format the Name type of a X509 Certificate in a human readable form.

  • name (dict or asn1crypto.x509.Name) – Name object to return the DN from

  • short (boolean) – Use short form (default: False)

  • delimiter (str) – Delimiter string or character between two parts (default: ‘, ‘)

Return type

str, binary=True)

Open and read a file

  • filename – filename to open and read

  • binary – True if the file should be read as binary


bytes if binary is True, str otherwise

Module contents