
Android App Repackaging

By JD

Buzzvil

July 25, 2018

Transcript

  1. Copyright ⓒ All Right Reserved by Buzzvil

     ApkBuilder

     ApkBuilder.java

         private void init(File apkFile, File resFile, File dexFile,
                 PrivateKey key, X509Certificate certificate,
                 PrintStream verboseStream) throws ApkCreationException {
             ...
             mBuilder = new SignedJarBuilder(
                     new FileOutputStream(mApkFile, false /* append */),
                     key, certificate);
             ...
         }

     ApkBuilder.java

         private void doAddFile(File file, String archivePath)
                 throws DuplicateFileException, IOException {
             ...
             mBuilder.writeFile(file, archivePath);
         }

     • An APK file uses the zip file format
  2. APK File Structure

     • An APK file uses the zip file format
     • We can run zip operations on an APK file

         $ unzip [.apk] -d [output]
         $ unzip com.buzzvil.adhours.apk -d com.buzzvil.adhours
         $ ls com.buzzvil.adhours
         AndroidManifest.xml META-INF assets classes.dex classes2.dex res resources.arsc
  3. APK File Structure

     • An APK file uses the zip file format
     • We can run zip operations on an APK file
     • But a zip file created by the usual method is not the same as an APK file.

         $ zip -r com.buzzvil.adhours.apk com.buzzvil.adhours
         $ adb install com.buzzvil.adhours.apk
         adb: failed to install com.buzzvil.adhours.apk: Failure [INSTALL_PARSE_FAILED_UNEXPECTED_EXCEPTION: ... Because
  4. Do repack

         $ target=com.buzzvil.adhours
         $ java -jar apktool.jar d $target.apk -o $target
         $ java -jar apktool.jar b $target
         $ java -jar signapk.jar [.pem] [.pk] $target/dist/$target.apk [signed apk]
         $ adb install [signed apk]
         Success
  5. APK Repackaging Tools

     Main tools
     • apktool
       - baksmali
       - smali
     • jarsigner / signapk

     Sub tools
     • dex2jar with jd-gui
     • jadx
  6. Attacks

     • Code Injection
     • Library Injection

         import android.util.Log;
         import java.util.Map;
         import java.util.HashMap;

         public class Dump {
             public static void dump(String str) {
                 Log.d("jd", "" + str);
             }

             public static void dump(Map<String, String> map) {
                 for (Map.Entry<String, String> elem : map.entrySet()) {
                     Log.d("jd", "" + elem.getKey() + " " + elem.getValue());
                 }
             }
         }

         # Build
         $ javac -cp android.jar Dump.java
         # make dex
         $ dx --dex --output=Dump.dex Dump.class
         # make smali from dex
         $ java -jar baksmali.jar d Dump.dex -o out
  7. Attacks

     • Code Injection
     • Library Injection

     [Diagram labels: Dump.smali Attack.smali Sniff Library smalis TargetApp]
  8. Attacks - Reason

     • Linking Process
       ◦ Find the class or method that matches the descriptor.
       ◦ The descriptor string is found by using an index in the dex file.
     • So, attackers can inject malicious code more easily

         ObjPtr<mirror::Class> ClassLinker::FindClass(
                 Thread* self, const char* descriptor,
                 Handle<mirror::ClassLoader> class_loader) { … }

         FindClass(thread, "java/lang/String", loader);
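
Added example (not from the deck or from Buzzvil): slides 1 to 4 show ApkBuilder writing every file through SignedJarBuilder and a repacked APK needing a fresh signature before it installs. The Python check below compares the per-file digests that JAR (v1) signing records in META-INF/MANIFEST.MF with the actual zip entries, so a file changed or injected without re-signing is reported; the function names and the sample archives are constructed for illustration.

```python
import base64, hashlib, io, zipfile

DIGESTS = {"SHA-256-Digest": "sha256", "SHA1-Digest": "sha1"}
MF = "META-INF/MANIFEST.MF"

def parse_manifest(text):
    """Return {entry name: (hash algorithm, base64 digest)} from MANIFEST.MF."""
    # Manifest lines longer than 72 bytes continue on the next line after one space.
    text = text.replace("\r\n", "\n").replace("\n ", "")
    entries = {}
    for section in text.split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in section.split("\n") if ": " in l)
        digest = next(((a, attrs[k]) for k, a in DIGESTS.items() if k in attrs), None)
        if "Name" in attrs and digest:
            entries[attrs["Name"]] = digest
    return entries

def check_apk(apk_bytes):
    """Compare each zip entry with the digest the manifest recorded for it."""
    report = {"modified": [], "unlisted": [], "missing": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        # Signature files under META-INF/ are not listed in the manifest themselves.
        names = [n for n in z.namelist()
                 if not n.startswith("META-INF/") and not n.endswith("/")]
        raw = z.read(MF) if MF in z.namelist() else b""
        listed = parse_manifest(raw.decode("utf-8"))
        for name in names:
            if name not in listed:
                report["unlisted"].append(name)   # added after signing
                continue
            algo, expected = listed[name]
            actual = base64.b64encode(hashlib.new(algo, z.read(name)).digest()).decode()
            if actual != expected:
                report["modified"].append(name)   # content changed after signing
        report["missing"] = sorted(set(listed) - set(names))
    return report

def build_sample(files, manifest_files=None):
    """Constructed sample: zip of `files` whose manifest covers `manifest_files`."""
    manifest = "Manifest-Version: 1.0\n\n"
    for name, data in (manifest_files or files).items():
        digest = base64.b64encode(hashlib.sha256(data).digest()).decode()
        manifest += f"Name: {name}\nSHA-256-Digest: {digest}\n\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(MF, manifest)
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()

ORIGINAL = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex-original"}
TAMPERED = {**ORIGINAL, "classes.dex": b"dex-patched", "classes2.dex": b"dex-added"}
```

A repackager who re-signs, as on slide 4, regenerates these digests, so this check has to be paired with comparing the APK's signing certificate against the publisher's known one.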