Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Bypassing APK Protections

Daiane Santos
December 23, 2022
24

Bypassing APK Protections

Go Hacking for Change 2022

Daiane Santos

December 23, 2022
Tweet

Transcript

  1. Disclaimer: The content presented here is from my responsibility and

    has nothing to do with the opinions of my employer.
  2. It's okay not to know all the answers. It's better

    to admit our ignorance than to believe answers that might be wrong. Pretending to know everything, closes the door to finding out what's really there. Neil deGrasse Tyson
  3. 02 01 whoami mobile timeline 03 owasp mobile top 10

    04 protections 05 bypasses 06 contact what we have for today Agenda
  4. Daiane Santos Mobile Security Engineer @ Nubank CTF Player and

    Captain @ RATF Autist AH/SD Enthusiast of Neuroscience I like chess whoami
  5. 1987 Calls Mobira Cityman 900 First GSM (2G) phone Calls

    SMS 1992 1996 Vibrate Mode GSM SMS Calls 2000 FM Radio Opera mini web browser Camera Voice Recorder Vibrate Mode GSM (3G) SMS Calls 2007 First iPhone Apps A lot of new features Timeline Nokia 2110 Motorola StarTAC Nokia 3310 iPhone 2G
  6. Change .apk for .zip And you're be able to see

    all the folders, AndroidManifest, etc. easy "hack"
  7. API calls or endpoints understanding the way some security controls

    are implemented root detection -> SuperUser hardcoded sensitive information inside the code backdoor accounts, API keys and secrets, passwords... interesting strings points of encryption and obfuscation so we can decrypt and de-obfuscate What we are looking for?
  8. Activities: Broadcast receivers: Services: Components that provide a screen with

    which users can interact. Components that receive and respond to broadcast messages from other apps or from the operating system. Components that perform operations in the background. What we are looking for?
  9. attacks on activities If an application has an activity that

    is exported, other applications can also invoke it. <activity android:label="@string/profile" android:name=".activities.ViewProfile" android:exported="true" /> This can be invoked by other malicious applications that are running on the device.
  10. attacks on broadcast receivers That means any application will be

    able to send arbitrary, uncontrolled SMSs.
  11. Tempering Smali We can see there is a “if” condition

    is the decision maker element that decides whether the application is rooted or a Non-rooted device.
  12. MagiskSU: Magisk Modules: MagiskBoot: Zygisk: Provide root access for applications

    Modify read-only partitions by installing modules The most complete tool for unpacking and repacking Android boot images Run code in every Android applications' processes What we can do?