Upgrade to Pro — share decks privately, control downloads, hide ads and more …

[HES2014] Vaccinating APK’s by Milan Gabor & Da...

[HES2014] Vaccinating APK’s by Milan Gabor & Danijel Grah

Number of mobile applications is rising and Android still holds large market share.
As these numbers of applications grow, we need better tools to understand how applications work and to analyze them. There is always a question if we can trust mobile applications to do only that that they are allowed to do and if they are really secure when transmitting our personal information to different servers. We will demonstrate, what can be found in mobile applications based on our experience. In the presentation some runtime techniques will be discussed and tool will be demonstrated. We will also be releasing and presenting tool can help developers to analyze runtime mobile Android applications and help them to look for different kind of vulnerabilities.
Basic principle of this method is injecting small piece of code into APK and then connect to it and use Java Reflection to runtime modify value, call methods, instantiate classes and create own scripts to automate work.
Tool is Java based and simple to use, but offers quite few new possibilities for security engineers and pentesters.

More information about Hackito Ergo Sum here : http://www.hackitoergosum.org

HackitoErgoSum

April 25, 2014
Tweet

More Decks by HackitoErgoSum

Other Decks in Research

Transcript

  1. adb pull /data/app(or app-private)/app1.apk unzip app1.apk dex2jar classes.dex jdgui classes2jar.jar

    adb pull /data/app/app1.apk unzip app1.apk java –jar baksmali.jar –o C:\pentest\app\classes.dex