AnDevCon: Android Reverse Engineering

Transcript

1. None

2. Agenda: -Intro -Purpose -Tools -APK Structure -Obtaining APKs -Decompiling -Manipulation

   -Repackage/signing -Examples -Prevention !

3. Ego slide Mobile Developer @ Sixt M. Sc. UCM/RWTH CS

   Teacher at Alcalá University ! ! ! +EnriqueLópezMañas @eenriquelopez

4. Reverse Engineering Obtaining source code from a compiled source !

5. Why Java? -Java code is partially compiled and then interpreted

   -JVM and opcodes are fixed -Few instructions -No real protection

6. Why Android? -APKs are easily downloadable -Obfuscation does not happen

   by default - APK to JAR translation is easy

7. Legal issues Small set: ! - Don’t decompile, recompile and

   pass it off as your own - Don’t try to sell it as your own - If License Agreement forbids decompiling, do not decompile -Don’t decompile to remove protection mechanisms

8. Legal issues US ! - Precedents allowing decompilation ! (Sega

   vs. Acolade, http://digital- law-online.info/cases/ 24PQ2D1561.htm)

9. Legal issues EU (Directive on the Legal Protection of Computer

   Programs ) - Allows decompilation ! (if you need access to internal calls and authors refuse to divulge API) ! BUT: ! -Only to interface your program -Only if they are not protected

10. Generally YES: ! - Understand interoperatibility - Create a program

    interface ! NO: ! - Create a copy and sell it.

11. Malware Privacy leaks Cheating Code injection Passwords Score manipulation Download

    from obscure sources Personal data Asset manipulation Unrequested data collection/steal Ads

12. Educational Interfacing Protection Learning code Creating interfaces Checking our own

    mistakes! Researching bugs Improving existing resources

13. Dex2Jar

14. JD-GUI

15. JAD

16. apktool

17. Eclipse

18. Java programming (SDK/NDK) Compiling to DEX, running in DVM Package

    signed as APK Distribution (freely, Google Play or other)

19. Obtaining APK Converting DEX to Jar Decompiling Java

20. How to obtain APKs 1.- Pulling from device 2.- Using

    GooglePlay Python API 3.- Alternative sources 4.- Sniffer transfer

21. Pulling from device: Connect with USB cable ADB Root

22. Alternative Sources:

23. Sniffer:

24. Google Play Python API:

25. First unzip

26. Using dex2jar to create a Jar

27. Using a Java Decompiler

28. Some tips: •Look for known strings •Not only code: also

    XML and resources •Be aware of obfuscation

29. •Edit and modify resources •Change essential code •SMALI

30. •Create certificate with JDK Keytool •Sign Jar with JDK jarsigner

31. •HelloWorld •Crackme •Code injection

32. Protecting your source [We want] to protect [the] code by

    making reverse engineering so technically difficult that it becomes impossible or at the very least economically inviable. ! -Christian Collberg,

33. Idea #1 Writing two versions of the app

34. Idea #2 Obfuscation When obfu scation is outlawed, only outlaw

    s will sifj difdm wofiefiemf eifm.

35. Idea #3 WebServices

36. Idea #4 FingerPrinting our code

37. Idea #5 Native methods

38. None

39. Thank you ! + Enrique López Mañas @eenriquelopez