DroidCon London 2014

Transcript

1. None

2. Agenda: -Intro -Purpose -Tools -APK Structure -Obtaining APKs -Decompiling -Manipulation

   -Repackage/signing -Examples -Prevention

3. Ego slide Mobile Developer @ Sixt M. Sc. UCM/RWTH +EnriqueLópezMañas

   @eenriquelopez

4. Reverse Engineering Obtaining source code from a compiled source

5. Why Java? -Java code is partially compiled and then interpreted

   -JVM and opcodes are fixed -Few instructions -No real protection

6. Why Android? -APKs are easily downloadable -Obfuscation does not happen

   by default - APK to JAR translation is easy

7. Legal issues Small set: - Don’t decompile, recompile and pass

   it off as your own - Don’t try to sell it as your own - If License Agreement forbids decompiling, do not decompile -Don’t decompile to remove protection mechanisms

8. Legal issues US - Precedents allowing decompilation (Sega vs. Acolade,

   http://digital-law- online.info/cases/24PQ2D1561.htm) - But also forbidding it! (http://digital- law- online.info/cases/ 24PQ2D1015.htm)

9. Legal issues EU (Directive on the Legal Protection of Computer

   Programs ) - Allows decompilation (if you need access to internal calls and authors refuse to divulge API) BUT: -Only to interface your program -Only if they are not protected

10. Generally YES: - Understand interoperatibility - Create a program interface

    NO: - Create a copy and sell it.

11. Malware Privacy leaks Cheating Code injection Passwords Score manipulation Download

    from obscure sources Personal data Asset manipulation Unrequested data collection/steal Ads

12. Educational Interfacing Protection Learning code Creating interfaces Checking our own

    mistakes! Researching bugs Improving existing resources

13. Dex2Jar

14. JD-GUI

15. JAD

16. apktool

17. Eclipse

18. Java programming (SDK/NDK) Compiling to DEX, running in DVM Package

    signed as APK Distribution (freely, Google Play or other)

19. Obtaining APK Converting DEX to Jar Decompiling Java

20. How to obtain APKs 1.- Pulling from device 2.- Using

    GooglePlay Python API 3.- Alternative sources 4.- Sniffer transfer

21. Pulling from device: Connect with USB cable ADB Root

22. Alternative Sources:

23. Sniffer:

24. Google Play Python API:

25. First unzip

26. Using dex2jar to create a Jar

27. Using a Java Decompiler

28. Some tips: • Look for known strings • Not only

    code: also XML and resources • Be aware of obfuscation

29. • Edit and modify resources • Change essential code •

    SMALI

30. • Create certificate with JDK Keytool • Sign Jar with

    JDK jarsigner

31. • HelloWorld • Crackme • Code injection

32. Protecting your source [We want] to protect [the] code by

    making reverse engineering so technically difficult that it becomes impossible or at the very least economically inviable. -Christian Collberg,

33. Idea #1 Writing two versions of the app

34. Idea #2 Obfuscation Inserting dead or irrelevant code

35. Idea #2 Obfuscation Extending loop conditions

36. Idea #2 Obfuscation Interleaving methods

37. Idea #3 WebServices

38. Idea #3a HTTPS. Period.

39. Idea #4 FingerPrinting our code

40. Idea #5 Native methods

41. Idea #6 Checking root

42. Idea #7 DexGuard

43. Idea #7 DexGuard

44. None

45. Thank you ! + Enrique López Mañas @eenriquelopez