DroidCon London 2014

Talk about Android Reverse Engineering and prevention

Enrique López Mañas

October 31, 2014

Transcript

  1. None
  2. Agenda: - Intro - Purpose - Tools - APK Structure - Obtaining APKs - Decompiling - Manipulation - Repackage/signing - Examples - Prevention
  3. Ego slide: Mobile Developer @ Sixt - M. Sc. UCM/RWTH - +EnriqueLópezMañas - @eenriquelopez
  4. Reverse Engineering: Obtaining source code from a compiled source
  5. Why Java? - Java code is partially compiled and then interpreted - JVM and opcodes are fixed - Few instructions - No real protection
  6. Why Android? - APKs are easily downloadable - Obfuscation does not happen by default - APK to JAR translation is easy
  7. Legal issues. Small set: - Don’t decompile, recompile and pass it off as your own - Don’t try to sell it as your own - If License Agreement forbids decompiling, do not decompile - Don’t decompile to remove protection mechanisms
  8. Legal issues, US: - Precedents allowing decompilation (Sega vs. Accolade, http://digital-law-online.info/cases/24PQ2D1561.htm) - But also forbidding it! (http://digital-law-online.info/cases/24PQ2D1015.htm)
  9. Legal issues, EU (Directive on the Legal Protection of Computer Programs): - Allows decompilation (if you need access to internal calls and authors refuse to divulge API) BUT: - Only to interface your program - Only if they are not protected
  10. Generally YES: - Understand interoperability - Create a program interface. NO: - Create a copy and sell it.
  11. Malware Privacy leaks Cheating Code injection Passwords Score manipulation Download from obscure sources Personal data Asset manipulation Unrequested data collection/steal Ads
  12. Educational Interfacing Protection Learning code Creating interfaces Checking our own mistakes! Researching bugs Improving existing resources
  13. Dex2Jar

  14. JD-GUI

  15. JAD

  16. apktool

  17. Eclipse

  18. Java programming (SDK/NDK) - Compiling to DEX, running in DVM - Package signed as APK - Distribution (freely, Google Play or other)
  19. Obtaining APK Converting DEX to Jar Decompiling Java

  20. How to obtain APKs: 1.- Pulling from device 2.- Using GooglePlay Python API 3.- Alternative sources 4.- Sniffer transfer
  21. Pulling from device: - Connect with USB cable - ADB - Root

  22. Alternative Sources:

  23. Sniffer:

  24. Google Play Python API:

  25. First unzip

  26. Using dex2jar to create a Jar

  27. Using a Java Decompiler

  28. Some tips: • Look for known strings • Not only code: also XML and resources • Be aware of obfuscation
  29. • Edit and modify resources • Change essential code • SMALI
  30. • Create certificate with JDK Keytool • Sign Jar with JDK jarsigner
  31. • HelloWorld • Crackme • Code injection

  32. Protecting your source: "[We want] to protect [the] code by making reverse engineering so technically difficult that it becomes impossible or at the very least economically inviable." -Christian Collberg,
  33. Idea #1 Writing two versions of the app

  34. Idea #2 Obfuscation Inserting dead or irrelevant code

  35. Idea #2 Obfuscation Extending loop conditions

  36. Idea #2 Obfuscation Interleaving methods

  37. Idea #3 WebServices

  38. Idea #3a HTTPS. Period.

  39. Idea #4 FingerPrinting our code

  40. Idea #5 Native methods

  41. Idea #6 Checking root

  42. Idea #7 DexGuard

  43. Idea #7 DexGuard

  44. None
  45. Thank you ! + Enrique López Mañas @eenriquelopez