Upgrade to Pro — share decks privately, control downloads, hide ads and more …

[mDevCamp 2020] Reversing Android Apps

Marc Obrador
June 11, 2020
Programming
3
2.4k

[mDevCamp 2020] Reversing Android Apps

Marc Obrador

June 11, 2020
Tweet

More Decks by Marc Obrador

See All by Marc Obrador
[WeAreDevelopers World Conference] Reversing Android Apps
marcobrador
0
390
Introduction to Mobile App Security
marcobrador
2
320
[ICE71 CyberSecurity Networking Night] Mobile App Security: A developer's introduction
marcobrador
0
710
[GDG BCN 2019] Introduction to Android App Security
marcobrador
1
820
[DroidCon Lisbon 2019] Intro to Android App Security
marcobrador
2
340

Other Decks in Programming

See All in Programming
PDF_TDX_2023_Apex__What_s_New_and_What_s_Coming.pdf
fishofprey
3
740
Recon Slides by Anon_Y0gi
y0gi
0
210
UICollectionView Compositional Layout
usamik26
0
180
mrubyでマイコンの世界に足を踏み入れる
yuuu
0
440
Spring と AWS サービスを活用して実現する安全なデプロイメント / How to launch safely using Spring and AWS services
kanamasa
3
180
テキストエディタのブラウザ実装 / tokyo_study
oliver_diary
0
150
サバンナ便り〜自動テストに関する連載で得られた知見のまとめ〜
twada
PRO
12
2.3k
ANDPADの攻めと守り
andpad
1
260
音声合成してみよう
xztaityozx
2
620
Dart3を試す
masumitsu
0
160
Ruby (MRI) の好きなところ 30
coe401_
0
340
KMMのCI/CD
kubode
3
260

Featured

See All Featured
Bootstrapping a Software Product
garrettdimon
299
110k
How To Stay Up To Date on Web Technology
chriscoyier
779
250k
Code Reviewing Like a Champion
maltzj
508
38k
Art Directing for the Web. Five minutes with CSS Template Areas
malarkey
197
11k
Design by the Numbers
sachag
271
18k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
657
120k
Navigating Team Friction
lara
177
12k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
7
650
Building Better People: How to give real-time feedback that sticks.
wjessup
346
17k
What's new in Ruby 2.0
geeforr
336
30k
The World Runs on Bad Software
bkeepers
PRO
59
5.8k
Why You Should Never Use an ORM
jnunemaker
PRO
49
8k

Transcript

  1. Reversing Android Apps

    View Slide

  2. Marc Obrador
    Lead Architect @ Build38
    Barcelona
    [email protected]
    @marcobrador
    /in/marc-obrador

    View Slide

  3. View Slide

  4. Source: https://en.wikipedia.org/wiki/Reverse_engineering
    It’s illegal (in
    the EU)!

    View Slide

  5. View Slide

  6. Josep Bernad
    iOS
    Albert Sunyer
    UI

    View Slide

  7. Artà is in Mallorca
    ABF takes place
    (usually) in June
    COVID-19 pushed it to
    … ?

    View Slide

  8. View Slide

  9. Get to know the app
    Step 0

    View Slide

  10. Get to know
    the app

    View Slide

  11. Get to know
    the app

    View Slide

  12. Get to know
    the app

    View Slide

  13. Get to know
    the app

    View Slide

  14. Static Analysis
    Step 1

    View Slide

  15. Static Analysis

    View Slide

  16. Getting the APK

    View Slide

  17. Decompiling the app
    https://ibotpeaches.github.io/Apktool/
    $ brew install apktool

    View Slide

  18. Decompiling
    the app

    View Slide

  19. View Slide

  20. View Slide

  21. View Slide

  22. View Slide

  23. View Slide

  24. Let’s keep
    looking
    around

    View Slide

  25. Wait… “discount
    codes”?

    View Slide

  26. App users get a
    discount for
    events

    View Slide

  27. View Slide

  28. Let’s take a closer look…

    View Slide

  29. View Slide

  30. HTTP Basic Authorisation =
    Base64(“username:password”)

    View Slide

  31. View Slide

  32. HTTP Basic Authorisation =
    Base64(“username:password”)
    username = “string1” xor “string2”
    pasword = “string3” xor “string2”

    View Slide

  33. View Slide

  34. Protecting against static analysis
    ProGuard is a good start… for regular apps
    • It’s just method renaming and code shrinking
    • Tools for reversing ProGuard exist: http://apk-deguard.com/
    Other (paid) alternatives exist for obfuscation
    Writing sensitve code in native (NDK) is a good idea

    View Slide

  35. Dynamic Analysis
    Step 2

    View Slide

  36. Dynamic Analysis

    View Slide

  37. Dynamic Analysis

    View Slide

  38. Network Sniffing
    a.k.a MITM

    View Slide

  39. Network Sniffing
    https://www.charlesproxy.com/

    View Slide

  40. Setting Up
    Charles
    Proxy

    View Slide

  41. Setting Up
    Charles
    Proxy

    View Slide

  42. Setting Up
    Charles
    Proxy

    View Slide

  43. First
    attempt…

    View Slide

  44. First attempt…

    View Slide

  45. Setting Up Charles Proxy

    View Slide

  46. Setting Up
    Charles
    Proxy

    View Slide

  47. Let’s try
    again…

    View Slide

  48. View Slide

  49. View Slide

  50. View Slide

  51. View Slide

  52. View Slide

  53. • Implement Root/Debugger/Emulator/Hooking Framework detection
    • Use certificate pinning
    • Try to detect app tampering
    Protecting against dynamic analysis

    View Slide

  54. Using Certificate Pinning
    Source: https://developer.android.com/training/articles/security-config

    View Slide

  55. Tampering with the App
    Step 3

    View Slide

  56. Assuming the app implemented
    Certificate Pinning…

    View Slide

  57. $ adb install “Downloads/Artà Beer Festival_v1.2.5_apkpure.com.apk”
    Performing Streamed Install
    Success
    $ adb shell am start com.marcobrador.android.artabeerfestival/.SplashActivity
    Starting: Intent { act=android.intent.action.MAIN cat=[android.intent.category
    .LAUNCHER] cmp=com.marcobrador.android.artabeerfestival/.SplashActivity }

    View Slide

  58. Let’s try to remove it

    View Slide

  59. View Slide

  60. View Slide

  61. View Slide

  62. Time to give it a try!

    View Slide

  63. View Slide

  64. View Slide

  65. Preventing Repackaging

    View Slide

  66. Looks like we
    are done here
    Looks like we
    are done here

    View Slide

  67. This code can be
    removed, too!

    View Slide

  68. Closing Thoughts

    View Slide

  69. View Slide

  70. View Slide

  71. View Slide

  72. Thank you!

    View Slide