[mDevCamp 2020] Reversing Android Apps

Marc Obrador

June 11, 2020

Transcript

  1. Reversing Android Apps

  2. Marc Obrador
    Lead Architect @ Build38
    Barcelona
    [email protected]
    @marcobrador
    /in/marc-obrador

  4. Source: https://en.wikipedia.org/wiki/Reverse_engineering
    It’s illegal (in the EU)!

  6. Josep Bernad
    iOS
    Albert Sunyer
    UI

  7. Artà is in Mallorca
    ABF takes place
    (usually) in June
    COVID-19 pushed it to
    … ?

  9. Get to know the app
    Step 0

  10. Get to know the app

  11. Get to know the app

  12. Get to know the app

  13. Get to know the app

  14. Static Analysis
    Step 1

  15. Static Analysis

  16. Getting the APK

  17. Decompiling the app
    https://ibotpeaches.github.io/Apktool/
    $ brew install apktool

  18. Decompiling the app

  24. Let’s keep looking around

  25. Wait… “discount codes”?

  26. App users get a discount for events

  28. Let’s take a closer look…

  30. HTTP Basic Authorisation = Base64(“username:password”)

  32. HTTP Basic Authorisation = Base64(“username:password”)
    username = “string1” xor “string2”
    password = “string3” xor “string2”

  34. Protecting against static analysis
    ProGuard is a good start… for regular apps
    • It’s just method renaming and code shrinking
    • Tools for reversing ProGuard exist: http://apk-deguard.com/
    Other (paid) alternatives exist for obfuscation
    Writing sensitive code in native (NDK) is a good idea

  35. Dynamic Analysis
    Step 2

  36. Dynamic Analysis

  37. Dynamic Analysis

  38. Network Sniffing
    a.k.a. MITM

  39. Network Sniffing
    https://www.charlesproxy.com/

  40. Setting Up Charles Proxy

  41. Setting Up Charles Proxy

  42. Setting Up Charles Proxy

  43. First attempt…

  44. First attempt…

  45. Setting Up Charles Proxy

  46. Setting Up Charles Proxy

  47. Let’s try again…

  53. Protecting against dynamic analysis
    • Implement Root/Debugger/Emulator/Hooking Framework detection
    • Use certificate pinning
    • Try to detect app tampering

  54. Using Certificate Pinning
    Source: https://developer.android.com/training/articles/security-config
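    The slide points at the Android Network Security Config documentation; the configuration below is an added example (not the deck's code) of the pin-set that document describes, with api.example.com and the two pin values as placeholders for the app's real backend host and the SHA-256 hashes of its certificate public keys.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (added example, not from the deck).
     Referenced from the manifest with
     android:networkSecurityConfig="@xml/network_security_config"
     on the <application> element. Host and pins are placeholders. -->
<network-security-config>
    <!-- Default for every host: trust only the system CA store and refuse
         plaintext HTTP. A user-installed proxy CA (the Charles setup from
         the earlier slides) is therefore not accepted; Android 7 and later
         already behave this way unless an app opts in to user CAs. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Pin the backend: a TLS connection succeeds only if one of the pins
         matches a public key somewhere in the server's certificate chain. -->
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2021-12-31">
            <!-- Primary pin: base64 SHA-256 of the SPKI of the leaf
                 or an intermediate certificate (placeholder value) -->
            <pin digest="SHA-256">PLACEHOLDER_PRIMARY_PIN_BASE64=</pin>
            <!-- Backup pin for a key that is not deployed yet, so a key
                 rotation does not lock installed apps out (placeholder) -->
            <pin digest="SHA-256">PLACEHOLDER_BACKUP_PIN_BASE64=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
```

    The expiration date makes the pins stop being enforced after that day, which avoids bricking old installs if the key is rotated late; and because this file ships inside the APK, pinning only blocks interception of an unmodified app, which is why the previous slide pairs it with tamper detection.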

  55. Tampering with the App
    Step 3

  56. Assuming the app implemented Certificate Pinning…

  57. $ adb install “Downloads/Artà Beer Festival_v1.2.5_apkpure.com.apk”
    Performing Streamed Install
    Success
    $ adb shell am start com.marcobrador.android.artabeerfestival/.SplashActivity
    Starting: Intent { act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] cmp=com.marcobrador.android.artabeerfestival/.SplashActivity }

  58. Let’s try to remove it

  62. Time to give it a try!

  65. Preventing Repackaging

  66. Looks like we are done here

  67. This code can be removed, too!

  68. Closing Thoughts

  72. Thank you!
