Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
[WeAreDevelopers World Conference] Reversing An...
Search
Marc Obrador
June 30, 2021
Programming
0
660
[WeAreDevelopers World Conference] Reversing Android Apps
Marc Obrador
June 30, 2021
Tweet
Share
More Decks by Marc Obrador
See All by Marc Obrador
[Droidcon London 2023] REST in Peace: A Journey Through API Protection
marcobrador
0
110
[Droidcon Berlin 2023] Obfuscation in Mobile Apps
marcobrador
0
1.3k
[mDevCamp 2020] Reversing Android Apps
marcobrador
3
2.8k
Introduction to Mobile App Security
marcobrador
2
380
[ICE71 CyberSecurity Networking Night] Mobile App Security: A developer's introduction
marcobrador
0
780
[GDG BCN 2019] Introduction to Android App Security
marcobrador
1
900
[DroidCon Lisbon 2019] Intro to Android App Security
marcobrador
2
470
Other Decks in Programming
See All in Programming
[FEConf 2025] 모노레포 절망편, 14개 레포로 부활하기까지 걸린 1년
mmmaxkim
0
810
バイブコーディング × 設計思考
nogu66
0
120
【第4回】関東Kaggler会「Kaggleは執筆に役立つ」
mipypf
0
670
Jakarta EE Core Profile and Helidon - Speed, Simplicity, and AI Integration
ivargrimstad
0
110
Comparing decimals in Swift Testing
417_72ki
0
170
Scale out your Claude Code ~自社専用Agentで10xする開発プロセス~
yukukotani
9
2.5k
AI時代のドメイン駆動設計-DDD実践におけるAI活用のあり方 / ddd-in-ai-era
minodriven
22
8.7k
エンジニアのための”最低限いい感じ”デザイン入門
shunshobon
0
120
コンテキストエンジニアリング Cursor編
kinopeee
1
660
『リコリス・リコイル』に学ぶ!! 〜キャリア戦略における計画的偶発性理論と変わる勇気の重要性〜
wanko_it
1
580
CSC305 Summer Lecture 05
javiergs
PRO
0
100
Constant integer division faster than compiler-generated code
herumi
2
680
Featured
See All Featured
Product Roadmaps are Hard
iamctodd
PRO
54
11k
10 Git Anti Patterns You Should be Aware of
lemiorhan
PRO
656
61k
The Invisible Side of Design
smashingmag
301
51k
RailsConf 2023
tenderlove
30
1.2k
Testing 201, or: Great Expectations
jmmastey
45
7.6k
Optimising Largest Contentful Paint
csswizardry
37
3.4k
A better future with KSS
kneath
239
17k
Building a Modern Day E-commerce SEO Strategy
aleyda
43
7.5k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
34
6k
For a Future-Friendly Web
brad_frost
179
9.9k
Designing for Performance
lara
610
69k
Art, The Web, and Tiny UX
lynnandtonic
302
21k
Transcript
Reversing Android Apps
Marc Obrador Lead Architect @ Build38 Barcelona
[email protected]
@marcobrador /in/marc-obrador
None
Source: https://en.wikipedia.org/wiki/Reverse_engineering It’s illegal (in the EU)!
None
Josep Bernad iOS Albert Sunyer UI
Artà is in Mallorca ABF takes place (usually) in June
COVID-19 pushed it to … ?
None
Get to know the app Step 0
Get to know the app
Get to know the app
Get to know the app
Get to know the app
Static Analysis Step 1
Static Analysis
Getting the APK
Decompiling the app https://ibotpeaches.github.io/Apktool/ $ brew install apktool
Decompiling the app
None
None
None
None
None
Let’s keep looking around
Wait… “discount codes”?
App users get a discount for events
None
Let’s take a closer look…
None
HTTP Basic Authorisation = Base64(“username:password”)
None
HTTP Basic Authorisation = Base64(“username:password”) username = “string1” xor “string2”
pasword = “string3” xor “string2”
None
Protecting against static analysis ProGuard is a good start… for
regular apps • It’s just method renaming and code shrinking • Tools for reversing ProGuard exist: http://apk-deguard.com/ Other (paid) alternatives exist for obfuscation Writing sensitve code in native (NDK) is a good idea
Dynamic Analysis Step 2
Dynamic Analysis
Dynamic Analysis
Network Sniffing a.k.a MITM
Network Sniffing https://www.charlesproxy.com/
Setting Up Charles Proxy
Setting Up Charles Proxy
Setting Up Charles Proxy
First attempt…
First attempt…
Setting Up Charles Proxy
Setting Up Charles Proxy
Let’s try again…
None
None
None
None
None
• Use certificate pinning • Implement Root/Debugger/Emulator/Hooking Framework detection •
Try to detect app tampering Protecting against dynamic analysis
Using Certificate Pinning Source: https://developer.android.com/training/articles/security-config
Tampering with the App Step 3
Assuming the app implemented Certificate Pinning…
$ adb install “Downloads/Artà Beer Festival_v1.2.5_apkpure.com.apk” Performing Streamed Install Success
$ adb shell am start com.marcobrador.android.artabeerfestival/.SplashActivity Starting: Intent { act=android.intent.action.MAIN cat=[android.intent.category .LAUNCHER] cmp=com.marcobrador.android.artabeerfestival/.SplashActivity }
Let’s try to remove it
None
None
None
Time to give it a try!
None
None
Preventing Repackaging
Looks like we are done here Looks like we are
done here
This code can be removed, too!
Closing Thoughts
None
None
None
Thank you!