Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
[WeAreDevelopers World Conference] Reversing Android Apps
Search
Marc Obrador
June 30, 2021
Programming
0
540
[WeAreDevelopers World Conference] Reversing Android Apps
Marc Obrador
June 30, 2021
Tweet
Share
More Decks by Marc Obrador
See All by Marc Obrador
[Droidcon London 2023] REST in Peace: A Journey Through API Protection
marcobrador
0
63
[Droidcon Berlin 2023] Obfuscation in Mobile Apps
marcobrador
0
1.2k
[mDevCamp 2020] Reversing Android Apps
marcobrador
3
2.6k
Introduction to Mobile App Security
marcobrador
2
370
[ICE71 CyberSecurity Networking Night] Mobile App Security: A developer's introduction
marcobrador
0
760
[GDG BCN 2019] Introduction to Android App Security
marcobrador
1
860
[DroidCon Lisbon 2019] Intro to Android App Security
marcobrador
2
400
Other Decks in Programming
See All in Programming
Git Rebase
bkuhlmann
11
1.6k
単体テストを書かない技術 #phpcon_odawara
o0h
PRO
27
8.3k
Let's learn code review
riofujimon
2
440
GraphQLサーバの構成要素を整理する #ハッカー鮨 #tsukijigraphql / graphql server technology selection
izumin5210
4
840
冗長なエラーログを削減し、スタックトレースを手に入れる / Reducing Verbose Error Logs and Obtaining Stack Traces
upamune
0
820
Java 22 Overview
kishida
1
180
サイコロで理解する統計的仮説検定の考え方
tatamiya
4
960
Scalable Customer Journey Orchestration (CJO)
lewuathe
0
340
Netty Chicago Java User Group 2024-04-17
sullis
0
180
PHPの次期バージョンはこの時期どうなっているのか - Internalsの開発体制について - PHPカンファレンス小田原
youkidearitai
PRO
1
190
スキーマ駆動開発による品質とスピードの両立 - 私達は何故、スキーマを書くのか
kentaroutakeda
0
170
1BRC--Nerd Sniping the Java Community
gunnarmorling
0
340
Featured
See All Featured
The Straight Up "How To Draw Better" Workshop
denniskardys
227
130k
The Cost Of JavaScript in 2023
addyosmani
16
3.9k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
40
4.4k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
19
1.7k
The Pragmatic Product Professional
lauravandoore
25
5.8k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
25
2.3k
Bash Introduction
62gerente
604
210k
How GitHub (no longer) Works
holman
304
140k
Debugging Ruby Performance
tmm1
70
11k
Writing Fast Ruby
sferik
621
60k
How GitHub Uses GitHub to Build GitHub
holman
468
290k
Producing Creativity
orderedlist
PRO
337
39k
Transcript
Reversing Android Apps
Marc Obrador Lead Architect @ Build38 Barcelona
[email protected]
@marcobrador /in/marc-obrador
None
Source: https://en.wikipedia.org/wiki/Reverse_engineering It’s illegal (in the EU)!
None
Josep Bernad iOS Albert Sunyer UI
Artà is in Mallorca ABF takes place (usually) in June
COVID-19 pushed it to … ?
None
Get to know the app Step 0
Get to know the app
Get to know the app
Get to know the app
Get to know the app
Static Analysis Step 1
Static Analysis
Getting the APK
Decompiling the app https://ibotpeaches.github.io/Apktool/ $ brew install apktool
Decompiling the app
None
None
None
None
None
Let’s keep looking around
Wait… “discount codes”?
App users get a discount for events
None
Let’s take a closer look…
None
HTTP Basic Authorisation = Base64(“username:password”)
None
HTTP Basic Authorisation = Base64(“username:password”) username = “string1” xor “string2”
pasword = “string3” xor “string2”
None
Protecting against static analysis ProGuard is a good start… for
regular apps • It’s just method renaming and code shrinking • Tools for reversing ProGuard exist: http://apk-deguard.com/ Other (paid) alternatives exist for obfuscation Writing sensitve code in native (NDK) is a good idea
Dynamic Analysis Step 2
Dynamic Analysis
Dynamic Analysis
Network Sniffing a.k.a MITM
Network Sniffing https://www.charlesproxy.com/
Setting Up Charles Proxy
Setting Up Charles Proxy
Setting Up Charles Proxy
First attempt…
First attempt…
Setting Up Charles Proxy
Setting Up Charles Proxy
Let’s try again…
None
None
None
None
None
• Use certificate pinning • Implement Root/Debugger/Emulator/Hooking Framework detection •
Try to detect app tampering Protecting against dynamic analysis
Using Certificate Pinning Source: https://developer.android.com/training/articles/security-config
Tampering with the App Step 3
Assuming the app implemented Certificate Pinning…
$ adb install “Downloads/Artà Beer Festival_v1.2.5_apkpure.com.apk” Performing Streamed Install Success
$ adb shell am start com.marcobrador.android.artabeerfestival/.SplashActivity Starting: Intent { act=android.intent.action.MAIN cat=[android.intent.category .LAUNCHER] cmp=com.marcobrador.android.artabeerfestival/.SplashActivity }
Let’s try to remove it
None
None
None
Time to give it a try!
None
None
Preventing Repackaging
Looks like we are done here Looks like we are
done here
This code can be removed, too!
Closing Thoughts
None
None
None
Thank you!