provide us a disassembled representation of the Dalvik bytecode, so sort “low level”, with registers, but very understandable because of bytecode metadata. Very useful to disable tampering protections, the code can be modiﬁed and the application can be recompiled and resigned.
jad …) dex2jar will convert the .dex ﬁle to a .jar containing Java code We can then use the freely available Java decompilers and obtain back a Java representation of the code. Very readable if no obfuscation is in place.
It can be done with few lines in Proguard and Dexguard, they remove all the calls to Log.d, Log.e etc in the build process • It’s very easy for third party malware or an attacker to access the Logs on Android.
data in the shared storage, almost any application can read it. (In 4.4 a small protection at permission level was added android.permission.READ_EXTERNAL _STORAGE, usually users does not check permissions too much anyway… Don’t rely on this.)
With root access they can be modiﬁed, avoid store sensitive data at all if possible • With a backup, they can be retrieved from the device usually • The private folder can be found on the device at path /data/data/yourpackage
in transit! • Don’t transmit sensitive information without SSL/TLS • Implement if possibile Certiﬁcate Pinning, in this way your communications will be more resistant to MITM attacks, for example if a malicious certiﬁcate is pushed into the device, or if an attacker can impersonate your web service with a trusted certiﬁcate.
forced for technical limitation in the sharing process between the PC and the device. • Without root permissions, the user can only write in the shared folder, or the application can use third party services, such ﬁle sharing API by Dropbox, to share the wallet ﬁle.
an attacker can easily understand the logic of the application and the weak points. • First weak spot: LOGS, the application disabled in productions the logging of the user credentials and other internal information to the Logcat, but the logs are only disabled, the code that logs at the critical points (even the user password) it’s in there.