Droidcon IT 2014

Marco Grassi
February 06, 2014

Transcript

  1. REVERSE ENGINEERING, PENTESTING
    AND HARDENING OF ANDROID APPS
    Droidcon IT Torino 2014

    Marco Grassi
    @marcograss
    Mobile Security Analyst @ viaForensics

  2. $ whoami
    • R&D Team Member @ viaForensics

    • Developer background (both Android
    and iOS)

    • Part of my job is to attack and break
    mobile apps

  4. AGENDA
    • Reverse Engineering and Obfuscation

    • Tampering Detection

    • Logging

    • File Storage

    • Secure Network Communications

    • IPC Attack Surface

    • RAM memory attacks

    • More Advanced Material: Runtime Manipulation

    • Extra: Creating Cheats for Android Games :)

  5. SANTOKU LINUX
    https://santoku-linux.com/

  6. PULLING THE APK FROM THE DEVICE

  7. REVERSE ENGINEERING

    FREE TOOLS
    • apktool and smali/baksmali
    They provide a disassembled
    representation of the Dalvik bytecode,
    so somewhat “low level”, with registers, but
    very understandable thanks to the
    bytecode metadata. Very useful to disable
    tampering protections: the code can be
    modified and the application can be
    recompiled and resigned.

  8. DISASSEMBLED SMALI CODE

  9. REVERSE ENGINEERING

    FREE TOOLS
    • dex2jar + Java decompiler (jd-gui, jad …)
    dex2jar will convert the .dex file to a .jar
    containing Java bytecode (.class files)

    We can then use the freely available Java
    decompilers and obtain back a Java
    representation of the code.

    Very readable if no obfuscation is in
    place.

  10. DECOMPILED JAVA CODE

  11. REVERSE ENGINEERING

    PRO TOOLS
    • JEB Decompiler
    Renaming feature, very handy with
    obfuscated applications

    Python APIs

    Native Dalvik decompiler: it does not
    pass through Java bytecode, so the
    decompilation is usually much better

  12. REVERSE ENGINEERING

    PRO TOOLS
    • IDA + Hex Rays Decompiler
    De facto the best interactive disassembler
    and decompiler on the market.

    Impressive set of APIs, you can write
    modules or scripts for everything.

  13. REVERSE ENGINEERING

    PRO TOOLS
    • Hopper Disassembler
    Very nice disassembler and decompiler
    with a killer price.

  14. OBFUSCATION

    PROGUARD
    • Free

    • Integrated into the build environment

    • NOT Android specific

    • http://developer.android.com/tools/help/proguard.html

  15. DECOMPILED CODE WITH PROGUARD

  16. OBFUSCATION

    DEXGUARD
    • Commercial product from the ProGuard
    author.

    • Android specific
    • Native support for string and code
    encryption and tamper detection
    • Very easy to use, with a config file like
    ProGuard's

  17. DECOMPILED CODE WITH DEXGUARD

  18. TAMPERING DETECTION

  19. DEFEATING TAMPERING DETECTION

    WHY OBFUSCATION IS FUNDAMENTAL
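
A minimal signing-certificate check of the kind these two slides refer to, added here as an example (it is not code from the deck). It assumes the SHA-256 of the release certificate is embedded at build time; the all-zero placeholder below is constructed and must be replaced:

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import java.security.MessageDigest;

/** Compares the SHA-256 of the APK's signing certificate with the value baked in at build time. */
public final class SignatureCheck {
    // Constructed placeholder: replace with the SHA-256 of your own release certificate.
    private static final byte[] EXPECTED_CERT_SHA256 = new byte[32];

    public static boolean isGenuine(Context ctx) {
        try {
            PackageInfo info = ctx.getPackageManager().getPackageInfo(
                    ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            // A repackaged APK is resigned with someone else's key, so the certificate changes.
            if (info.signatures == null || info.signatures.length != 1) return false;
            byte[] actual = MessageDigest.getInstance("SHA-256")
                    .digest(info.signatures[0].toByteArray());
            return MessageDigest.isEqual(actual, EXPECTED_CERT_SHA256);
        } catch (Exception e) {
            return false; // treat any lookup failure as "not genuine"
        }
    }
}
```

Without obfuscation this single method is easy to locate in the smali and neutralise, which is the point of the slide above: obfuscate it and call it from several places rather than from one gate.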

  20. LOGGING
    • Remove Logcat logging from your production builds.
    • It can be done with a few lines in ProGuard and DexGuard; they
    remove all the calls to Log.d, Log.e etc. in the build process.

    • It’s very easy for third-party malware or an attacker to access the
    logs on Android.
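
The ProGuard rule the slide refers to, added here as an example (not the deck's own configuration). It only takes effect when optimization is enabled, i.e. with proguard-android-optimize.txt rather than proguard-android.txt, which sets -dontoptimize:

```proguard
# Declare these calls side-effect free so the optimizer drops them from the
# release build, usually together with the string concatenation that built
# their arguments.
-assumenosideeffects class android.util.Log {
    public static int v(...);
    public static int d(...);
    public static int i(...);
    public static int w(...);
    public static int e(...);
    public static int wtf(...);
}
```

This does not touch e.printStackTrace() or System.out, and an argument that has side effects of its own (a method call doing real work) is kept, so guard expensive log statements with BuildConfig.DEBUG as well.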

  21. FILE STORAGE

    EXTERNAL STORAGE
    • Try to avoid storing your
    data in the shared storage:
    almost any application can
    read it. (In 4.4 a small protection at
    permission level was added,
    android.permission.READ_EXTERNAL_STORAGE,
    but users usually do not check
    permissions too much anyway… Don’t rely
    on this.)

  22. FILE STORAGE

    PRIVATE APP FOLDER
    • Encrypt your preferences/files
    • With root access they can be modified; avoid storing sensitive data at all if possible

    • With a backup, they can usually be retrieved from the device

    • The private folder can be found on the device at the path /data/data/yourpackage

  23. FILE STORAGE

    SQLITE DATABASES

  24. SQLCIPHER

  25. #1 RULE: YOU DO NOT IMPLEMENT YOUR OWN CRYPTOGRAPHY
    #2 Rule: You do NOT implement your own Cryptography

  26. SECURE NETWORK COMMUNICATIONS
    • It’s your responsibility to protect data in transit!
    • Don’t transmit sensitive information without SSL/TLS
    • Implement Certificate Pinning if possible; in this way your
    communications will be more resistant to MITM attacks, for example
    if a malicious certificate is pushed into the device, or if an attacker
    can impersonate your web service with a trusted certificate.

  27. IPC ATTACK SURFACE

    THE ANDROID MANIFEST

  28. IPC ATTACK SURFACE

    EXAMPLE: SCREEN BYPASS

  29. 1PASSWORD READER
    • Password wallet application for Android, a
    companion application of the Mac/Windows
    client, to share our passwords
    between our PC and the mobile device,
    leveraging Dropbox or the shared storage.

  30. BE CAREFUL WITH BROADCASTED
    INTENTS

  31. LET’S INSTALL SOME MALWARE

  32. RESULTS

  33. RAM MEMORY ATTACKS
    • An attacker can retrieve and
    inspect the RAM used
    by our application and search for
    sensitive information.

    • Avoid storing such sensitive
    information inside instance or
    static variables.

  34. RAM MEMORY ATTACKS
    • The easiest way to get an incomplete
    (VM-only) chunk of live memory from
    our application is to use the “Dump
    HPROF” functionality in the Monitor
    tool, with a debuggable application or
    a device with the flag
    ro.debuggable=1

  35. APPENDIX
    Extras with more advanced material

  36. RUNTIME MANIPULATION
    Why modify the code of the application
    by recompiling it when we can modify the
    code at runtime, without alerting the
    basic tampering detection?

  37. RUNTIME MANIPULATION

  38. MOST POPULAR FRAMEWORKS
    • Cydia Substrate

    • Xposed Framework
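
A defensive counterpart to the two frameworks above, added here as an example (not from the deck): heuristics an app can run on itself to notice that one of them is loaded in its process. The class and file names are the well-known ones the two frameworks ship; the class name of the detector is mine:

```java
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;

/** Heuristics for spotting Xposed or Cydia Substrate from inside the app's own process. */
public final class HookFrameworkDetector {

    /** Xposed loads XposedBridge.jar into every app process, so its classes resolve even if no module targets us. */
    public static boolean xposedClassesPresent() {
        try {
            Class.forName("de.robv.android.xposed.XposedBridge");
            return true;
        } catch (ClassNotFoundException e) {
            return false;
        }
    }

    /** Calls into a hooked method pass through XposedBridge frames, which show up in the stack. */
    public static boolean xposedFramesOnStack() {
        for (StackTraceElement frame : new Throwable().getStackTrace()) {
            if (frame.getClassName().startsWith("de.robv.android.xposed.")) return true;
        }
        return false;
    }

    /** Both frameworks map their own files into the process; /proc/self/maps lists every mapping. */
    public static boolean hookLibraryMapped() {
        try (BufferedReader r = new BufferedReader(new FileReader("/proc/self/maps"))) {
            String line;
            while ((line = r.readLine()) != null) {
                if (line.contains("libsubstrate") || line.contains("XposedBridge.jar")) return true;
            }
        } catch (IOException ignored) {
            // unreadable maps: report nothing rather than a false positive
        }
        return false;
    }

    public static boolean anyHookFrameworkDetected() {
        return xposedClassesPresent() || xposedFramesOnStack() || hookLibraryMapped();
    }
}
```

A framework that replaces methods at runtime can replace the detector too, so treat a hit as a signal to log or degrade rather than a guarantee; this is the same reason the deck calls obfuscation fundamental.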

  39. HOW CAN WE DEVELOP A PLUGIN AND
    WHAT CAN WE DO WITH IT?

  40. 1PASSWORD READER
    • Password wallet application for Android, a
    companion application of the Mac/Windows
    client, to share our passwords
    between our PC and the mobile device,
    leveraging Dropbox or the shared storage.

  41. 1PASSWORD: WHY SHARED STORAGE
    AND DROPBOX?
    • These choices are forced by technical limitations in the sharing process
    between the PC and the device.

    • Without root permissions, the user can only write in the shared
    folder, or the application can use third-party services, such as the file sharing
    API by Dropbox, to share the wallet file.

  42. FIRST LOOK
    • The 1Password wallet is totally unobfuscated, so an attacker can
    easily understand the logic of the application and the weak points.

    • First weak spot: LOGS. The application disabled in production the
    logging of the user credentials and other internal information to the
    Logcat, but the logs are only disabled: the code that logs at the critical
    points (even the user password) is still in there.

  43. HELLO WORLD: WHAT CODE CHANGE?
    LET’S ENABLE LOGGING

  44. REPLACED METHODS

  45. RESULTS

  46. CANDY!
    Reverse Engineering is fun!

  47. LET’S USE RUNTIME MANIPULATION
    TO CHEAT IN ANDROID GAMES!

  48. AGIMAT
    • Simple cheat engine/app for Android
    using runtime manipulation

    • When more games are supported and
    if there is interest, it will be
    open-sourced (no time)

  49. SUPER HEXAGON
    Addictive but difficult game for Android

  51. VIDEO DEMO

  52. SECURITY IS A PROCESS.

  54. SECURE MOBILE DEVELOPMENT BEST PRACTICES
    AVOIDING COMMON PROBLEMS AND CREATING MORE SECURE
    APPS FOR IOS AND ANDROID

  56. Great book to start with Secure Android Development, written by my
    friend @scottyab

  57. GET CERTIFIED
    bit.ly/1lwIGjl

  58. WE ARE HIRING!

  60. @marcograss
    [email protected]