
Droidcon IT 2014

Marco Grassi
February 06, 2014


Transcript

  1. REVERSE ENGINEERING, PENTESTING AND HARDENING OF ANDROID APPS. Droidcon IT Torino 2014. Marco Grassi @marcograss, Mobile Security Analyst @ viaForensics
  2. $ whoami • R&D Team Member @ viaForensics • Developer background (both Android and iOS) • Part of my job is to attack and break mobile apps
  3. None
  4. AGENDA • Reverse Engineering and Obfuscation • Tampering Detection • Logging • File Storage • Secure Network Communications • IPC Attack Surface • RAM Memory Attacks • More Advanced Material: Runtime Manipulation • Extra: Creating Cheats for Android Games :)
  5. SANTOKU LINUX https://santoku-linux.com/

  6. PULLING THE APK FROM THE DEVICE

  7. REVERSE ENGINEERING FREE TOOLS • apktool and smali/baksmali: they provide a disassembled representation of the Dalvik bytecode, so somewhat "low level", with registers, but very understandable thanks to the bytecode metadata. Very useful to disable tampering protections: the code can be modified and the application recompiled and resigned.
  8. DISASSEMBLED SMALI CODE

  9. REVERSE ENGINEERING FREE TOOLS • dex2jar + Java decompiler (jd-gui, jad …): dex2jar converts the .dex file to a .jar containing Java bytecode. We can then use the freely available Java decompilers and obtain back a Java representation of the code. Very readable if no obfuscation is in place.
  10. DECOMPILED JAVA CODE

  11. REVERSE ENGINEERING PRO TOOLS • JEB Decompiler • Renaming feature, very handy with obfuscated applications • Python APIs • Native Dalvik decompiler: it does not pass through Java bytecode, so decompilation is usually much better
  12. REVERSE ENGINEERING PRO TOOLS • IDA + Hex-Rays Decompiler • De facto the best interactive disassembler and decompiler on the market. Impressive set of APIs: you can write modules or scripts for everything.
  13. REVERSE ENGINEERING PRO TOOLS • Hopper Disassembler • Very nice disassembler and decompiler with a killer price.
  14. OBFUSCATION: PROGUARD • Free • Integrated into the build environment • NOT Android specific • http://developer.android.com/tools/help/proguard.html
  15. DECOMPILED CODE WITH PROGUARD

  16. OBFUSCATION: DEXGUARD • Commercial product from the ProGuard author • Android specific • Native support for string and code encryption and tamper detection • Very easy to use, with a config file like ProGuard
  17. DECOMPILED CODE WITH DEXGUARD

  18. TAMPERING DETECTION

  19. DEFEATING TAMPERING DETECTION WHY OBFUSCATION IS FUNDAMENTAL

  20. LOGGING • Remove Logcat logging from your production builds. • It can be done with a few lines in ProGuard and DexGuard: they remove all the calls to Log.d, Log.e etc. in the build process. • It's very easy for third-party malware or an attacker to access the logs on Android.
  21. FILE STORAGE: EXTERNAL STORAGE • Try to avoid storing your data in the shared storage: almost any application can read it. (In 4.4 a small protection at permission level was added, android.permission.READ_EXTERNAL_STORAGE, but users usually don't check permissions much anyway… Don't rely on this.)
  22. FILE STORAGE: PRIVATE APP FOLDER • Encrypt your preferences/files • With root access they can be modified; avoid storing sensitive data at all if possible • With a backup, they can usually be retrieved from the device • The private folder can be found on the device at the path /data/data/yourpackage
  23. FILE STORAGE SQLITE DATABASES

  24. SQLCIPHER

  25. #1 RULE: YOU DO NOT IMPLEMENT YOUR OWN CRYPTOGRAPHY. #2 Rule: You do NOT implement your own Cryptography.
  26. SECURE NETWORK COMMUNICATIONS • It's your responsibility to protect data in transit! • Don't transmit sensitive information without SSL/TLS • If possible, implement Certificate Pinning: in this way your communications will be more resistant to MITM attacks, for example if a malicious certificate is pushed onto the device, or if an attacker can impersonate your web service with a trusted certificate.
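An added example of the pinning the slide recommends (not code from the deck or from viaForensics): after the platform has validated the chain against the device trust store, the app additionally requires that some certificate in the chain carries a public key whose SHA-256 matches a pin compiled into the app. The two pin strings are placeholders; `PinnedConnection` and its methods are names chosen here.

```java
import java.io.IOException;
import java.net.URL;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLPeerUnverifiedException;
import android.util.Base64;

public final class PinnedConnection {
    // Placeholders: Base64 of SHA-256 over the server's SubjectPublicKeyInfo (DER).
    // Pin the leaf plus a backup key so a planned key rotation does not lock users out.
    private static final Set<String> PINS = new HashSet<>(Arrays.asList(
            "REPLACE_WITH_BASE64_SHA256_OF_LEAF_SPKI",
            "REPLACE_WITH_BASE64_SHA256_OF_BACKUP_SPKI"));

    /** Opens the connection; refuses it unless the validated chain contains a pinned key. */
    public static HttpsURLConnection open(URL url) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.connect(); // normal chain validation against the device trust store runs here
        try {
            enforcePins(conn.getServerCertificates());
        } catch (SSLPeerUnverifiedException e) {
            conn.disconnect(); // never read a response from an unpinned peer
            throw e;
        }
        return conn;
    }

    /** A rogue CA pushed onto the device still passes validation; the pin check stops it. */
    static void enforcePins(Certificate[] chain) throws SSLPeerUnverifiedException {
        for (Certificate cert : chain) {
            if (PINS.contains(spkiSha256(cert))) {
                return;
            }
        }
        throw new SSLPeerUnverifiedException("no certificate in the chain matches a pin");
    }

    static String spkiSha256(Certificate cert) {
        try {
            byte[] spki = cert.getPublicKey().getEncoded();
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(spki);
            return Base64.encodeToString(digest, Base64.NO_WRAP);
        } catch (NoSuchAlgorithmException e) {
            throw new AssertionError(e); // SHA-256 is always available on Android
        }
    }
}
```

Pinning the public key rather than the whole certificate survives certificate renewal as long as the key is kept; the backup pin covers the case where it is not.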
  27. IPC ATTACK SURFACE THE ANDROID MANIFEST

  28. IPC ATTACK SURFACE EXAMPLE: SCREEN BYPASS

  29. 1PASSWORD READER • Password wallet application for Android, a companion application of the Mac/Windows client, to be able to share our passwords between our PC and the mobile device, leveraging Dropbox or the Shared Storage.
  30. BE CAREFUL WITH BROADCASTED INTENTS
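An added illustration of the risk behind this slide (not code from the deck): an implicit broadcast carrying sensitive extras is delivered to any installed app that registers a receiver for the action, while the hardened form limits delivery to the app's own package and a signature-level permission. The action, permission name and `UnlockBroadcasts` class are constructed for the example.

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;

/** Constructed app-internal event ("wallet unlocked") used to show both patterns. */
public final class UnlockBroadcasts {
    static final String ACTION_UNLOCKED = "com.example.wallet.UNLOCKED";           // constructed
    // Constructed; declared in the manifest with android:protectionLevel="signature",
    // so only apps signed with the same key as ours can hold it.
    static final String PERM_INTERNAL = "com.example.wallet.permission.INTERNAL";

    /** Weak: implicit broadcast. Any app with a receiver for ACTION_UNLOCKED gets the
     *  Intent, extras included, with no permission required at all. */
    static void announceUnlockWeak(Context ctx, String masterPassword) {
        Intent i = new Intent(ACTION_UNLOCKED);
        i.putExtra("password", masterPassword); // sensitive data leaves the process
        ctx.sendBroadcast(i);
    }

    /** Hardened: explicit delivery to our own package, a permission on the receiving
     *  side, and no secret in the payload at all. */
    static void announceUnlockHardened(Context ctx) {
        Intent i = new Intent(ACTION_UNLOCKED);
        i.setPackage(ctx.getPackageName());  // only components of this app can receive it
        ctx.sendBroadcast(i, PERM_INTERNAL); // receivers must additionally hold the permission
    }

    /** Receiver registration that only accepts senders holding PERM_INTERNAL. */
    static void listen(Context ctx, BroadcastReceiver receiver) {
        ctx.registerReceiver(receiver, new IntentFilter(ACTION_UNLOCKED), PERM_INTERNAL, null);
    }
}
```

The same reasoning applies to exported activities, services and receivers in the manifest: set `android:exported="false"` or guard them with a permission unless another app genuinely has to reach them.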

  31. LET’S INSTALL SOME MALWARE

  32. RESULTS

  33. RAM MEMORY ATTACKS • An attacker can retrieve and inspect the RAM used by our application and search for sensitive information. • Avoid storing such sensitive information inside instance or static variables.
  34. RAM MEMORY ATTACKS • An easy way to get an incomplete (VM only) chunk of live memory from our application is to use the "Dump HPROF" functionality in the monitor tool, with a debuggable application or a device with the flag ro.debuggable=1
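An added example for slides 33 and 34 (not code from the deck): keep the passphrase out of long-lived fields and out of `String` objects, which cannot be wiped and linger in the heap until collected, so a heap dump taken after unlock has less to find. `PassphraseHandling`, the PBKDF2 parameters and the salt argument are constructed for the example.

```java
import android.text.Editable;
import android.widget.EditText;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public final class PassphraseHandling {
    // Anti-pattern from the slide: a secret parked in a static field stays reachable for
    // the whole process lifetime and shows up verbatim in an HPROF dump.
    //   static String cachedMasterPassword;

    /** Copy the passphrase out of the widget as char[] instead of calling toString(). */
    static char[] takePassphrase(EditText field) {
        Editable text = field.getText();
        char[] buf = new char[text.length()];
        text.getChars(0, text.length(), buf, 0);
        text.clear(); // drop the widget's own copy as soon as we have ours
        return buf;
    }

    /** Derive the working key, then zero every buffer under our control. */
    static SecretKey deriveKeyAndWipe(char[] passphrase, byte[] salt)
            throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(passphrase, salt, 10000, 256); // constructed params
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(spec);
        } finally {
            spec.clearPassword();          // zeroes the internal copy PBEKeySpec made
            Arrays.fill(passphrase, '\0'); // zero our own buffer
        }
    }
}
```

This shrinks the window rather than closing it: the VM may have moved or copied the array during GC, and the derived key itself still has to be scoped as narrowly as the wallet allows.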
  35. APPENDIX Extras with more advanced material

  36. RUNTIME MANIPULATION • Why modify the code of the application by recompiling it when we can modify the code at runtime, without alerting the basic tampering detection?
  37. RUNTIME MANIPULATION

  38. MOST POPULAR FRAMEWORKS • Cydia Substrate • Xposed Framework

  39. HOW CAN WE DEVELOP A PLUGIN AND WHAT CAN WE DO WITH IT?
  40. 1PASSWORD READER • Password wallet application for Android, a companion application of the Mac/Windows client, to be able to share our passwords between our PC and the mobile device, leveraging Dropbox or the Shared Storage.
  41. 1PASSWORD: WHY SHARED STORAGE AND DROPBOX? • These choices are forced by technical limitations in the sharing process between the PC and the device. • Without root permissions, the user can only write to the shared folder, or the application can use third-party services, such as the file sharing API by Dropbox, to share the wallet file.
  42. FIRST LOOK • The 1Password wallet is totally unobfuscated, so an attacker can easily understand the logic of the application and its weak points. • First weak spot: LOGS. The application disabled in production the logging of the user credentials and other internal information to Logcat, but the logs are only disabled: the code that logs at the critical points (even the user password) is still in there.
  43. HELLO WORLD: WHAT CODE CHANGE? LET’S ENABLE LOGGING

  44. REPLACED METHODS

  45. RESULTS

  46. CANDY! Reverse engineering is fun!

  47. LET’S USE RUNTIME MANIPULATION TO CHEAT IN ANDROID GAMES!

  48. AGIMAT • Simple cheat engine/app for Android using runtime manipulation • When more games are supported and if there is interest, it will be open sourced (no time)
  49. SUPER HEXAGON Addictive but difficult game for Android

  50. None
  51. VIDEO DEMO

  52. SECURITY IS A PROCESS.

  53. None
  54. SECURE MOBILE DEVELOPMENT BEST PRACTICES: AVOIDING COMMON PROBLEMS AND CREATING MORE SECURE APPS FOR IOS AND ANDROID
  55. None
  56. Great book to start with Secure Android Development, written by my friend @scottyab
  57. GET CERTIFIED bit.ly/1lwIGjl

  58. WE ARE HIRING!

  59. None
  60. @marcograss MGrassi@viaforensics.com