Slide 1

Slide 1 text

Android App Repackaging

JD

Copyright ⓒ All Rights Reserved by Buzzvil

Slide 2

Slide 2 text

App Build Process

Slide 3

Slide 3 text

ApkBuilder

    private void init(File apkFile, File resFile, File dexFile, PrivateKey key,
            X509Certificate certificate, PrintStream verboseStream) throws ApkCreationException {
        ...
        mBuilder = new SignedJarBuilder(
                new FileOutputStream(mApkFile, false /* append */), key, certificate);
        ...
    }

ApkBuilder.java

    private void doAddFile(File file, String archivePath)
            throws DuplicateFileException, IOException {
        ...
        mBuilder.writeFile(file, archivePath);
    }

ApkBuilder.java

● An APK file is a ZIP-format archive

Slide 4

Slide 4 text

APK File Structure

● An APK file is a ZIP-format archive
● We can run zip operations on an APK file

    $ unzip [.apk] -d [output]

    $ unzip com.buzzvil.adhours.apk -d com.buzzvil.adhours
    $ ls com.buzzvil.adhours
    AndroidManifest.xml  META-INF  assets  classes.dex  classes2.dex  res  resources.arsc

Slide 5

Slide 5 text

APK File Structure

● An APK file is a ZIP-format archive
● We can run zip operations on an APK file
● But a ZIP file created the ordinary way (with the zip tool) is not a valid APK file.

    $ zip -r com.buzzvil.adhours.apk com.buzzvil.adhours
    $ adb install com.buzzvil.adhours.apk
    adb: failed to install com.buzzvil.adhours.apk: Failure [INSTALL_PARSE_FAILED_UNEXPECTED_EXCEPTION: ...

Because

Slide 6

Slide 6 text

Do repack

    $ target=com.buzzvil.adhours
    $ java -jar apktool.jar d $target.apk -o $target
    $ java -jar apktool.jar b $target
    $ java -jar signapk.jar [.pem] [.pk] $target/dist/$target.apk [signed apk]
    $ adb install [signed apk]
    Success
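The signing step matters because ApkBuilder writes the archive through a SignedJarBuilder (slide 3), which records a digest of every entry under META-INF. The following check is an added example, not code from the slides: it reports entries whose bytes no longer match META-INF/MANIFEST.MF. The function names and the sample archive are constructed for illustration, and only the JAR-style manifest is covered.

```python
import base64
import hashlib
import io
import zipfile

def manifest_digests(text):
    """Parse MANIFEST.MF into {entry name: (hash algorithm, base64 digest)}."""
    # Long manifest lines are wrapped; a continuation line starts with one space.
    text = text.replace("\r\n", "\n").replace("\n ", "")
    digests = {}
    for section in text.split("\n\n"):
        fields = dict(l.split(": ", 1) for l in section.split("\n") if ": " in l)
        for key, value in fields.items():
            if "Name" in fields and key.endswith("-Digest"):  # e.g. SHA-256-Digest
                digests[fields["Name"]] = (key[:-7].replace("-", "").lower(), value)
    return digests

def check_apk(apk_bytes):
    """Return findings; an empty list means every entry matches the manifest."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        names = set(apk.namelist())
        if "META-INF/MANIFEST.MF" not in names:
            return ["no META-INF/MANIFEST.MF (archive was not built by a signing tool)"]
        if not any(n.startswith("META-INF/") and n.endswith((".RSA", ".DSA", ".EC")) for n in names):
            findings.append("no signature block in META-INF")
        digests = manifest_digests(apk.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for name in sorted(n for n in names if not n.startswith("META-INF/") and not n.endswith("/")):
            algo, expected = digests.get(name, (None, None))
            if algo is None:
                findings.append(f"{name}: not listed in manifest")
            elif base64.b64encode(hashlib.new(algo, apk.read(name)).digest()).decode() != expected:
                findings.append(f"{name}: digest mismatch")
    return findings

def build_sample(files, signed=True, replace=None):
    """Constructed test archive; CERT.RSA is a placeholder, not a real signature."""
    buf, manifest = io.BytesIO(), "Manifest-Version: 1.0\r\n\r\n"
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, (replace or {}).get(name, data))  # stored bytes may differ
            digest = base64.b64encode(hashlib.sha256(data).digest()).decode()
            manifest += f"Name: {name}\r\nSHA-256-Digest: {digest}\r\n\r\n"
        if signed:
            z.writestr("META-INF/MANIFEST.MF", manifest)
            z.writestr("META-INF/CERT.RSA", b"placeholder")
    return buf.getvalue()

SAMPLE = {"classes.dex": b"constructed dex bytes", "AndroidManifest.xml": b"<manifest/>"}
```

Matching digests only show that the entries agree with the manifest inside the same archive. The repack flow above re-signs with a different key, so detecting a repackaged app also means comparing the signing certificate with the publisher's known certificate.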

Slide 7

Slide 7 text

APK Repackaging Tools

Main tools

● apktool
    - baksmali
    - smali
● jarsigner / signapk

Sub tools

● dex2jar with jd-gui
● jadx

Slide 8

Slide 8 text

Attacks

● Code Injection
● Library Injection

    import android.util.Log;
    import java.util.Map;

    // Logging helper that is compiled to smali and added to the target app.
    public class Dump {
        // Write a single string to logcat under the tag "jd".
        public static void dump(String str) {
            Log.d("jd", "" + str);
        }

        // Write every key/value pair of a map to logcat under the tag "jd".
        public static void dump(Map<?, ?> map) {
            for (Map.Entry<?, ?> elem : map.entrySet()) {
                Log.d("jd", "" + elem.getKey() + " " + elem.getValue());
            }
        }
    }

    # Build
    $ javac -cp android.jar Dump.java
    # make dex
    $ dx --dex --output=Dump.dex Dump.class
    # make smali from dex
    $ java -jar baksmali.jar d Dump.dex -o out

Slide 9

Slide 9 text

Attacks

● Code Injection
● Library Injection

[Diagram labels: Dump.smali, Attack.smali, Sniff Library smalis, TargetApp]

Slide 10

Slide 10 text

Attacks - Reason

● Linking Process
    ○ Find the class or method that matches the descriptor.
    ○ The descriptor string is looked up by its index in the dex file.
● So, attackers can inject malicious code more easily

    ObjPtr<mirror::Class> ClassLinker::FindClass(
        Thread* self, const char* descriptor, Handle<mirror::ClassLoader> class_loader) {
      …
    }

    FindClass(thread, "java/lang/String", loader);

Slide 11

Slide 11 text

Thank you!