Slide 1

Android Reverse Engineering and Analysis

Slide 2

Tato Kutalia (tatocaster) - Android Chapter Lead @ TBC
tatocaster.me | debuggerpodcast.ge

Slide 3

Slide 4

Plan
● Tools
● Static Analysis vs Dynamic
● What is Reverse Engineering (RE)
● Stats
● CTF

Slide 5

Tools

Static Analysis
● JADX - Decompiler
● ApkTool - Decompiler
● Dex2Jar - Dex decompiler to Jar
● JD-GUI - Java Decompiler

Dynamic analysis
● FRIDA

Disassembler
● GHIDRA
● IDA PRO

Slide 6

Application Structure: APK
● AndroidManifest.xml
● META-INF/ - java meta/signatures
● classes.dex - dalvik bytecode
● lib/ - native libs
● assets/ - other

Slide 7

Java vs Android compilation

Slide 8

Java vs Smali

Java:
    private static void myMethod()

smali:
    .method private static myMethod()V

Slide 9

Java vs Smali

Java:
    public boolean myStrMethod(byte mybyte, String str)

smali:
    .method public myStrMethod(BLjava/lang/String;)Z

(B = byte; object types are written as Ljava/lang/String; with a trailing semicolon; Z = boolean return type)

References:
http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html
https://github.com/JesusFreke/smali/wiki

Slide 10

Entry point
● Activity
● Services
● Receivers
● ContentProviders
● Application
● exported components!!

Slide 11

RE? Malware analysis? Pentest?
● list activities and exported components
● monitor api calls - Burp Suite + (bypass SSL pinning)?
● analyze decompiled code
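The "list activities and exported components" step, as an added example that is not part of the talk: a small Python script that reads an apktool-decoded AndroidManifest.xml and reports which components other apps can reach, applying the pre-Android 12 rule that an intent-filter exports a component unless android:exported says otherwise. The manifest, package name and component names are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest in decoded (apktool) form; not taken from any real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <application android:name=".DemoApp">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".ResetPinActivity" android:exported="true"/>
    <service android:name=".SyncService" android:exported="false"/>
    <receiver android:name=".SyncDoneReceiver">
      <intent-filter><action android:name="com.example.demo.SYNC_DONE"/></intent-filter>
    </receiver>
    <provider android:name=".DataProvider" android:authorities="com.example.demo.data"
              android:exported="true" android:permission="com.example.demo.READ_DATA"/>
  </application>
</manifest>"""


def android_attr(element, name):
    """Read an attribute from the android: namespace (None if absent)."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def exported_components(manifest_xml):
    """Return (tag, name, reason, permission) for each component other apps can reach.
    An explicit android:exported wins. Without it, a component with an intent-filter
    is exported by default (Android < 12 behaviour); otherwise it stays private.
    """
    results = []
    for element in ET.fromstring(manifest_xml).find("application"):
        if element.tag not in COMPONENT_TAGS:
            continue
        explicit = android_attr(element, "exported")
        has_filter = element.find("intent-filter") is not None
        if explicit is not None:
            exported, reason = explicit == "true", "android:exported=" + explicit
        else:
            exported = has_filter
            reason = "implicit: intent-filter, no android:exported" if has_filter else "private"
        if exported:  # permission=None means any app on the device can reach it
            results.append((element.tag, android_attr(element, "name"), reason,
                            android_attr(element, "permission")))
    return results
```

Components reported with permission=None and an "implicit" reason are the ones to review first: the developer never decided whether they should be exported.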

Slide 12

RE: DEMO

Slide 13

What about .so files?

Slide 14

Slide 15

Slide 16

Slide 17

Dynamic analysis
● change and examine the app at runtime

Slide 18

DEMO

Slide 19

FRIDA Gadget vs FRIDA Server

Gadget:
- decompile APK
- add FRIDA native library to lib/
- inject into bytecode
- add permission
- repackage
- sign
- install

Java:
    System.loadLibrary("frida-gadget")

smali:
    const-string v0, "frida-gadget"
    invoke-static {v0}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V

Slide 20

Scanned Apps

Slide 21

Scanned Apps
- bypass otp/pin
- client side check only
- SQL injection
- base64 decoding leading to app crash
- mobile number / otp / pin / email enumeration
- exposed client secrets
- save sessionId in preferences
- password reset does not kill the current session
- leaking Google API keys
- leaking test url and users in prod
- leaking test features in production app

Slide 22

Scanned Apps

Slide 23

Bug Bounty

Slide 24

Catch the Flags

Slide 25

Slide 26

Questions