Reverse-Engineering apps on the device - how far can we go? (Droidcon UK 2019)

Slide 1

Slide 1 text

@jebstuart — ware.to/reverse Reverse-Engineering on the Device:  How Far Can We Go? Jeb Ware American Express

Slide 2

Slide 2 text

@jebstuart — ware.to/reverse Reverse-Engineering on the Device:  How Far Can We Go? Jeb Ware American Express

Slide 3

Slide 3 text

@jebstuart — ware.to/reverse Views expressed here are my own   and do not necessarily reﬂect   the views of my employer.

Slide 4

Slide 4 text

@jebstuart — ware.to/reverse Reverse-Engineering on Device? APK

Slide 5

Slide 5 text

@jebstuart — ware.to/reverse Reverse-Engineering on Device? APK

Slide 6

Slide 6 text

@jebstuart — ware.to/reverse # Reverse-Engineering on Device? APK

Slide 7

Slide 7 text

@jebstuart — ware.to/reverse Reverse-Engineering on Device! APK APK

Slide 8

Slide 8 text

@jebstuart — ware.to/reverse App Sandboxing APK Sandbox res dex so asset files db shared pref keys APK Sandbox res dex so asset files db shared pref keys APK Sandbox res dex so asset files db shared pref keys

Slide 9

Slide 9 text

@jebstuart — ware.to/reverse /data/app/com.example.yourapp-1/base.apk

Slide 10

Slide 10 text

@jebstuart — ware.to/reverse /data/app/com.example.yourapp-1/base.apk context.packageManager .getInstalledApplications(...) .map { it.publicSourceDir }

Slide 11

Slide 11 text

@jebstuart — ware.to/reverse /data/app/com.example.yourapp-1/base.apk context.packageManager .getInstalledApplications(...) .map { it.publicSourceDir }

Slide 12

Slide 12 text

@jebstuart — ware.to/reverse APK • AndroidManifest.xml • assets/ • … • classes.dex • classes2.dex • res/ • anim/ • color/ • drawable/ • layout/ • raw/ • …

Slide 13

Slide 13 text

@jebstuart — ware.to/reverse val zip = ZipFile(appInfo.publicSourceDir)  zip.entries().toList() .map { zip.getInputStream(it) } .onEach { ... }

Slide 14

Slide 14 text

@jebstuart — ware.to/reverse Compiled XML ? @.;FP}?  interpolatordurationshareInterpolator fromYDeltatoYDeltaandroid**http:// schemas.android.com/apk/res/androidset translate?A????????8????????????t???????????? ?????????????????????????????????

Slide 15

Slide 15 text

@jebstuart — ware.to/reverse val appId = “com.example.yourapp" val res: Resources = packageManager.getResourcesForApplication(appId)

Slide 16

Slide 16 text

@jebstuart — ware.to/reverse val res: Resources = packageManager.getResourcesForApplication(appId) res.getString(0x7f0e0003)

Slide 17

Slide 17 text

@jebstuart — ware.to/reverse val res: Resources = packageManager.getResourcesForApplication(appId) res.getString(0x7f0e0003) “Hello, World!”

Slide 18

Slide 18 text

@jebstuart — ware.to/reverse val res: Resources = packageManager.getResourcesForApplication(appId) res.getString(0x7f0e0003) “Hello, World!” ???

Slide 19

Slide 19 text

@jebstuart — ware.to/reverse Resource IDs 0x7f0e0003

Slide 20

Slide 20 text

@jebstuart — ware.to/reverse Resource IDs 0x7f0e0003 ??? ??? ???

Slide 21

Slide 21 text

@jebstuart — ware.to/reverse

Slide 22

Slide 22 text

@jebstuart — ware.to/reverse

Slide 23

Slide 23 text

@jebstuart — ware.to/reverse Resource IDs 0x7f0e0003

Slide 24

Slide 24 text

@jebstuart — ware.to/reverse 0e Resource IDs { const 0x7f 0003

Slide 25

Slide 25 text

@jebstuart — ware.to/reverse 0e Resource IDs { { const type 0x7f 0003

Slide 26

Slide 26 text

@jebstuart — ware.to/reverse 0e Resource IDs { { { const type identiﬁer 0x7f 0003

Slide 27

Slide 27 text

@jebstuart — ware.to/reverse Enumerating Resources 0x7f 0000 01

Slide 28

Slide 28 text

@jebstuart — ware.to/reverse Enumerating Resources 0x7f 0001 01

Slide 29

Slide 29 text

@jebstuart — ware.to/reverse Enumerating Resources 0x7f 0002 01

Slide 30

Slide 30 text

@jebstuart — ware.to/reverse Enumerating Resources 0x7f 0003 01

Slide 31

Slide 31 text

@jebstuart — ware.to/reverse Enumerating Resources 0x7f 0003 01 ResourceNotFoundException

Slide 32

Slide 32 text

@jebstuart — ware.to/reverse Enumerating Resources 0x7f 0000 02

Slide 33

Slide 33 text

@jebstuart — ware.to/reverse Enumerating Resources val res: Resources = packageManager.getResourcesForApplication(appId) val name = res.getResourceName(0x7f0e0003) val type = res.getResourceTypeName(0x7f0e0003) val entry = res.getResourceEntryName(0x7f0e0003)

Slide 34

Slide 34 text

Slide 35

Slide 35 text

@jebstuart — ware.to/reverse Loading Resource Values val res: Resources = packageManager.getResourcesForApplication(appId) res.getBoolean(0x7f0e0123) res.getColor(0x7f0e0123, null) res.getDimension(0x7f0e0123) res.getDrawable(0x7f0e0123, null) res.getInteger(0x7f0e0123) res.getString(0x7f0e0123)

Slide 36

Slide 36 text

@jebstuart — ware.to/reverse Live demo!

Slide 37

Slide 37 text

@jebstuart — ware.to/reverse Enumerating Assets val res: Resources = packageManager.getResourcesForApplication(appId) val fileNames = res.assets.list("")

Slide 38

Slide 38 text

@jebstuart — ware.to/reverse Enumerating Assets val res: Resources = packageManager.getResourcesForApplication(appId) val fileNames = res.assets.list("") AMobileConfig.json bar.properties fonts html settings.json

Slide 39

Slide 39 text

@jebstuart — ware.to/reverse Enumerating Assets val inputStream = res.assets.open(path) // for image val bitmap = BitmapFactory.decodeStream(inputStream) // for text file val text = inputStream.reader().readLines()

Slide 40

Slide 40 text

@jebstuart — ware.to/reverse Live demo?

Slide 41

Slide 41 text

@jebstuart — ware.to/reverse DEX ﬁles

Slide 42

Slide 42 text

@jebstuart — ware.to/reverse DEX ﬁles

Slide 43

Slide 43 text

@jebstuart — ware.to/reverse DEX ﬁles val apk = ZipFile(appInfo.publicSourceDir) val dexEntries = apk.entries().toList() .filter { it.name.startsWith("classes") && it.name.endsWith(".dex") }

Slide 44

Slide 44 text

@jebstuart — ware.to/reverse

Slide 45

Slide 45 text

@jebstuart — ware.to/reverse .class ﬁles

Slide 46

Slide 46 text

@jebstuart — ware.to/reverse .dex ﬁle .class ﬁles

Slide 47

Slide 47 text

@jebstuart — ware.to/reverse .dex ﬁle

Slide 48

Slide 48 text

@jebstuart — ware.to/reverse .dex ﬁle header

Slide 49

Slide 49 text

@jebstuart — ware.to/reverse .dex ﬁle header strings table

Slide 50

Slide 50 text

@jebstuart — ware.to/reverse .dex ﬁle header strings table code ’n’ stuﬀ

Slide 51

Slide 51 text

@jebstuart — ware.to/reverse .dex ﬁle header strings table code ’n’ stuﬀ

Slide 52

Slide 52 text

@jebstuart — ware.to/reverse implementation 'com.jakewharton.android.repackaged:dalvik-dx:9.0.0_r3'

Slide 53

Slide 53 text

@jebstuart — ware.to/reverse import com.android.dex.Dex val strings = dexFiles.flatMap { val dex = Dex(it.readBytes()) dex.strings() }

Slide 54

Slide 54 text

@jebstuart — ware.to/reverse import com.android.dex.Dex val strings = dexFiles.flatMap { val dex = Dex(it.readBytes()) dex.strings() }

Slide 55

Slide 55 text

@jebstuart — ware.to/reverse import com.android.dex.Dex val strings = dexFiles.flatMap { val dex = Dex(it.readBytes()) dex.strings() }

Slide 56

Slide 56 text

@jebstuart — ware.to/reverse import com.android.dex.Dex val strings = dexFiles.flatMap { val dex = Dex(it.readBytes()) dex.strings() }

Slide 57

Slide 57 text

@jebstuart — ware.to/reverse ¡Live demo!

Slide 58

Slide 58 text

@jebstuart — ware.to/reverse .dex ﬁle header strings table code ’n’ stuﬀ

Slide 59