Slide 1

REVERSE ENGINEERING, PENTESTING AND HARDENING OF ANDROID APPS Droidcon IT Torino 2014 Marco Grassi @marcograss - Mobile Security Analyst @ viaForensics

Slide 2

$ whoami • R&D Team Member @ viaForensics • Developer background (both Android and iOS) • Part of my job is to attack and break mobile apps

Slide 4

AGENDA • Reverse Engineering and Obfuscation • Tampering Detection • Logging • File Storage • Secure Network Communications • IPC Attack Surface • RAM memory attacks • More Advanced Material : Runtime Manipulation • Extra: Creating Cheats for Android Games : )

Slide 5

SANTOKU LINUX https://santoku-linux.com/

Slide 6

PULLING THE APK FROM THE DEVICE

Slide 7

REVERSE ENGINEERING FREE TOOLS • apktool and smali/baksmali They give us a disassembled representation of the Dalvik bytecode: fairly “low level” (register based), but very understandable because the bytecode keeps its metadata (class, method and field names, types). Very useful to disable tampering protections: the smali can be edited, the application rebuilt with apktool, then re-signed with our own key and installed.

Slide 8

DISASSEMBLED SMALI CODE

Slide 9

REVERSE ENGINEERING FREE TOOLS • dex2jar + Java decompiler (jd-gui, jad …) dex2jar converts the .dex file to a .jar containing Java bytecode. We can then use the freely available Java decompilers and obtain a Java source representation of the code. Very readable if no obfuscation is in place.

Slide 10

DECOMPILED JAVA CODE

Slide 11

REVERSE ENGINEERING PRO TOOLS • JEB Decompiler Renaming feature, very handy with obfuscated applications. Python APIs. Native Dalvik decompiler: it does not go through Java bytecode, so decompilation is usually much better.

Slide 12

REVERSE ENGINEERING PRO TOOLS • IDA + Hex-Rays Decompiler De facto the best interactive disassembler and decompiler on the market. Impressive set of APIs: you can write modules or scripts for everything.

Slide 13

REVERSE ENGINEERING PRO TOOLS • Hopper Disassembler Very nice disassembler and decompiler with a killer price.

Slide 14

OBFUSCATION PROGUARD • Free • Integrated into the build environment • NOT Android specific • http://developer.android.com/tools/help/proguard.html

Slide 15

DECOMPILED CODE WITH PROGUARD

Slide 16

OBFUSCATION DEXGUARD • Commercial product from the ProGuard author. • Android specific • Native support for string and code encryption and tamper detection • Very easy to use, with a config file like ProGuard

Slide 17

DECOMPILED CODE WITH DEXGUARD

Slide 18

TAMPERING DETECTION

Slide 19

DEFEATING TAMPERING DETECTION WHY OBFUSCATION IS FUNDAMENTAL
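A minimal signature check of the kind the two slides above refer to, as an added example (this is not code from the talk): the app hashes its own signing certificate and compares it with a fingerprint baked in at build time. An APK rebuilt with apktool has to be re-signed with the attacker's key, so the fingerprint changes. The class and method names and the placeholder fingerprint are assumptions.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.security.MessageDigest;

/**
 * Added example: detects a re-signed (repackaged) APK by fingerprinting the signing certificate.
 */
public final class TamperCheck {

    // Assumption: SHA-256 fingerprint of the release signing certificate, as printed by
    //   keytool -list -v -keystore release.keystore
    // and pasted in at build time.
    private static final String EXPECTED_CERT_SHA256 = "REPLACE:WITH:RELEASE:CERT:FINGERPRINT";

    private TamperCheck() {}

    /** Returns true when the running APK is NOT signed with the expected certificate. */
    public static boolean isRepackaged(Context ctx) {
        try {
            // GET_SIGNATURES is the API available in 2014 (API 28+ adds GET_SIGNING_CERTIFICATES).
            PackageInfo info = ctx.getPackageManager()
                    .getPackageInfo(ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            Signature[] sigs = info.signatures;
            if (sigs == null || sigs.length != 1) {
                return true; // unexpected signer set: treat as tampered
            }
            // Signature.toByteArray() is the DER-encoded signing certificate, the same
            // bytes keytool fingerprints.
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(sigs[0].toByteArray());
            return !EXPECTED_CERT_SHA256.equalsIgnoreCase(toFingerprint(digest));
        } catch (Exception e) {
            return true; // fail closed: any error is treated as tampering
        }
    }

    /** Formats a digest as keytool does: "AA:BB:CC:...". */
    static String toFingerprint(byte[] digest) {
        StringBuilder sb = new StringBuilder(digest.length * 3);
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) {
                sb.append(':');
            }
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }
}
```

Why obfuscation matters here: ProGuard renames `TamperCheck` and `isRepackaged`, but it cannot rename the `getPackageInfo` call, and `GET_SIGNATURES` is inlined as the constant `0x40`, so an attacker still finds the check by grepping the smali for `Landroid/content/pm/PackageManager;->getPackageInfo` and patches the method to return `false` (or hooks it at runtime, see the appendix). String and class encryption of the DexGuard kind, and letting the result feed into something harder to bypass than a single boolean branch (a key derivation, a server-side check of the fingerprint), raise the bar; an unobfuscated check is defeated in minutes.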

Slide 20

LOGGING • Remove Logcat logging from your production builds. • It can be done with a few lines in ProGuard and DexGuard: they strip all the calls to Log.d, Log.e etc. during the build. • It’s very easy for third-party malware or an attacker to access the logs on Android: before 4.1 any app holding READ_LOGS could read every application’s output; since 4.1 an app only sees its own entries, but anyone with adb access or root still sees everything.
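The "few lines" the slide mentions, as an added example of a ProGuard configuration fragment (not taken from the talk). The same rule works in DexGuard, which accepts ProGuard syntax.

```proguard
# Strip android.util.Log calls from release builds.
# -assumenosideeffects is only honoured when optimization is on: the SDK's
# proguard-android.txt contains -dontoptimize, so use proguard-android-optimize.txt
# as the base configuration instead.
-assumenosideeffects class android.util.Log {
    public static boolean isLoggable(java.lang.String, int);
    public static int v(...);
    public static int d(...);
    public static int i(...);
    public static int w(...);
    public static int e(...);
    public static int wtf(...);
}
```

Check the result rather than trusting the config: the call sites disappear, but the message strings built for them (concatenations via StringBuilder) may survive in the DEX, so disassemble the release APK with baksmali or dex2jar and confirm that both the `Log` invocations and the sensitive format strings are gone.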

Slide 21

FILE STORAGE EXTERNAL STORAGE • Avoid storing your data in the shared (external) storage: almost any application can read it. (Since 4.4 the android.permission.READ_EXTERNAL_STORAGE permission is enforced for reading it; it was introduced in 4.1 but optional until then. Users rarely scrutinize permissions anyway. Don’t rely on this.)

Slide 22

FILE STORAGE PRIVATE APP FOLDER • Encrypt your preferences/files • With root access they can be read and modified: avoid storing sensitive data at all if possible • With a backup (adb backup, unless android:allowBackup="false" is set in the manifest) they can usually be retrieved from the device • The private folder is on the device at /data/data/yourpackage

Slide 23

FILE STORAGE SQLITE DATABASES

Slide 24

SQLCIPHER

Slide 25

#1 RULE: YOU DO NOT IMPLEMENT YOUR OWN CRYPTOGRAPHY #2 Rule: You do NOT implement your own Cryptography
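Putting the storage slides together (private folder, SQLite, SQLCipher, no home-made crypto), as an added example that is not code from the talk: an encrypted database in the app's private directory, using the SQLCipher for Android API. The database, table and package names are placeholders.

```java
import android.content.Context;
import android.database.Cursor;
import java.io.File;
import net.sqlcipher.database.SQLiteDatabase;

/**
 * Added example: an encrypted SQLite database in /data/data/<package>/databases/,
 * using SQLCipher for Android instead of rolling our own encryption.
 */
public final class WalletStore {

    private final SQLiteDatabase db;

    /**
     * @param ctx        application context
     * @param passphrase the user's passphrase. SQLCipher derives the page key from it with
     *                   PBKDF2 and a random per-database salt kept in the file header, so no
     *                   key material has to be hardcoded in the APK.
     */
    public WalletStore(Context ctx, String passphrase) {
        SQLiteDatabase.loadLibs(ctx); // load the native SQLCipher libraries shipped with the app
        // getDatabasePath() resolves inside the private app folder, readable only by our UID (and root)
        File file = ctx.getDatabasePath("wallet.db"); // name is a placeholder
        file.getParentFile().mkdirs();
        db = SQLiteDatabase.openOrCreateDatabase(file, passphrase, null);
        db.execSQL("CREATE TABLE IF NOT EXISTS secrets ("
                + "id INTEGER PRIMARY KEY, name TEXT NOT NULL, value TEXT NOT NULL)");
    }

    public void put(String name, String value) {
        // bound parameters: a crafted name/value cannot change the statement
        db.execSQL("INSERT INTO secrets (name, value) VALUES (?, ?)", new Object[] {name, value});
    }

    public String get(String name) {
        Cursor c = db.rawQuery("SELECT value FROM secrets WHERE name = ?", new String[] {name});
        try {
            return c.moveToFirst() ? c.getString(0) : null;
        } finally {
            c.close();
        }
    }

    /** Closing drops SQLCipher's in-memory key; keep the database open only while needed. */
    public void close() {
        db.close();
    }
}
```

Two checks go with this: set `android:allowBackup="false"` on `<application>` (it defaults to true, and `adb backup` would otherwise carry the file off the device, where only the passphrase protects it), and remember that on a rooted device the file is readable and the derived key sits in RAM while the database is open, which is the subject of the RAM slides below.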

Slide 26

SECURE NETWORK COMMUNICATIONS • It’s your responsibility to protect data in transit! • Don’t transmit sensitive information without SSL/TLS • Implement certificate pinning if possible: your communications will be more resistant to MITM attacks, for example if a malicious CA certificate is pushed into the device trust store, or if an attacker can impersonate your web service with a certificate issued by a trusted CA.
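Pinning as the slide describes it, as an added example (not the talk's code): a trust manager that runs the normal chain validation first and then additionally requires that one certificate in the chain carries a pinned public key. The pin values are placeholders.

```java
import android.util.Base64;
import java.io.IOException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example: public-key pinning on top of (not instead of) the platform's chain validation.
 */
public final class PinnedTrustManager implements X509TrustManager {

    // Assumption: base64(SHA-256(SubjectPublicKeyInfo)) of our leaf or intermediate, plus a
    // backup pin so a key rotation does not lock out installed clients. Computed with:
    //   openssl x509 -in server.pem -pubkey -noout | openssl pkey -pubin -outform der \
    //     | openssl dgst -sha256 -binary | base64
    private static final Set<String> PINS = new HashSet<String>(Arrays.asList(
            "REPLACE_WITH_PRIMARY_PIN", "REPLACE_WITH_BACKUP_PIN"));

    private final X509TrustManager system;

    public PinnedTrustManager() throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = the device's default trust store
        system = (X509TrustManager) tmf.getTrustManagers()[0];
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        system.checkServerTrusted(chain, authType); // validity period, chain building, trusted root
        for (X509Certificate cert : chain) {
            if (PINS.contains(spkiSha256(cert))) {
                return; // valid chain AND one of our keys: accept
            }
        }
        // A CA the user was tricked into installing, or a mis-issued certificate, ends here.
        throw new CertificateException("no pinned public key in server chain");
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        system.checkClientTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return system.getAcceptedIssuers();
    }

    /** Pin the public key, not the whole certificate, so the cert can be renewed with the same key. */
    static String spkiSha256(X509Certificate cert) throws CertificateException {
        try {
            byte[] spki = cert.getPublicKey().getEncoded(); // DER SubjectPublicKeyInfo
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(spki);
            return Base64.encodeToString(digest, Base64.NO_WRAP);
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }

    /** Opens an HTTPS connection that uses the pinning trust manager. */
    public static HttpsURLConnection open(URL url) throws IOException, GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] {new PinnedTrustManager()}, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        return conn; // hostname verification is still done by HttpsURLConnection's default verifier
    }
}
```

Two caveats a tester will raise: the `chain` argument is what the server presented, so pin the leaf (tightest) or your intermediate (survives leaf renewals), and ship a backup pin; and pinning defends users against a network MITM, not the app against its owner: on a rooted device `checkServerTrusted` is one runtime hook away from always returning (see the runtime manipulation appendix).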

Slide 27

IPC ATTACK SURFACE THE ANDROID MANIFEST

Slide 28

IPC ATTACK SURFACE EXAMPLE: SCREEN BYPASS

Slide 29

1PASSWORD READER • Password wallet application for Android, companion of the Mac/Windows client, that lets us share our passwords between the PC and the mobile device through Dropbox or the shared storage.

Slide 30

BE CAREFUL WITH BROADCASTED INTENTS
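What "be careful" means in code, as an added example that is not from the talk and does not describe the 1Password case: the same "wallet unlocked" notification sent as a system-wide broadcast (readable and forgeable by any app) and the in-process / permission-protected alternatives. Package, action and extra names are placeholders.

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.support.v4.content.LocalBroadcastManager;

/**
 * Added example: broadcast intents and the IPC attack surface they open.
 *
 * Manifest side (placeholders). A receiver with an <intent-filter> is exported by default,
 * so either make it explicit that it is not:
 *   <receiver android:name=".UnlockBroadcasts$UnlockReceiver" android:exported="false">
 *       <intent-filter><action android:name="com.example.wallet.UNLOCKED"/></intent-filter>
 *   </receiver>
 * or, if another process of ours must reach it, guard it with a signature-level permission:
 *   <permission android:name="com.example.wallet.permission.INTERNAL"
 *               android:protectionLevel="signature"/>
 *   <receiver ... android:permission="com.example.wallet.permission.INTERNAL">
 */
public final class UnlockBroadcasts {

    static final String ACTION_UNLOCKED = "com.example.wallet.UNLOCKED";          // assumption
    static final String PERM_INTERNAL = "com.example.wallet.permission.INTERNAL"; // assumption

    /** WEAK: every app that registered for ACTION_UNLOCKED receives the extras. */
    static void notifyUnlockedLeaky(Context ctx, String sessionToken) {
        Intent i = new Intent(ACTION_UNLOCKED);
        i.putExtra("session", sessionToken); // sensitive data in a world-readable broadcast
        ctx.sendBroadcast(i);
    }

    /** BETTER: never leaves the process, so there is nothing for other apps to observe or forge. */
    static void notifyUnlockedLocal(Context ctx) {
        LocalBroadcastManager.getInstance(ctx).sendBroadcast(new Intent(ACTION_UNLOCKED));
    }

    /** If it must cross processes: restrict the receiver set AND require our signature permission. */
    static void notifyUnlockedOwnPackageOnly(Context ctx) {
        Intent i = new Intent(ACTION_UNLOCKED);
        i.setPackage(ctx.getPackageName()); // only components of this package are candidates
        ctx.sendBroadcast(i, PERM_INTERNAL); // receivers must hold the signature permission
    }

    /**
     * Receiver side. If this is exported without a permission, any app (or a tester with
     * `adb shell am broadcast -a com.example.wallet.UNLOCKED`) flips the state without the password.
     */
    public static final class UnlockReceiver extends BroadcastReceiver {
        static volatile boolean unlocked; // placeholder for the real session state

        @Override
        public void onReceive(Context ctx, Intent intent) {
            if (!ACTION_UNLOCKED.equals(intent.getAction())) {
                return;
            }
            unlocked = true; // security-relevant state change driven by an intent
        }
    }
}
```

The audit check is the manifest: every `<activity>`, `<receiver>`, `<service>` and `<provider>` that is exported (explicitly, or implicitly through an intent filter) without a permission is reachable from any other app and from `am start` / `am broadcast` over adb, which is exactly how a lock screen gets bypassed.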

Slide 31

LET’S INSTALL SOME MALWARE

Slide 32

RESULTS

Slide 33

RAM MEMORY ATTACKS • An attacker can retrieve and inspect the RAM used by our application and search it for sensitive information. • Avoid keeping such sensitive information in instance or static variables longer than needed.

Slide 34

RAM MEMORY ATTACKS • The easiest way to get a partial (Dalvik VM heap only, no native memory) snapshot of our application’s live memory is the “Dump HPROF” function of the Android Device Monitor (DDMS) tool, which works with a debuggable application or on a device with the flag ro.debuggable=1
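What the two RAM slides ask for in code, as an added example (not from the talk): the weak pattern (a secret parked in a static String, which shows up verbatim in the heap dump) next to the better one (a char[] that is used once and overwritten). Names are placeholders.

```java
import java.security.GeneralSecurityException;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Added example: limiting how long a secret lives in the Dalvik heap.
 */
public final class SecretHandling {

    // WEAK: the master password stays in the heap for the life of the process.
    // Strings are immutable, so it cannot be wiped; a heap dump shows it with a plain `strings`.
    static String cachedPassword;

    static void weakUnlock(String password) {
        cachedPassword = password;
        // ... derive the key, open the database ...
    }

    /**
     * BETTER: take the password as char[], use it once, and overwrite it as soon as the
     * derived key exists. Returns the key; the caller keeps that only while the store is open.
     */
    static byte[] betterUnlock(char[] password, byte[] salt) {
        try {
            return deriveKey(password, salt);
        } finally {
            Arrays.fill(password, '\0'); // wipe the caller's array in place
        }
    }

    /** PBKDF2-HMAC-SHA1 from the platform provider (available since API 10): no home-made KDF. */
    static byte[] deriveKey(char[] password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, 10000, 256);
            try {
                return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1")
                        .generateSecret(spec).getEncoded();
            } finally {
                spec.clearPassword(); // PBEKeySpec keeps its own copy of the chars: clear it too
            }
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

Read the password out of the EditText with `Editable.getChars()` into the char[] rather than `toString()`, and treat all of this as best effort: the widget keeps its own buffer, framework objects such as Intent extras and Bundles hold Strings you cannot wipe, and a moving garbage collector may copy the array before you zero it. Reducing lifetime is the realistic goal. To verify from the attacker's side on a debuggable build, `adb shell am dumpheap <pid> /data/local/tmp/app.hprof`, pull it, convert with `hprof-conv` and search the result with `strings`: the weak variant leaks the password, the better one should not.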

Slide 35

APPENDIX Extras with more advanced material

Slide 36

RUNTIME MANIPULATION Why modify the application’s code and recompile it, when we can modify the code at runtime, without triggering the basic tampering detection? The APK and its signature stay untouched.

Slide 37

RUNTIME MANIPULATION

Slide 38

MOST POPULAR FRAMEWORKS • Cydia Substrate • Xposed Framework

Slide 39

HOW CAN WE DEVELOP A PLUGIN AND WHAT CAN WE DO WITH IT?

Slide 40

1PASSWORD READER • Password wallet application for Android, companion of the Mac/Windows client, that lets us share our passwords between the PC and the mobile device through Dropbox or the shared storage.

Slide 41

1PASSWORD: WHY SHARED STORAGE AND DROPBOX? • These choices are forced by technical limitations of the sharing process between the PC and the device. • Without root permissions, the user can only write to the shared storage, or the application can use third-party services, such as the Dropbox file sharing API, to share the wallet file.

Slide 42

FIRST LOOK • The 1Password wallet is totally unobfuscated, so an attacker can easily understand the logic of the application and its weak points. • First weak spot: LOGS. In production the application disables the logging of user credentials and other internal information to Logcat, but logging is only disabled: the code that logs at the critical points (even the user password) is still there.

Slide 43

HELLO WORLD: WHAT CODE CHANGE? LET’S ENABLE LOGGING

Slide 44

REPLACED METHODS
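The "hello world" plugin described over the last slides, written as an added Xposed module example. This is not the talk's code and the target is a hypothetical app, not 1Password: the package, class and method names (`com.example.wallet`, `Logger.isEnabled`, `Logger.d`, `TamperCheck.isRepackaged`) are assumptions standing in for whatever the disassembly of the real target shows.

```java
import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XC_MethodReplacement;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;

/**
 * Added example of an Xposed module: the target APK is never rebuilt or re-signed,
 * its methods are replaced in memory when the process is created.
 */
public class EnableLoggingModule implements IXposedHookLoadPackage {

    private static final String TARGET_PKG = "com.example.wallet";                  // assumption
    private static final String LOGGER = "com.example.wallet.util.Logger";          // assumption
    private static final String TAMPER = "com.example.wallet.security.TamperCheck"; // assumption

    @Override
    public void handleLoadPackage(LoadPackageParam lpparam) throws Throwable {
        if (!TARGET_PKG.equals(lpparam.packageName)) {
            return; // this callback runs in every new process; only touch our target
        }

        // 1. "Enable logging": the app gates its Log.* calls behind Logger.isEnabled().
        //    Replacing that one method flips the guard without modifying a single byte on disk.
        XposedHelpers.findAndHookMethod(LOGGER, lpparam.classLoader, "isEnabled",
                XC_MethodReplacement.returnConstant(true));

        // 2. Tap the sink: copy every (tag, message) pair into the Xposed log as well,
        //    so it is captured even if the app filters its own Logcat output.
        XposedHelpers.findAndHookMethod(LOGGER, lpparam.classLoader, "d",
                String.class, String.class, new XC_MethodHook() {
                    @Override
                    protected void afterHookedMethod(MethodHookParam param) throws Throwable {
                        XposedBridge.log("[" + param.args[0] + "] " + param.args[1]);
                    }
                });

        // 3. The "basic tampering detection" from the hardening section: a signature check is
        //    one method, and one method is one hook away from always answering "not repackaged".
        XposedHelpers.findAndHookMethod(TAMPER, lpparam.classLoader, "isRepackaged",
                android.content.Context.class, XC_MethodReplacement.returnConstant(false));
    }
}
```

To load it, the module's manifest declares `<meta-data android:name="xposedmodule" android:value="true"/>` (plus `xposedminversion` and `xposeddescription`) and `assets/xposed_init` lists the class name; install, enable it in Xposed Installer and reboot. Defensively, this is the same lesson as the tampering slides: `findAndHookMethod` keys on stable class and method names, which ProGuard/DexGuard renaming takes away, forcing the attacker to re-identify the targets on every release.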

Slide 45

RESULTS

Slide 46

CANDY! Reverse engineering is fun!

Slide 47

LET’S USE RUNTIME MANIPULATION TO CHEAT IN ANDROID GAMES!

Slide 48

AGIMAT • Simple cheat engine/app for Android using runtime manipulation • When more games are supported and if there is interest, it will be open sourced (no time)

Slide 49

SUPER HEXAGON Addictive but difficult game for Android

Slide 51

VIDEO DEMO

Slide 52

SECURITY IS A PROCESS.

Slide 54

SECURE MOBILE DEVELOPMENT BEST PRACTICES AVOIDING COMMON PROBLEMS AND CREATING MORE SECURE APPS FOR IOS AND ANDROID

Slide 56

A great book to start with secure Android development, written by my friend @scottyab

Slide 57

GET CERTIFIED bit.ly/1lwIGjl

Slide 58

WE ARE HIRING!

Slide 60

@marcograss [email protected]