Slide 1

Slide 1 text

Securing Your Android Apps By Pranay Airan @pranayairan

Slide 2

Slide 2 text

Pranay Airan
• Web application developer @Intuit
• Android developer by choice
• Assistant organizer, Blrdroid
• @pranayairan

Slide 3

Slide 3 text

Agenda
• Current threats
• Code protection tools
• Code analysis tools
• Android app build process
• How to disassemble an app
• Different protection techniques

Slide 4

Slide 4 text

Current Threats
• Stealing app code
• Stealing app assets
• Unauthorized API access
• Stealing the app DB
• Repackaging and selling
• Malware and viruses
• Piracy

Slide 5

Slide 5 text

Code Protectors
• ProGuard
• DexGuard
• Java obfuscators

Slide 6

Slide 6 text

Code Analysis Tools
• Dexdump
• Smali
• IDA Pro
• Dex2jar

Slide 7

Slide 7 text

Android Application Build Process
.java files -> Java Compiler -> .class files -> Dx tool -> .dex files -> APK Builder -> .apk file -> Jar Signer
.so files and resources are added at the APK Builder step.
An obfuscator can be applied at two points: on the .class files (Java obfuscators, before dx) or on the .dex files (dex-level obfuscation).
Ref: http://net.cs.uni-bonn.de/fileadmin/user_upload/plohmann/2012-Schulz-Code_Protection_in_Android.pdf

Slide 8

Slide 8 text

Reverse Engineering An App

Slide 9

Slide 9 text

Reverse engineering someone else's app can be a federal offence. The steps that follow are meant to be used on your own apps; use these methods ethically.

Slide 10

Slide 10 text

Let's disassemble an .apk file
App on phone -> APK Extractor -> .apk file
Extract the APK (it is a ZIP archive) to get:
• Images, DB, assets, etc.
• .dex files: dex -> .class (dex2jar), then .class -> .java (Java decompiler)
• Resources and Manifest: binary XML -> readable XML (AAPT)
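As an added example (not part of the original slides), the following stdlib-only Python does the first step of the pipeline above: it treats the APK as a ZIP archive, sorts the entries into the buckets the slide names (dex, manifest, resources, assets, native libraries, signature files), and validates each classes.dex header (magic, adler32 checksum, SHA-1 signature, file_size) before a tool like dex2jar or baksmali would be pointed at it. The APK it inspects is constructed in memory so the example runs offline; the dex inside it has a valid header over a dummy payload and is not loadable code. Decoding the binary manifest into readable XML is left to aapt/apktool, as on the slide.

```python
"""Inspect an APK the way the disassembly slide describes: unzip, bucket the
entries, and sanity-check the dex header. Added example, stdlib only."""
import hashlib
import io
import struct
import zipfile
import zlib

DEX_MAGIC = b"dex\n035\0"
DEX_HEADER_SIZE = 0x70  # the fixed dex header is 112 bytes


def build_dex(payload: bytes) -> bytes:
    """Constructed stand-in for classes.dex: a valid 0x70-byte header over an
    arbitrary payload. Only magic, checksum, signature, file_size, header_size
    and endian_tag are filled in; all table offsets stay zero, so this is not
    runnable Dalvik code, just enough to exercise header validation."""
    file_size = DEX_HEADER_SIZE + len(payload)
    # Layout: magic[8] checksum u4 signature[20] file_size u4 header_size u4
    # endian_tag u4 link_size u4, then 64 bytes of size/offset fields (left zero).
    rest = struct.pack("<IIII", file_size, DEX_HEADER_SIZE, 0x12345678, 0) + b"\0" * 64
    body = rest + payload                                     # offset 32 .. end
    signature = hashlib.sha1(body).digest()                   # sha1 covers offset 32 .. end
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF    # adler32 covers offset 12 .. end
    return DEX_MAGIC + struct.pack("<I", checksum) + signature + body


def parse_dex_header(data: bytes) -> dict:
    """Validate the dex header. A checksum/signature mismatch means the file was
    edited after it was built or is deliberately malformed; raise ValueError."""
    if len(data) < DEX_HEADER_SIZE or data[:8] != DEX_MAGIC:
        raise ValueError("not a dex file (bad magic)")
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    if file_size != len(data) or header_size != DEX_HEADER_SIZE:
        raise ValueError("file_size/header_size do not match the data")
    if zlib.adler32(data[12:]) & 0xFFFFFFFF != checksum:
        raise ValueError("adler32 checksum mismatch")
    if hashlib.sha1(data[32:]).digest() != signature:
        raise ValueError("sha1 signature mismatch")
    return {"file_size": file_size, "header_size": header_size, "endian_tag": endian_tag}


def is_valid_dex(data: bytes) -> bool:
    try:
        parse_dex_header(data)
        return True
    except ValueError:
        return False


def build_sample_apk() -> bytes:
    """Constructed APK standing in for what an APK extractor pulls off the phone."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + b"\0" * 12)  # binary XML stub
        z.writestr("classes.dex", build_dex(b"constructed payload"))
        z.writestr("resources.arsc", b"\x02\x00\x0c\x00" + b"\0" * 8)
        z.writestr("res/drawable/icon.png", b"\x89PNG\r\n\x1a\n")
        z.writestr("assets/config.json", b'{"api": "https://api.example.invalid"}')
        z.writestr("assets/app.db", b"SQLite format 3\0")
        z.writestr("lib/armeabi/libnative.so", b"\x7fELF")
        z.writestr("META-INF/CERT.RSA", b"\x30\x82")
    return buf.getvalue()


def categorize_apk(apk_bytes: bytes) -> dict:
    """Sort APK entries into the buckets from the slide; every .dex is header-checked."""
    buckets = {k: [] for k in ("dex", "manifest", "resources", "assets", "native", "signature", "other")}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.endswith(".dex"):
                parse_dex_header(z.read(name))  # fail loudly on a corrupt or crafted dex
                buckets["dex"].append(name)
            elif name == "AndroidManifest.xml":
                buckets["manifest"].append(name)
            elif name == "resources.arsc" or name.startswith("res/"):
                buckets["resources"].append(name)
            elif name.startswith("assets/"):
                buckets["assets"].append(name)
            elif name.startswith("lib/"):
                buckets["native"].append(name)
            elif name.startswith("META-INF/"):
                buckets["signature"].append(name)
            else:
                buckets["other"].append(name)
    return buckets


if __name__ == "__main__":
    for bucket, names in categorize_apk(build_sample_apk()).items():
        print(f"{bucket:10s} {names}")
```

The assets bucket is where a reverse engineer finds shipped databases and config files in the clear, which is the point of the DB protection slide later in the deck; the header check matters because a hand-edited dex (or one built to crash analysis tools) shows up as a checksum or signature mismatch before anything is decompiled.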

Slide 11

Slide 11 text

Code Protection: using ProGuard in Android
ProGuard provides:
• Obfuscation
• Shrinking
• Optimization

Slide 12

Slide 12 text

Reversed APK with ProGuard

Slide 13

Slide 13 text

Reversed APK with DexGuard

Slide 14

Slide 14 text

Other Techniques
• Junk byte insertion
• Dynamic code loading
• Self-modifying code
• Obfuscation at the dex level
Ref: http://net.cs.uni-bonn.de/fileadmin/user_upload/plohmann/2012-Schulz-Code_Protection_in_Android.pdf

Slide 15

Slide 15 text

API Protection with Google Play Services
• The app asks GoogleAuthUtil for a token, passing your backend's client ID as the audience: audience:server:client_id:9414861317621.apps.googleusercontent.com
• Google returns a token bound to that client ID
• The app sends Token + Your Parameters to Your Backend
• Your Backend verifies the token before acting on the parameters: Verify Token Signature (against Google), then Verify Token Fields (the audience must be your client ID)
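The backend side of that flow, as an added example in stdlib Python (not code from the slides or from Google). Real Google ID tokens are RS256 JWTs that a backend must verify against Google's published certificates; to run offline this example makes the signature step pluggable and uses an HMAC-SHA256 key as a constructed stand-in. The field checks are the part the slide calls "Verify Token Fields": reject unsigned tokens, require a known issuer, require the audience to be this backend's client ID (the value shown on the slide), and require an unexpired exp. The mint_token helper exists only to build test input.

```python
"""Backend verification of an ID token: signature, then fields. Added example."""
import base64
import hashlib
import hmac
import json
import time

# The audience the app passed to GoogleAuthUtil ("audience:server:client_id:<web client ID>").
BACKEND_CLIENT_ID = "9414861317621.apps.googleusercontent.com"
ALLOWED_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256_keypair(secret: bytes):
    """Constructed stand-in for Google's RS256 signing so the example runs offline.
    Returns (sign, verify). A real backend verifies RS256 against Google's certs."""
    def sign(signing_input: bytes) -> bytes:
        return hmac.new(secret, signing_input, hashlib.sha256).digest()

    def verify(signing_input: bytes, signature: bytes, header: dict) -> bool:
        return header.get("alg") == "HS256" and hmac.compare_digest(sign(signing_input), signature)

    return sign, verify


def mint_token(claims: dict, sign, alg: str = "HS256") -> str:
    """Build a JWT as the issuer would; used here only to construct test input."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signature = sign(f"{header}.{payload}".encode())
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def verify_id_token(token: str, verify_sig, now=None) -> dict:
    """'Verify Token Signature' then 'Verify Token Fields'. Returns the claims or raises ValueError."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        signature = _b64url_decode(s)
    except ValueError:  # wrong segment count, bad base64 or bad JSON all subclass ValueError
        raise ValueError("malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    if str(header.get("alg", "none")).lower() == "none":
        raise ValueError("unsigned token rejected")
    if not verify_sig(f"{h}.{p}".encode(), signature, header):
        raise ValueError("bad signature")
    if claims.get("iss") not in ALLOWED_ISSUERS:
        raise ValueError("unexpected issuer")
    # A token Google legitimately issued for some other app's backend carries a valid
    # signature too; the audience check is what stops it being replayed against yours.
    if claims.get("aud") != BACKEND_CLIENT_ID:
        raise ValueError("token not issued for this backend")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        raise ValueError("token expired")
    return claims


def token_status(token: str, verify_sig, now=None) -> str:
    """'ok' or the rejection reason; handy for logging at the API boundary."""
    try:
        verify_id_token(token, verify_sig, now)
        return "ok"
    except ValueError as e:
        return str(e)


if __name__ == "__main__":
    sign, verify = hs256_keypair(b"constructed-demo-secret")
    tok = mint_token({"iss": "accounts.google.com", "aud": BACKEND_CLIENT_ID,
                      "sub": "1234", "exp": int(time.time()) + 300}, sign)
    print(token_status(tok, verify))
```

Only after verify_id_token returns should the backend look at "Your Parameters"; the sub claim identifies the user, and the parameters are then processed on that user's behalf rather than on the say-so of the client.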

Slide 16

Slide 16 text

API Protection
• Use HTTPS (a self-signed certificate will work, provided the app pins that certificate; an app that accepts any certificate gets no protection from HTTPS)
• Use a User-Agent identifier for your app (easily spoofed, so treat it as a filter, not as authentication)
• Use time & encoding in parameters (timestamped, signed requests so stale or edited requests can be rejected)
• Hide URLs & parameters (obfuscation only; they can be recovered from the decompiled app or from captured traffic)
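One way to do "use time & encoding in parameters", as an added example in stdlib Python (not from the slides): the client canonically encodes its parameters, adds a timestamp and a MAC over all of them; the server recomputes the MAC, rejects anything edited, anything outside a freshness window, and anything it has already accepted. The shared key, the 300-second window and the parameter names are assumptions for the demo. This stops replay and tampering by someone who does not hold the key; it does not stop a reverse engineer who pulls the key out of the APK, which is why the deck pairs it with Google token verification for sensitive calls.

```python
"""Timestamped, MAC-signed request parameters with server-side replay check. Added example."""
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode

REPLAY_WINDOW_SECONDS = 300  # assumption for the demo: tolerated clock skew plus delivery delay


def canonical_query(params: dict) -> str:
    """Deterministic encoding (sorted keys, percent-encoded values) so client and
    server sign exactly the same bytes regardless of parameter order."""
    return urlencode(sorted((k, str(v)) for k, v in params.items()))


def sign_request(params: dict, key: bytes, ts=None) -> str:
    """Client side: add ts, MAC everything, return the query string to send."""
    ts = int(time.time()) if ts is None else ts
    signed = dict(params, ts=str(ts))
    signed["sig"] = hmac.new(key, canonical_query(signed).encode(), hashlib.sha256).hexdigest()
    return urlencode(signed)


class RequestGate:
    """Server side: accept a request only if its MAC matches, it is fresh, and it is new."""

    def __init__(self, key: bytes, window: int = REPLAY_WINDOW_SECONDS):
        self.key = key
        self.window = window
        self.seen = set()  # signatures accepted inside the window (a real service expires these)

    def accept(self, query: str, now=None) -> dict:
        now = int(time.time()) if now is None else now
        params = dict(parse_qsl(query, keep_blank_values=True))
        sig = params.pop("sig", None)
        if sig is None or "ts" not in params:
            raise ValueError("unsigned request")
        expected = hmac.new(self.key, canonical_query(params).encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            raise ValueError("bad signature")      # any edited parameter, ts included, lands here
        try:
            ts = int(params["ts"])
        except ValueError:
            raise ValueError("bad timestamp")
        if abs(now - ts) > self.window:
            raise ValueError("stale request")      # an old capture replayed outside the window
        if sig in self.seen:
            raise ValueError("replayed request")   # an identical capture replayed inside the window
        self.seen.add(sig)
        return params

    def status(self, query: str, now=None) -> str:
        """'ok' or the rejection reason."""
        try:
            self.accept(query, now)
            return "ok"
        except ValueError as e:
            return str(e)


if __name__ == "__main__":
    key = b"constructed-demo-key"
    gate = RequestGate(key)
    q = sign_request({"item": "42", "note": "a b&c"}, key)
    print(q)
    print(gate.status(q), gate.status(q))  # second call is a replay
```

Because the MAC covers the timestamp, an attacker cannot refresh an old capture by editing ts; and because identical signatures are remembered for the window, a capture replayed seconds later is rejected even though it is still "fresh". The seen set needs expiry in a real service, otherwise it grows without bound.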

Slide 17

Slide 17 text

DB Protection
• Hash your data (where you only need to compare a value, not read it back, store a salted hash instead of the value)
• 3rd-party DB encryption such as SQLCipher
• String encryption
A key embedded in the APK can be recovered with the same disassembly steps shown earlier, so derive the key from a user secret or fetch it from the server where possible.

Slide 18

Slide 18 text

To Sum Up
• Nothing is foolproof
• Don't give away your code just like that
• Use ProGuard to protect your code
• Use Google API verification for sensitive backend calls

Slide 19

Slide 19 text

Questions ??

Slide 20

Slide 20 text

Thank You @pranayairan [email protected] http://goo.gl/okiJp

Slide 21

Slide 21 text

Useful Links
• http://www.honeynet.org/downloads/Android.tar.gz
• http://proguard.sourceforge.net/index.html#manual/examples.html
• http://code.google.com/p/dex2jar/
• http://code.google.com/p/android-apktool/
• http://android-developers.blogspot.in/2013/01/verifying-back-end-calls-from-android.html
• http://sqlcipher.net/sqlcipher-for-android/