Slide 1

Slide 1 text

Discovering and mastering obfuscation on Android 0%

Slide 2

Slide 2 text

About us Renaud Boulard @_renaudb Francois Lolom @flolom 1%

Slide 3

Slide 3 text

Summary: Introduction, Obfuscation techniques, Steps and Methodology, Delivery and Exploit, Go further, Conclusion 2%

Slide 4

Slide 4 text

Obfuscation. Obfuscate: to render obscure, to darken, to hide. Obfuscate: to make something less clear and harder to understand, especially intentionally. Sources: wiktionary.org, dictionary.cambridge.org 4%

Slide 5

Slide 5 text

Obfuscation goals: makes sensitive assets harder to find; limits cloning / app repackaging; protects other security features located on the app; makes inner implementation « more secret » 8%

Slide 6

Slide 6 text

Security: Improper Platform Usage, Insecure Data Storage, Insecure Communication, Insecure Authentication, Insufficient Cryptography, Insecure Authorization, Client Code Quality, Code Tampering, Reverse Engineering, Extraneous functionality 9%

Slide 7

Slide 7 text

Security: Improper Platform Usage, Insecure Data Storage, Insecure Communication, Insecure Authentication, Insufficient Cryptography, Insecure Authorization, Client Code Quality, Code Tampering, Reverse Engineering, Extraneous functionality 10%

Slide 8

Slide 8 text

Obfuscation Techniques & tools 12%

Slide 9

Slide 9 text

Build & obfuscation pipeline: Java code -> javac -> .class -> .dex -> .apk (plus Manifest and Resources) 13%

Slide 10

Slide 10 text

Tools: apktool, baksmali, Dex2jar, JD-Core, JD-GUI, acting on .apk, .dex, .smali, .class and Java code 14%

Slide 11

Slide 11 text

Some GUI: Jadx, JD-GUI, ClassyShark 15%

Slide 12

Slide 12 text

Build & obfuscation pipeline: Java code -> javac -> .class -> .dex -> .apk (plus Manifest and Resources) 16%

Slide 13

Slide 13 text

Build & obfuscation pipeline: Java code -> javac -> .class -> proguard -> .class (obfuscated) + mapping -> .dex -> .apk (plus Manifest and Resources) 16%

Slide 14

Slide 14 text

Techniques: Renaming, Shrinking, Repackaging, Log/Data leak removal, Control flow obfuscation, String cipher 17%

Slide 15

Slide 15 text

When. Development: Log / Data leak removal. Build: Renaming, Shrinking, Repackaging, Control flow, String cipher 18%

Slide 16

Slide 16 text

Step and Methodology Using only free tools 19%

Slide 17

Slide 17 text

App sample 20%

Slide 18

Slide 18 text

Application perspective 21%

Slide 19

Slide 19 text

Enable proguard Renaming Shrinking Repackaging Log/Data leak removal 22%

Slide 20

Slide 20 text

However, build is failing 24%

Slide 21

Slide 21 text

Disable warnings of dependencies 25%

Slide 22

Slide 22 text

But app crashes at runtime… 26%

Slide 23

Slide 23 text

Crash because of class renaming / reflection 28%

Slide 24

Slide 24 text

Library proguard conf 29%

Slide 25

Slide 25 text

List all my dependencies 30%

Slide 26

Slide 26 text

List all my dependencies ./gradlew :app:dependencies 32%

Slide 27

Slide 27 text

Apply proguard configuration of dependencies https://github.com/krschultz/android-proguard-snippets 33%

Slide 28

Slide 28 text

Still, something is missing 34%

Slide 29

Slide 29 text

App configuration missing Know your tools ! Gson is based on reflection 36%

Slide 30

Slide 30 text

Without configuration 37%

Slide 31

Slide 31 text

With configuration 38%

Slide 32

Slide 32 text

With configuration 40%

Slide 33

Slide 33 text

Working now ! 41%

Slide 34

Slide 34 text

Library perspective 42%

Slide 35

Slide 35 text

App sample 44%

Slide 36

Slide 36 text

Enable proguard app/build.gradle library/build.gradle 45%

Slide 37

Slide 37 text

46% Enable proguard

Slide 38

Slide 38 text

Declare API of the library 48%

Slide 39

Slide 39 text

Manage dependencies 49%

Slide 40

Slide 40 text

Provide proguard rules 50%

Slide 41

Slide 41 text

Can I do better ? 52%

Slide 42

Slide 42 text

Repackaging 53%

Slide 43

Slide 43 text

54% Repackaging

Slide 44

Slide 44 text

Log removal 56%

Slide 45

Slide 45 text

57% Log removal

Slide 46

Slide 46 text

58% Log removal

Slide 47

Slide 47 text

60% Log removal

Slide 48

Slide 48 text

Timber lint rules are great! Lint will automatically check: if you are using the android logger instead of timber; if you concatenate strings in a log message 61%

Slide 49

Slide 49 text

62% Timber lint rules are great !

Slide 50

Slide 50 text

63% Timber lint rules are great !

Slide 51

Slide 51 text

Be careful with custom loggers getDefaultProguardFile('proguard-android.txt') 64%

Slide 52

Slide 52 text

Be careful with custom loggers getDefaultProguardFile('proguard-android-optimize.txt') 65%

Slide 53

Slide 53 text

Use compile-time code generation: better performance; resists proguard obfuscation; bigger APK. Dagger 1 vs Dagger 2; Autovalue for serialization 65%

Slide 54

Slide 54 text

Avoid reflection for serialization Use Compile time generation 66%

Slide 55

Slide 55 text

Tip # Understand the @Keep support annotation. In sdk/tools/proguard/proguard-android.txt:
-keep class android.support.annotation.Keep
-keep @android.support.annotation.Keep class * { *; }
• Resists class refactor • No extra proguard configuration required. Use @Keep ! 67%

Slide 56

Slide 56 text

Exploit / delivery 69%

Slide 57

Slide 57 text

Build & obfuscation pipeline: Java code -> javac -> .class -> proguard -> .class (obfuscated) + mapping -> .dex -> .apk (plus Manifest and Resources) 70%

Slide 58

Slide 58 text

71% Always save proguard mapping file

Slide 59

Slide 59 text

Archive mapping.txt Automated solution #1 : archive it as a maven artifact 72%

Slide 60

Slide 60 text

Automated solution #2 : use a gradle task or crashlytics 74% Archive mapping.txt

Slide 61

Slide 61 text

Deobfuscate the stacktrace: /tools/proguard/bin; Android Studio Analyze Stacktrace *; automatically done on crashlytics. * install https://plugins.jetbrains.com/idea/plugin/101-proguard-unscramble-plugin 75%
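
Slides 58 to 61 come down to keeping mapping.txt so that crash reports can be translated back. The sketch below is an added example, not code from the talk or from ProGuard's own retrace tool: it parses a constructed mapping in ProGuard's text format and rewrites obfuscated stack frames. The com.example names and the parse_mapping / retrace_frame / retrace helpers are hypothetical.

```python
import re

# Constructed sample mapping.txt in ProGuard's text format (not from the talk's app).
SAMPLE_MAPPING = """\
com.example.app.LoginActivity -> com.example.a.b:
    java.lang.String token -> a
    14:20:void onCreate(android.os.Bundle) -> onCreate
    31:35:void checkPin(java.lang.String) -> a
    40:44:void sendToken(java.lang.String) -> a
com.example.app.net.ApiClient -> com.example.a.c:
    52:60:java.lang.String fetch(java.lang.String) -> a
"""

CLASS_RE = re.compile(r"^(\S+) -> (\S+):$")
METHOD_RE = re.compile(r"^\s+(\d+):(\d+):\S+ ([^\s(]+)\([^)]*\)(?::\d+)* -> (\S+)$")
FRAME_RE = re.compile(r"^(\s*at )([\w.$]+)\.([\w$<>]+)\((.*?)(?::(\d+))?\)$")

def parse_mapping(text):
    """Return {obf_class: (orig_class, [(first, last, orig_method, obf_method)])}."""
    classes, current = {}, None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = (m.group(1), [])
            classes[m.group(2)] = current
            continue
        m = METHOD_RE.match(line)  # field lines carry no line range and are skipped
        if m and current is not None:
            first, last, orig, obf = m.groups()
            current[1].append((int(first), int(last), orig, obf))
    return classes

def retrace_frame(frame, classes):
    m = FRAME_RE.match(frame)
    if not m or m.group(2) not in classes:
        return frame  # header line, or a frame that was never renamed (android.*)
    prefix, obf_cls, obf_method, _src, lineno = m.groups()
    orig_cls, methods = classes[obf_cls]
    candidates = [o for f, l, o, n in methods if n == obf_method
                  and (lineno is None or f <= int(lineno) <= l)]
    # Several methods can share one obfuscated name; list all when ambiguous.
    method = "|".join(sorted(set(candidates))) or obf_method
    src = orig_cls.rsplit(".", 1)[-1].split("$")[0] + ".java"
    loc = f"{src}:{lineno}" if lineno else src
    return f"{prefix}{orig_cls}.{method}({loc})"

def retrace(trace, mapping_text):
    classes = parse_mapping(mapping_text)
    return "\n".join(retrace_frame(l, classes) for l in trace.splitlines())
```

A frame that arrives without a line number stays ambiguous when several methods were renamed to the same short name, so the result lists every candidate instead of guessing.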

Slide 62

Slide 62 text

Go Further 76%

Slide 63

Slide 63 text

Techniques: Renaming, Shrinking, Repackaging, Log/Data leak removal, Control flow obfuscation, String cipher, Code encryption / integrity, Assets/resources encryption, Dynamic analysis countermeasures 78%

Slide 64

Slide 64 text

Control flow obfuscation 80% Techniques

Slide 65

Slide 65 text

String cipher 82% Techniques

Slide 66

Slide 66 text

Techniques for a better binary protection: Code encryption / integrity, Assets/resources encryption, Dynamic analysis countermeasures 86%

Slide 67

Slide 67 text

Conclusion 90%

Slide 68

Slide 68 text

Application steps: Choose your tools properly; Proguard conf library; Enable repackaging; Proguard conf application; Remove log; Decompile; Publish; Save mapping 92%

Slide 69

Slide 69 text

SDK steps: Choose your tools properly; Proguard conf library; Provide proguard conf of your dependencies; Declare your API; Enable repackaging; Remove log; Decompile; Publish; Save mapping 94%

Slide 70

Slide 70 text

Conclusion Obfuscation doesn’t prevent reverse engineering, but just discourages it. 96%

Slide 71

Slide 71 text

Github App Sample https://github.com/flolom/obfuscation-tutorial 98%

Slide 72

Slide 72 text

Questions? Renaud Boulard @_renaudb Francois Lolom @flolom 100%