Slide 1

Android hacking for dummies: 'if' operator demolition
Michael Pustovit, Software Engineer @ Stanfy

Slide 2

#dfua
WARNING #1: This presentation is for newbies in Android application hacking.
*If you are a pro, or just know enough, pretend that you are interested in the topic. Please.

Slide 3

WARNING #2: Stay on the light side of the force!
*Reverse engineering can be illegal.

Slide 4

Objectives
● Reverse engineering methods
● APK build process
● Analysis tools
● Small demo
● Defence approaches

Slide 5

Reverse engineering
What is this?

Slide 6

Reverse engineering
● extracting knowledge or design information from anything man-made
● reproducing it based on the extracted information

Slide 7

Reverse engineering aims
● Steal resources
  ○ Assets
  ○ DB
● Analyze algorithms
  ○ Algorithms
  ○ API details
● Repack
  ○ Remove ads
  ○ Piracy
  ○ Add malware

Slide 8

Types of reverse engineering analysis
● Observation of information exchange
  ○ Logs
  ○ Memory
  ○ Storage
  ○ Network
● Disassembly: get/view a program in raw machine language
● Decompilation: get/view a program in a high-level language

Slide 9

APK build process
Only basic steps

Slide 10

Overview
● source: .java files → javac → .class files → dx → .dex file
● resources → aapt → compiled resources
● .so native libraries
● .dex + resources + .so → apkbuilder → APK → jarsigner (sign) → zipalign (align)

Slide 11

APK structure
● Resources in binary form
● Executables in DEX form
● Manifest in binary form
● String resources in binary form

Slide 12

Digital signature (JAR signing; everything lives under META-INF/)
● Certificate (CERT.RSA: the PKCS#7 signature block together with the signer's certificate)
● JAR manifest (MANIFEST.MF: a digest of every file in the APK)
● Signed hash list (CERT.SF: digests of the manifest entries; this is what the signature actually covers)
Any change to a file breaks its digest, so a repacked APK has to be re-signed, and a different key means a different app identity for updates.
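
The structure from the two slides above (APK contents and the signature hash list), as an added example that is not code from the talk: it builds a toy APK in memory from constructed placeholder entries, classifies what is inside, and checks the MANIFEST.MF → CERT.SF digest chain the way an installer does. CERT.RSA (the real PKCS#7 signature over CERT.SF) is left out, SHA-256 is assumed as the digest algorithm, and the section-digest convention (digest over the entry's text including its terminating blank line) is the JAR one as this example applies it.

```python
"""Added example (not code from the slides): build a toy APK in memory, list
what is inside it, and check the JAR-signature hash list the way an installer
does. Entries are constructed placeholders; CERT.RSA is omitted, only the
MANIFEST.MF -> CERT.SF digest chain is built and verified (SHA-256 assumed)."""
import base64
import hashlib
import io
import zipfile

SIGNATURE_FILES = {"META-INF/MANIFEST.MF", "META-INF/CERT.SF", "META-INF/CERT.RSA"}


def _digest(data: bytes) -> str:
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def manifest_sections(manifest: bytes) -> list:
    """Per-entry sections of MANIFEST.MF (after the main section), each kept with
    its terminating blank line, because that is what CERT.SF's digest covers."""
    parts = manifest.decode().split("\r\n\r\n")
    return [p + "\r\n\r\n" for p in parts[1:] if p]


def build_manifest(entries: dict) -> bytes:
    """MANIFEST.MF: a 'Name:' section with a digest for every file in the APK."""
    out = "Manifest-Version: 1.0\r\nCreated-By: example\r\n\r\n"
    for name, data in entries.items():
        out += f"Name: {name}\r\nSHA-256-Digest: {_digest(data)}\r\n\r\n"
    return out.encode()


def build_signature_file(manifest: bytes) -> bytes:
    """CERT.SF: digest of the whole manifest plus a digest of each of its sections.
    A real signer then signs this file and stores the signature in CERT.RSA."""
    out = f"Signature-Version: 1.0\r\nSHA-256-Digest-Manifest: {_digest(manifest)}\r\n\r\n"
    for section in manifest_sections(manifest):
        name = section.split("\r\n", 1)[0][len("Name: "):]
        out += f"Name: {name}\r\nSHA-256-Digest: {_digest(section.encode())}\r\n\r\n"
    return out.encode()


def build_apk(entries: dict) -> bytes:
    """Zip the entries together with the two signature-related files."""
    manifest = build_manifest(entries)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(name, data)
        z.writestr("META-INF/MANIFEST.MF", manifest)
        z.writestr("META-INF/CERT.SF", build_signature_file(manifest))
    return buf.getvalue()


def classify(apk: bytes) -> dict:
    """Map each entry to the kind of content it holds (the APK structure slide)."""
    kinds = {}
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        for name in z.namelist():
            if name.endswith(".dex"):
                kinds[name] = "executable (DEX)"
            elif name == "AndroidManifest.xml":
                kinds[name] = "manifest (binary XML)"
            elif name == "resources.arsc":
                kinds[name] = "string/resource table (binary)"
            elif name.startswith("lib/") and name.endswith(".so"):
                kinds[name] = "native library"
            elif name.startswith("META-INF/"):
                kinds[name] = "signature"
            elif name.startswith("res/"):
                kinds[name] = "resource (binary)"
            else:
                kinds[name] = "other"
    return kinds


def verify_hash_list(apk: bytes) -> list:
    """Names whose digests no longer match (or that the manifest never covered);
    an empty list means the signed hash list still describes the archive."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        manifest = z.read("META-INF/MANIFEST.MF")
        section_digest = {}
        for section in manifest_sections(manifest):
            name_line, digest_line = section.strip().split("\r\n")[:2]
            name = name_line[len("Name: "):]
            if _digest(z.read(name)) != digest_line[len("SHA-256-Digest: "):]:
                bad.append(name)                       # file content changed
            section_digest[name] = _digest(section.encode())
        sf_main, *sf_sections = z.read("META-INF/CERT.SF").decode().split("\r\n\r\n")
        if f"SHA-256-Digest-Manifest: {_digest(manifest)}" not in sf_main:
            bad.append("META-INF/MANIFEST.MF")         # manifest itself changed
        for sec in filter(None, sf_sections):
            name_line, digest_line = sec.split("\r\n")[:2]
            name = name_line[len("Name: "):]
            if section_digest.get(name) != digest_line[len("SHA-256-Digest: "):]:
                bad.append(name)                       # manifest section changed
        for name in z.namelist():
            if name not in section_digest and name not in SIGNATURE_FILES:
                bad.append(name)                       # added file, never signed
    return bad


def tamper(apk: bytes, name: str, data: bytes) -> bytes:
    """Repack with one entry replaced and nothing re-signed (a bare apktool b)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(apk)) as src, \
         zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            dst.writestr(info.filename, data if info.filename == name else src.read(info))
    return buf.getvalue()


# Constructed sample contents: placeholders, not real DEX or binary XML.
SAMPLE_ENTRIES = {
    "AndroidManifest.xml": b"<binary-xml placeholder>",
    "classes.dex": b"dex\n035\x00placeholder",
    "resources.arsc": b"\x02\x00\x0c\x00placeholder",
    "res/layout/activity_main.xml": b"<binary-xml placeholder>",
    "lib/armeabi-v7a/libnative.so": b"\x7fELF placeholder",
}

if __name__ == "__main__":
    apk = build_apk(SAMPLE_ENTRIES)
    for name, kind in classify(apk).items():
        print(f"{name:32} {kind}")
    print("original :", verify_hash_list(apk) or "hash list intact")
    patched = tamper(apk, "classes.dex", b"dex\n035\x00patched")
    print("repacked :", verify_hash_list(patched))
```

Run it directly and the repacked archive reports `classes.dex` as the entry whose digest no longer matches, which is exactly why the "sign" step of the modification cycle cannot be skipped: the package manager refuses an APK whose hash list does not describe its contents, and the attacker has to sign with a key of their own.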

Slide 13

.class vs .dex
● .class: stack VM
● .dex: register VM

Stack VM (.class):
    push 20
    push 7
    add              ; pops 20 and 7, pushes 20 + 7
    * result on the stack top

Register VM (.dex):
    mov r1, 20
    mov r2, 7
    add r1, r2, r3
    * result in register r3

Slide 14

.class vs .dex
● .class: stack VM; a single file per Java class
● .dex: register VM; all Java classes in a single file, better compression (duplicate strings and type names are stored once, because everything is in one file)

Slide 15

Analysis tools
Hacker toys!

Slide 16

Analysis tools
● apktool
  ○ smali/baksmali
  ○ resources unpacker
  ○ manifest unpacker
  ○ "Unpack" - "Modify" - "Pack" scenario
● dex2jar
  ○ transforms .dex back to a set of .class files
● Decompilers
  ○ transform .class files back to Java code

Slide 17

smali/baksmali
● smali/baksmali = assembler/disassembler (in Icelandic)
● syntax is loosely based on Jasmin's/dedexer's syntax
● supports the full functionality of the dex format

Slide 18

Smali format overview

java:
    public static int sum(final int a, final int b) {
        return a + b;
    }

smali:
    .method public static sum(II)I
        .locals 1
        .param p0, "a"    # I
        .param p1, "b"    # I

        .prologue
        .line 8
        add-int v0, p0, p1

        return v0
    .end method

Slide 19

Smali format overview (annotated)
    .method public static sum(II)I      # method signature: (int, int) -> int
        .locals 1                       # local registers count (v0)
        .param p0, "a"    # I           # method params: p0, p1 hold the arguments
        .param p1, "b"    # I
        .prologue
        .line 8                         # line number for the debugger
        add-int v0, p0, p1              # main operation: v0 = p0 + p1
        return v0
    .end method

Slide 20

Basic modification process
● Get the APK
● Unpack: > apktool d app.apk -o app
● Make modifications (edit the smali and resources under app/)
● Repack: > apktool b app -o reapp.apk
● Sign & install (the rebuilt APK must be signed with your own key: the original signature no longer matches the modified files, and an unsigned APK will not install)
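
The "make modifications" step of the cycle above, as an added example and not the talk's demo code: a small Python patcher that works on baksmali output and inverts the conditional branch inside one method, which is the kind of edit the talk's title ('if' operator demolition) points at. The smali method below is a constructed crackme-style licence check, the class and method names (`Lorg/example/crackme/Check;`, `isLicensed`, `keyValid`) are made up for the example, and the result is what you would feed back into `apktool b`.

```python
"""Added example, not the talk's demo code: the 'make modifications' step of the
apktool d / edit / apktool b cycle, applied to baksmali output. It inverts the
conditional branch inside one method, which is the kind of edit the talk's title
('if' operator demolition) refers to. The smali method below is a constructed
crackme-style licence check, not code from the slides."""
import re

# Each Dalvik conditional branch with its inverse; swapping one inverts the check.
INVERSE = {
    "if-eqz": "if-nez", "if-nez": "if-eqz",
    "if-eq": "if-ne", "if-ne": "if-eq",
    "if-lt": "if-ge", "if-ge": "if-lt",
    "if-gt": "if-le", "if-le": "if-gt",
}
# Match the opcode as a whole word: 'if-eq' is a prefix of 'if-eqz'.
BRANCH_RE = re.compile(r"^([ \t]*)(if-(?:eq|ne|lt|ge|gt|le)z?)\b(.*)$", re.MULTILINE)


def find_method(smali: str, name: str) -> tuple:
    """Offsets (start, end) of the '.method ... name(...)' block in the file."""
    m = re.search(rf"^\.method\b[^\n]*\s{re.escape(name)}\(", smali, re.MULTILINE)
    if not m:
        raise ValueError(f"method {name} not found")
    end = smali.index(".end method", m.start()) + len(".end method")
    return m.start(), end


def flip_branches(smali: str, method: str) -> tuple:
    """Invert every conditional branch inside `method`; returns (patched, count)."""
    start, end = find_method(smali, method)
    count = 0

    def swap(m):
        nonlocal count
        count += 1
        return f"{m.group(1)}{INVERSE[m.group(2)]}{m.group(3)}"

    patched = BRANCH_RE.sub(swap, smali[start:end])
    return smali[:start] + patched + smali[end:], count


def locals_count(smali: str, method: str) -> int:
    """The '.locals N' value of a method: it owns v0..v(N-1), so any code you add
    that needs more registers must raise this count too."""
    start, end = find_method(smali, method)
    m = re.search(r"^[ \t]*\.locals (\d+)", smali[start:end], re.MULTILINE)
    return int(m.group(1)) if m else 0


# Constructed sample: returns true only when the key passes keyValid().
SAMPLE = """\
.class public Lorg/example/crackme/Check;
.super Ljava/lang/Object;

.method public static isLicensed(Ljava/lang/String;)Z
    .locals 1
    .param p0, "key"    # Ljava/lang/String;

    .prologue
    .line 12
    invoke-static {p0}, Lorg/example/crackme/Check;->keyValid(Ljava/lang/String;)Z
    move-result v0

    if-eqz v0, :cond_0

    const/4 v0, 0x1
    return v0

    :cond_0
    const/4 v0, 0x0
    return v0
.end method
"""

if __name__ == "__main__":
    patched, n = flip_branches(SAMPLE, "isLicensed")
    print(f"flipped {n} branch(es); locals = {locals_count(SAMPLE, 'isLicensed')}")
    print(patched)
```

After the patch `isLicensed` returns true exactly when `keyValid` fails, which is enough to get past the check with any wrong key; the same approach works for every `if-*` opcode in the table, and the `.locals` reader is there because the next step a beginner usually takes (inserting instructions) fails to assemble when it touches registers the method does not declare.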

Slide 21

Demo time!

Slide 22

Defense
Armors?

Slide 23

Tool types
● Obfuscators: transform sources
● Packers: encode binaries

Slide 24

Obfuscation
* The Java compiler leaves names in the bytecode
Obfuscator:
  ○ renames
  ○ shrinks unused code/resources
  ○ encodes names
  ○ adds junk code
  ○ etc.

Slide 25

Obfuscation position
source (.java files) → javac → .class files → [obfuscation] → dx → .dex file → apkbuilder → APK
(ProGuard-style obfuscators work on the .class files, before dx turns them into DEX)

Slide 26

Code shrinking and name encoding

before:
    +org
     |-+lampapos
       |-+crackmeapp
         |-BuildConfig.smali
         |-MainActivity$1.smali
         |-MainActivity.smali
         |-MainActivity_ViewBinder.smali
         |-MainActivity_ViewBinding.smali
         |-R$anim.smali
         |-R$attr.smali
         |-R$bool.smali
         |-R$color.smali
         |-R$dimen.smali
         |-R$drawable.smali
         |-R$id.smali
         |-R$integer.smali
         |-R$layout.smali
         |-R$mipmap.smali
         |-R$string.smali
         |-R$style.smali
         |-R$styleable.smali
         |-R.smali

after:
    +a
     |-+a
       |-+a
         |-a.smali
         |-b$1.smali
         |-b.smali
         |-b_a.smali

Slide 27

String encryption - Java representation

unencrypted:
    public static final String P = "123";

encrypted (single-byte XOR; note that the key ships in the same class):
    byte[] P = new byte[] {5, 6, 7};
    byte KEY = 52;

    byte[] realPassBytes = new byte[P.length];
    for (int i = 0; i < P.length; i++) {
        realPassBytes[i] = (byte) (P[i] ^ KEY);
    }
    String pass = new String(realPassBytes); // "123"

Slide 28

String encryption - smali representation

unencrypted:
    .field public static final P:Ljava/lang/String; = "123"

encrypted (the static initializer filling the byte array):
    const/4 v0, 0x3
    new-array v0, v0, [B
    fill-array-data v0, :array_0
    sput-object v0, Lorg/lampapos/crackmeapp/MainActivity;->P:[B

    return-void

    nop

    :array_0
    .array-data 1
        0x5t
        0x6t
        0x7t
    .end array-data
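
Recovering the hidden string from the smali above, as an added example that is not code from the talk: it parses the `.array-data` block and every `const` literal out of baksmali output, tries each literal as the XOR key, and keeps the decodings that are printable text. The smali is constructed to mirror the slides' `crackmeapp` (the `KEY` field and the `<clinit>` layout are assumptions), and the block goes one step further than the slide with a 256-try brute force for the case where the key is not a visible literal.

```python
"""Added example, not from the slides: recover a string that was 'encrypted'
with a single-byte XOR, straight from baksmali output. The encoded bytes sit in
a .array-data block and the key in a const instruction in the same file, so the
smali alone is enough to decode it. The sample smali is constructed to mirror
the slides' crackmeapp; the KEY field and <clinit> layout are assumptions."""
import re

ARRAY_RE = re.compile(r"\.array-data\s+(\d+)\s*\n(.*?)\.end array-data", re.DOTALL)
# const/4, const/16 and plain const with a register and an integer literal.
CONST_RE = re.compile(r"^\s*const(?:/4|/16)?\s+(v\d+),\s*(-?0x[0-9a-fA-F]+|-?\d+)",
                      re.MULTILINE)


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with the key; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


def parse_array_data(smali: str) -> list:
    """All .array-data blocks with 1-byte elements (e.g. '0x5t') as bytes."""
    arrays = []
    for width, body in ARRAY_RE.findall(smali):
        if width != "1":
            continue  # 2/4/8-byte elements would need different parsing
        arrays.append(bytes(int(tok.rstrip("t"), 16) & 0xFF for tok in body.split()))
    return arrays


def parse_consts(smali: str) -> list:
    """(register, value) for every integer const in the file, in order."""
    out = []
    for reg, val in CONST_RE.findall(smali):
        out.append((reg, (int(val, 16) if "x" in val else int(val, 10)) & 0xFF))
    return out


def _printable(data: bytes) -> bool:
    return all(32 <= b < 127 for b in data)


def recover_strings(smali: str) -> list:
    """Try each const literal as the key against each array; keep printable results."""
    found = []
    for arr in parse_array_data(smali):
        for reg, key in parse_consts(smali):
            plain = xor_bytes(arr, key)
            if _printable(plain):
                found.append((reg, key, plain.decode()))
    return found


def brute_force(encoded: bytes) -> list:
    """Every single-byte key that yields printable ASCII: the key space is 8 bits."""
    return [(k, xor_bytes(encoded, k).decode())
            for k in range(256) if _printable(xor_bytes(encoded, k))]


# Constructed sample: the static initializer of the slides' MainActivity.
SAMPLE = """\
.method static constructor <clinit>()V
    .locals 1

    .prologue
    const/4 v0, 0x3
    new-array v0, v0, [B
    fill-array-data v0, :array_0
    sput-object v0, Lorg/lampapos/crackmeapp/MainActivity;->P:[B

    const/16 v0, 0x34
    sput-byte v0, Lorg/lampapos/crackmeapp/MainActivity;->KEY:B

    return-void

    nop

    :array_0
    .array-data 1
        0x5t
        0x6t
        0x7t
    .end array-data
.end method
"""

if __name__ == "__main__":
    print("arrays :", parse_array_data(SAMPLE))
    print("consts :", parse_consts(SAMPLE))
    print("found  :", recover_strings(SAMPLE))
    print("brute  :", len(brute_force(bytes([5, 6, 7]))), "printable candidates")
```

The array length literal (`0x3`) is tried as a key as well and is discarded because its result is not printable; `0x34` gives back `"123"`. The brute force returns more candidates for a three-byte array than for a realistic password, but a short list of printable strings is all a reverser needs, which is why this kind of encoding only hides a secret from `strings`, not from anyone reading the smali.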

Slide 29

Reflection

plain call:
    System.exit(0);

via reflection:
    Class.forName("java.lang.System")
        .getMethod("exit", Integer.TYPE)
        .invoke(null, Integer.valueOf("0"));

via reflection with the strings encoded (e.d() is the obfuscator's decoder; the literals here are base64):
    Class.forName(e.d("amF2YS5sYW5nLlN5c3RlbQ=="))
        .getMethod(e.d("ZXhpdA=="), Integer.TYPE)
        .invoke(null, Integer.valueOf(e.d("MA==")));
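
Undoing that layer in decompiled source, as an added example that is not code from the talk: the decoder helper (`e.d`, the obfuscated name the slide shows) is applied statically to the source text, after which the `Class.forName(...).getMethod(...)` targets can be read off directly. The sample source and the assumption that `e.d` is plain base64 are the example's, not the page's.

```python
"""Added example, not from the slides: undo the string-hiding layer around
reflective calls in decompiled Java. The targets are kept as base64 literals
passed to a decoder helper (e.d, as on the slide), so the decoder can be applied
to the source text offline. The helper name and sample source are assumptions."""
import base64
import re

DECODER_CALL = re.compile(r'e\.d\("([A-Za-z0-9+/=]+)"\)')
REFLECTIVE_CALL = re.compile(r'Class\.forName\("([^"]+)"\)\s*\.getMethod\("([^"]+)"')


def inline_decoded_strings(src: str) -> str:
    """Replace every e.d("<base64>") with the decoded string literal."""
    def decode(m):
        text = base64.b64decode(m.group(1)).decode()
        return '"' + text.replace('\\', '\\\\').replace('"', '\\"') + '"'
    return DECODER_CALL.sub(decode, src)


def find_reflective_calls(src: str) -> list:
    """(class, method) pairs resolved via Class.forName(...).getMethod(...)."""
    return REFLECTIVE_CALL.findall(inline_decoded_strings(src))


# Constructed sample: the obfuscated call from the slide.
SAMPLE = '''\
Class.forName(e.d("amF2YS5sYW5nLlN5c3RlbQ=="))
    .getMethod(e.d("ZXhpdA=="), Integer.TYPE)
    .invoke(null, Integer.valueOf(e.d("MA==")));
'''

if __name__ == "__main__":
    print(inline_decoded_strings(SAMPLE))
    print(find_reflective_calls(SAMPLE))
```

Reflection hides the call from a decompiler's cross-references, not from the person reading the decompiled code: once the literals are inlined the target is `java.lang.System.exit`, and the same substitution applies to whatever encoding the helper uses as long as its implementation is in the APK too.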

Slide 30

Native code
Want to hide an algorithm? Move it to a native (C/C++) part.
* but remember that there are disassemblers for native code binaries
** and a native library can be reused (loaded and called from the attacker's own code) even without decompiling it

Slide 31

Packers
Original APK (DEX file + resources) → packer → wrapper APK:
● wrapper DEX file (the stub that runs first)
● native lib (the unpacker)
● mangled/encoded original DEX
● resources

Slide 32

Packers: at run time
APK → native lib → original DEX file
The native lib:
● 1. anti-emulator checks
● 2. anti-debugging checks
● then decodes/fixes the DEX and hands control to the original code

Slide 33

Tools
● Obfuscators
  ○ ProGuard
  ○ DexGuard
  ○ Allatori
● Packers
  ○ SecNeo (Bangcle)
  ○ Ijiami
  ○ ApkProtect

Slide 34

Summary
4 more slides and coffee break, snacks, freedom... ;)

Slide 35

Summary
Don't store secrets in your code!

Slide 36

Summary
● A smartphone is not a "trusted environment"
● "Security through obscurity" doesn't stop a hacker, it only slows them down
● Everything can be hacked; it's a question of cost and time

Slide 38

Michael Pustovit
@pustovit
https://github.com/lampapos
Questions? Thank you!