Reverse Engineering android apps

Android apps are easy to reverse engineer. With the growing popularity of the Android platform, it is essential to know what tools and techniques someone with bad intentions can use to reverse engineer your app and gain access to your code, database, images and sensitive APIs. This presentation walks through the tools that are commonly used and the techniques you can use to guard against such attacks. We will look at reverse engineering tools such as AXML and dex2jar, and at how you can use ProGuard to obfuscate your code and protect your API with Google Play services.

Pranay Airan

March 02, 2013
Transcript

  1. Securing Your Android Apps, by Pranay Airan (@pranayairan)
  2. Pranay Airan: Web application developer @Intuit; Android developer by choice; Assistant organizer, Blrdroid; @pranayairan
  3. Current Threats; Code Protection Tools; Code Analysis Tools; Android App Build Process; How to disassemble; Different protection techniques
  4. Current Threats: Stealing app code; Stealing app assets; Unauthorized API access; Stealing app DB; Repackaging and selling; Malware and viruses; Piracy
  5. Code Protectors: ProGuard; DexGuard; Java obfuscators
  6. Code Analysis Tools: Dexdump; Smali; IDA Pro; Dex2jar
  7. Android Application Build Process (diagram): .java files -> Java Compiler -> .class files -> Dx tool -> .dex files -> APK Builder -> .apk files -> Jar Signer. Other diagram labels: .so files; resource; Obfuscator; Obfuscator. Ref: http://net.cs.uni-bonn.de/fileadmin/user_upload/plohmann/2012-Schulz-Code_Protection_in_Android.pdf
  8. Reverse Engineering An App
  9. Federal Offence: This can be used on your apps. Use these methods ethically.
  10. Let's disassemble .apk files (diagram labels): Extract APK; Images, DB, assets etc.; .class files; dex -> class (dex2jar); Java files; Class -> java; App on phone; Apk Extractor; .dex files; resource; Manifest; AAPT; Readable XML
  11. Code Protection Using ProGuard in Android: Obfuscation; Shrinker; Optimization; ProGuard
  12. Reversed APK with ProGuard
  13. Reversed APK with DexGuard
  14. Other Techniques: Junk byte insertion; Dynamic code loading; Self-modifying code; Obfuscation at dex level. Ref: http://net.cs.uni-bonn.de/fileadmin/user_upload/plohmann/2012-Schulz-Code_Protection_in_Android.pdf
  15. API Protection (diagram labels): Google Play Service; GoogleAuthUtil; audience:server:client_id:9414861317621.apps.googleusercontent.com; Token + Your Parameters; Access Token; Client id; Your Backend; Google; Verify Token Signature; Verify Token Fields
  16. API Protection: Use HTTPS (self signed will work); Use User Agent identifier; Use time & encoding in parameters; Hiding URL & parameters
  17. DB Protection: Hash your data; 3rd-party DB encryption like SQLCipher; String encryption
  18. To Sum Up: Nothing is foolproof; Don't give away your code just like that; Use ProGuard to protect your code; Use Google API verification for sensitive backend calls
  19. Questions ??
  20. Thank You: @pranayairan; Pranay.airan@iiitb.net; http://goo.gl/okiJp
  21. Useful Links
      • http://www.honeynet.org/downloads/Android.tar.gz
      • http://proguard.sourceforge.net/index.html#manual/examples.html
      • http://code.google.com/p/dex2jar/
      • http://code.google.com/p/android-apktool/
      • http://android-developers.blogspot.in/2013/01/verifying-back-end-calls-from-android.html
      • http://sqlcipher.net/sqlcipher-for-android/
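
Added example, not part of the original deck: the two backend checks named on slide 15 (verify token signature, verify token fields) for an ID token requested with that slide's audience string. The `signature_ok` hook, the Android client ID and all function names are assumptions made for illustration; the RSA signature check itself is delegated to the hook.

```python
import base64
import json
import time

# Server client ID taken from the audience string on slide 15.
SERVER_CLIENT_ID = "9414861317621.apps.googleusercontent.com"
# Constructed placeholder for the client ID of your signed Android app.
ANDROID_CLIENT_IDS = ("android-app.example.apps.googleusercontent.com",)
ISSUERS = ("accounts.google.com", "https://accounts.google.com")

class TokenRejected(Exception):
    """The token must not be trusted."""

def b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def verify_id_token(token, signature_ok, now=None):
    """Return the claims if the token passes both backend checks.

    signature_ok(signing_input, signature, header) -> bool is a hypothetical
    hook; a real backend calls a JWT library with Google's public keys there.
    """
    now = time.time() if now is None else now
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        claims = json.loads(b64url_decode(body_b64))
        signature = b64url_decode(sig_b64)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError("header and payload must be JSON objects")
    except ValueError as exc:
        raise TokenRejected("malformed token") from exc
    # 1. Verify token signature. Pin the algorithm first so a token declaring
    #    "none" or a symmetric algorithm never reaches the verifier.
    if header.get("alg") != "RS256":
        raise TokenRejected("unexpected alg")
    if not signature_ok(f"{head_b64}.{body_b64}".encode(), signature, header):
        raise TokenRejected("bad signature")
    # 2. Verify token fields: issuer, intended backend, requesting app, expiry.
    if claims.get("iss") not in ISSUERS:
        raise TokenRejected("wrong issuer")
    if claims.get("aud") != SERVER_CLIENT_ID:
        raise TokenRejected("issued for a different backend")
    if claims.get("azp") not in ANDROID_CLIENT_IDS:
        raise TokenRejected("requested by an unknown app")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise TokenRejected("expired")
    return claims
```

The `azp` check is what ties a request to your own signed app: a token obtained by a repackaged APK carries a different client ID and is rejected even though its signature is valid.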