Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Reverse Engineering android apps

Pranay Airan
March 02, 2013
Technology
2
1.2k

Reverse Engineering android apps

Android apps are easy to reverse engineer, with growing popularity of android platform, it becomes essential to know what tools and techniques some with bad intentions can use to reverse engineer your app, gain access to your code db images and sensitive API. This presentation walks you through different tools which are commonly used and what are the different techniques which you can use to guard against such attacks. We will see various reverse engineering tools like AXML, dex2-jar etc. Also we will see how you can use progaurd to obfuscate your code, how you can protect your api with google play services etc.

Pranay Airan

March 02, 2013
Tweet

More Decks by Pranay Airan

See All by Pranay Airan
Android 101
pranayairan
5
320
Take Your Android Apps Offline via SMS
pranayairan
0
99

Other Decks in Technology

See All in Technology
Meta Quest 3 で動く桜マシマシ WebXR アプリを IBM Cloud Code Engine と Babylon.js で作った話
1ftseabass
PRO
0
120
一生覚えておきたい「システム開発=コミュニケーション」〜初めての実務案件振り返りLT〜
maimyyym
0
120
Hands-on Gemini, the Google DeepMind LLM
meteatamel
1
110
リテール金融(キャッシュレス・ネット銀行・ネット証券)の競争環境と経済圏
8maki
0
650
ServiceNow Knowledge 24の歩き方 EYストラテジー・アンド・コンサルティング
manarobot
0
190
Google Cloud Next '24でブログを10本書いた方法と勉強会を沸かせた方法
yasumuusan
0
290
[新卒向け研修資料] テスト文字列に「うんこ」と入れるな(2024年版)
infiniteloop_inc
3
12k
元インフラエンジニアに成る / Human Resources to Human Relations
bobtani
4
900
「スニダン」開発組織の構造に込めた意図 ~組織作りはパッションや政治ではない!~
rinchsan
3
550
Postman v10リリース後を振り返る / Looking back at Postman v10 after release
yokawasa
1
160
継続的な改善 x ⾮連続的な進化
sansantech
PRO
3
150
AWSに詳しくない人でも始められるコスト最適化ガイド
yuhta28
0
170

Featured

See All Featured
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
14
1.5k
Building a Scalable Design System with Sketch
lauravandoore
456
32k
Atom: Resistance is Futile
akmur
259
25k
Principles of Awesome APIs and How to Build Them.
keavy
121
16k
How to Ace a Technical Interview
jacobian
272
22k
Adopting Sorbet at Scale
ufuk
68
8.6k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
226
51k
For a Future-Friendly Web
brad_frost
172
9k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
501
140k
WebSockets: Embracing the real-time Web
robhawkes
59
7k
Building Your Own Lightsaber
phodgson
99
5.7k
Agile that works and the tools we love
rasmusluckow
325
20k

Transcript

  1. Securing Your Android Apps By Pranay Airan @pranayairan

  2. Pranay Airan Web application developer @Intuit Android Developer by choice

     Assistant organizer Blrdroid @pranayairan

  3. Current Threats Code Protection Tools Code Analysis Tools Android App

    Build Process How to disassemble Different protection techniques

  4. Current Threats Stealing App Code Stealing App Assets Unauthorized API

    Access Stealing App DB Repackaging and selling Malwares and viruses Piracy

  5. Code Protectors Progaurd Dexgaurd Java obfuscators

  6. Code Analysis Tools Dexdump Smali IDA Pro Dex2jar

  7. Android Application Build Process .java files Java Compiler .class files

    Dx tool .dex files APK Builder .apk files Jar Signer .so files resource Obfuscator Obfuscator Ref: http://net.cs.uni-bonn.de/fileadmin/user_upload/plohmann/2012-Schulz-Code_Protection_in_Android.pdf

  8. Reverse Engineering An App

  9. Federal Offence This can be used on your apps Use

    this methods ethically

  10. Lets disassemble .apk files Extract APK Images DB asset etc

    .class files dex -> class (dex2jar) Java files Class -> java App on phone Apk Extractor .dex files resource Manifest AAPT Readable XML

  11. Code Protection Using Progaurd in Android Obfuscation Shrinker Optimization Progaurd

  12. Reversed APK with Progaurd

  13. Reversed APK with Dexgaurd

  14. Other Techniques junk byte insertion Dynamic Code loading Self Modifying

    code Obfuscation at dex level Ref: http://net.cs.uni-bonn.de/fileadmin/user_upload/plohmann/2012-Schulz-Code_Protection_in_Android.pdf

  15. API Protection Google Play Service Google Authutil audience:server:client_id:9414861317621.apps.googleusercontent.com Token +

    Your Parameters Access Token Client id Your Backend Google Verify Token Signature Verify Token Fields

  16. API Protection Use HTTPS (self signed will work) Use User

    Agent Identifier Use time & encoding in parameters Hiding url & parameters

  17. DB Protection Hash your data 3rd Party DB encryption like

    SQLCipher String Encryption

  18. To Sum Up Nothing is full proof Don’t give away

    your code just like that Use progaurd to protect your code Use Google Api Verification for Sensitive backend calls

  19. Questions ??

  20. Thank You @pranayairan [email protected] http://goo.gl/okiJp

  21. Useful Links • http://www.honeynet.org/downloads/Android.tar.gz • http://proguard.sourceforge.net/index.html#manual/examples. html • http://code.google.com/p/dex2jar/ •

    http://code.google.com/p/android-apktool/ • http://android-developers.blogspot.in/2013/01/verifying-back- end-calls-from-android.html • http://sqlcipher.net/sqlcipher-for-android/