Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Reverse Engineering android apps

Pranay Airan
March 02, 2013
Technology
2
1.2k

Reverse Engineering android apps

Android apps are easy to reverse engineer, with growing popularity of android platform, it becomes essential to know what tools and techniques some with bad intentions can use to reverse engineer your app, gain access to your code db images and sensitive API. This presentation walks you through different tools which are commonly used and what are the different techniques which you can use to guard against such attacks. We will see various reverse engineering tools like AXML, dex2-jar etc. Also we will see how you can use progaurd to obfuscate your code, how you can protect your api with google play services etc.

Pranay Airan

March 02, 2013
Tweet

More Decks by Pranay Airan

See All by Pranay Airan
Android 101
pranayairan
5
330
Take Your Android Apps Offline via SMS
pranayairan
0
100

Other Decks in Technology

See All in Technology
【Startup CTO of the Year 2024 / Audience Award】アセンド取締役CTO 丹羽健
niwatakeru
0
1.3k
ノーコードデータ分析ツールで体験する時系列データ分析超入門
negi111111
0
420
開発生産性を上げながらビジネスも30倍成長させてきたチームの姿
kamina_zzz
2
1.7k
Python(PYNQ)がテーマのAMD主催のFPGAコンテストに参加してきた
iotengineer22
0
520
Why App Signing Matters for Your Android Apps - Android Bangkok Conference 2024
akexorcist
0
130
Adopting Jetpack Compose in Your Existing Project - GDG DevFest Bangkok 2024
akexorcist
0
110
アプリエンジニアのためのGraphQL入門.pdf
spycwolf
0
100
20241120_JAWS_東京_ランチタイムLT#17_AWS認定全冠の先へ
tsumita
2
300
AWS Lambda のトラブルシュートをしていて思うこと
kazzpapa3
2
180
マルチモーダル / AI Agent / LLMOps 3つの技術トレンドで理解するLLMの今後の展望
hirosatogamo
37
12k
Amplify Gen2 Deep Dive / バックエンドの型をいかにしてフロントエンドへ伝えるか #TSKaigi #TSKaigiKansai #AWSAmplifyJP
tacck
PRO
0
390
BLADE: An Attempt to Automate Penetration Testing Using Autonomous AI Agents
bbrbbq
0
320

Featured

See All Featured
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
8
900
Code Reviewing Like a Champion
maltzj
520
39k
How to Think Like a Performance Engineer
csswizardry
20
1.1k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
329
21k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
48k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
131
33k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
44
6.8k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
27
4.3k
Facilitating Awesome Meetings
lara
50
6.1k
VelocityConf: Rendering Performance Case Studies
addyosmani
325
24k
Visualization
eitanlees
145
15k
Agile that works and the tools we love
rasmusluckow
327
21k

Transcript

  1. Securing Your Android Apps By Pranay Airan @pranayairan

  2. Pranay Airan Web application developer @Intuit Android Developer by choice

     Assistant organizer Blrdroid @pranayairan

  3. Current Threats Code Protection Tools Code Analysis Tools Android App

    Build Process How to disassemble Different protection techniques

  4. Current Threats Stealing App Code Stealing App Assets Unauthorized API

    Access Stealing App DB Repackaging and selling Malwares and viruses Piracy

  5. Code Protectors Progaurd Dexgaurd Java obfuscators

  6. Code Analysis Tools Dexdump Smali IDA Pro Dex2jar

  7. Android Application Build Process .java files Java Compiler .class files

    Dx tool .dex files APK Builder .apk files Jar Signer .so files resource Obfuscator Obfuscator Ref: http://net.cs.uni-bonn.de/fileadmin/user_upload/plohmann/2012-Schulz-Code_Protection_in_Android.pdf

  8. Reverse Engineering An App

  9. Federal Offence This can be used on your apps Use

    this methods ethically

  10. Lets disassemble .apk files Extract APK Images DB asset etc

    .class files dex -> class (dex2jar) Java files Class -> java App on phone Apk Extractor .dex files resource Manifest AAPT Readable XML

  11. Code Protection Using Progaurd in Android Obfuscation Shrinker Optimization Progaurd

  12. Reversed APK with Progaurd

  13. Reversed APK with Dexgaurd

  14. Other Techniques junk byte insertion Dynamic Code loading Self Modifying

    code Obfuscation at dex level Ref: http://net.cs.uni-bonn.de/fileadmin/user_upload/plohmann/2012-Schulz-Code_Protection_in_Android.pdf

  15. API Protection Google Play Service Google Authutil audience:server:client_id:9414861317621.apps.googleusercontent.com Token +

    Your Parameters Access Token Client id Your Backend Google Verify Token Signature Verify Token Fields

  16. API Protection Use HTTPS (self signed will work) Use User

    Agent Identifier Use time & encoding in parameters Hiding url & parameters

  17. DB Protection Hash your data 3rd Party DB encryption like

    SQLCipher String Encryption

  18. To Sum Up Nothing is full proof Don’t give away

    your code just like that Use progaurd to protect your code Use Google Api Verification for Sensitive backend calls

  19. Questions ??

  20. Thank You @pranayairan [email protected] http://goo.gl/okiJp

  21. Useful Links • http://www.honeynet.org/downloads/Android.tar.gz • http://proguard.sourceforge.net/index.html#manual/examples. html • http://code.google.com/p/dex2jar/ •

    http://code.google.com/p/android-apktool/ • http://android-developers.blogspot.in/2013/01/verifying-back- end-calls-from-android.html • http://sqlcipher.net/sqlcipher-for-android/