Getting the most of Android obfuscation tools

Transcript

1. Découvrir et maîtriser l’obfuscation sur Android 0%

2. About us Renaud Boulard @_renaudb Francois Lolom @flolom 1%

3. Steps and Methodology Obfuscation technics Go further Conclusion Introduction Delivery

   and Exploit Summary 2%

4. To render obscure To darken To hide Obfuscate To make

   something less clear and harder to understand, especially intentionally Obfuscate * wiktionary.org *dictionary. cambridge.org Obfuscation 4%

5. Obfuscation goals Makes sensitive assets harder to find Limits cloning

   / app repackaging Protects other security features located on the app Makes inner implementation « more secret » 8%

6. Security Improper Platform Usage Insecure Data Storage Insecure Communication Insecure

   Authentication Insufficient Cryptography Insecure Authorization Client Code Quality Code Tampering Reverse Engineering Extraneous functionality 9%

7. Improper Platform Usage Insecure Data Storage Insecure Communication Insecure Authentication

   Insufficient Cryptography Insecure Authorization Client Code Quality Code Tampering Reverse Engineering Extraneous functionality 10% Security

8. Obfuscation Techniques & tools 12%

9. .apk .dex .class Java code Build & obfuscation pipeline javac

   Manifest Resources 13%

10. .apk .dex .class Java code apktool baksmali JD-GUI JD-Core Apktool

    Tools .smali Dex2jar 14%

11. Some GUI Jadx JD-GUI ClassyShark 15%

12. .apk .dex .class Java code Build & obfuscation pipeline javac

    Manifest Resources 16%

13. .apk .dex .class Java code javac .class (obfuscated) proguard mapping

    Manifest Resources 16% Build & obfuscation pipeline

14. Renaming Shrinking Repackaging Log/Data leak removal Control flow obfuscation String

    cipher Techniques 17%

15. When Log Data leak removal Development Renaming Shrinking Repackaging Control

    flow String cipher Build 18%

16. Step and Methodology Using only free tools 19%

17. App sample 20%

18. Application perspective 21%

19. Enable proguard Renaming Shrinking Repackaging Log/Data leak removal 22%

20. However, build is failing 24%

21. Disable warnings of dependencies 25%

22. But app crashes at runtime… 26%

23. Crash because of class renaming / reflection 28%

24. Library proguard conf 29%

25. List all my dependencies 30%

26. List all my dependencies ./gradlew :app:dependencies 32%

27. Apply proguard configuration of dependencies https://github.com/krschultz/android-proguard-snippets 33%

28. Still, something is missing 34%

29. App configuration missing Know your tools ! Gson is based

    on reflection 36%

30. Without configuration 37%

31. With configuration 38%

32. With configuration 40%

33. Working now ! 41%

34. Library perspective 42%

35. App sample 44%

36. Enable proguard app/build.gradle library/build.gradle 45%

37. 46% Enable proguard

38. Declare API of the library 48%

39. Manage dependencies 49%

40. Provide proguard rules 1 2 4 3 5 50%

41. Can I do better ? 52%

42. Repackaging 53%

43. 54% Repackaging

44. Log removal 56%

45. 57% Log removal

46. 58% Log removal

47. 60% Log removal

48. Timber lint rules are great ! if you are using

    the android logger instead of timber if you concatenate strings in a log message Will automatically check with lint 61%

49. 62% Timber lint rules are great !

50. 63% Timber lint rules are great !

51. Be careful with custom loggers getDefaultProguardFile('proguard-android.txt') 64%

52. Be careful with custom loggers getDefaultProguardFile('proguard-android-optimize.txt') 65%

53. Use compile-time code generation Better performance Resists proguard obfuscation Bigger

    APK Dagger 1 vs Dagger 2 Autovalue for serialization 65%

54. Avoid reflection for serialization Use Compile time generation 66%

55. Tip # Understand the @Keep support annotation. -keep class android.support.annotation.Keep

    -keep @android.support.annotation.Keep class * { *; } In sdk/tools/proguard/proguard-android.txt • Resists class refactor • No extra proguard configuration required Use @Keep ! 67%

56. Exploit / delivery 69%

57. .apk .dex .class Java code Build & obfuscation pipeline javac

    .class (obfuscated) proguard mapping Manifest Resources 70%

58. 71% Always save proguard mapping file

59. Archive mapping.txt Automated solution #1 : archive it as a

    maven artifact 72%

60. Automated solution #2 : use a gradle task or crashlytics

    74% Archive mapping.txt

61. * install https://plugins.jetbrains.com/idea/plugin/101-proguard-unscramble-plugin <android sdk>/tools/proguard/bin Android Studio Analyze Stracktrace *

    Automatically done on crashlytics 75% Deobfuscate the stacktrace

62. Go Further 76%

63. Techniques Renaming Shrinking Repackaging Log/Data leak removal Control flow obfuscation

    String cipher Code encryption /integrity Assets/ressources encryption Dynamic analysis countermeasures 78%

64. Control flow obfuscation 80% Techniques

65. String cipher 82% Techniques

66. Code encryption /integrity Assets/ressources encryption Dynamic analysis countermeasures 86% Techniques

    for a better binary protection

67. Conclusion 90%

68. Application steps Choose your tools propertly Proguard conf library Enable

    repackaging Proguard conf application Remove log Decompile Publish Save mapping 92%

69. SDK steps Choose your tools propertly Proguard conf library Provide

    proguard conf of your dependencies Declare your API Enable repackaging Remove log Decompile Publish Save mapping 94%

70. Conclusion Obfuscation doesn’t prevent reverse engineering, but just discourages it.

    96%

71. Github App Sample https://github.com/flolom/obfuscation-tutorial 98%

72. Questions? Renaud Boulard @_renaudb Francois Lolom @flolom 100%