Getting the most of Android obfuscation tools

With the increasing use of smartphones in the banking and payment industry, we need to build more secure applications. This presentation focuses on one specific part of the app security field: Android app/SDK obfuscation.

Obfuscation makes reverse engineering of your system harder and prevents the leak of sensitive information.

During the talk, we will show you how to analyse the result of your obfuscation, propose relevant tools to accomplish that, and present a rigorous methodology to achieve the best possible result.

renaudboulard

April 10, 2017

Transcript

  1. Discover and master obfuscation on Android

  2. About us
    Renaud Boulard @_renaudb
    Francois Lolom @flolom

  3. Summary
    Introduction
    Obfuscation techniques
    Steps and Methodology
    Delivery and Exploit
    Go further
    Conclusion

  4. Obfuscation
    Obfuscate: To render obscure. To darken. To hide.
    Obfuscate: To make something less clear and harder to understand, especially intentionally.
    * wiktionary.org
    * dictionary.cambridge.org

  5. Obfuscation goals
    Makes sensitive assets harder to find
    Limits cloning / app repackaging
    Protects other security features located on the app
    Makes inner implementation « more secret »

  6. Security
    Improper Platform Usage
    Insecure Data Storage
    Insecure Communication
    Insecure Authentication
    Insufficient Cryptography
    Insecure Authorization
    Client Code Quality
    Code Tampering
    Reverse Engineering
    Extraneous functionality

  7. Security
    Improper Platform Usage
    Insecure Data Storage
    Insecure Communication
    Insecure Authentication
    Insufficient Cryptography
    Insecure Authorization
    Client Code Quality
    Code Tampering
    Reverse Engineering
    Extraneous functionality

  8. Obfuscation
    Techniques & tools

  9. Build & obfuscation pipeline
    [Diagram: Java code → javac → .class → .dex → .apk, with Manifest and Resources]

  10. Tools
    [Diagram labels: .apk, .dex, .smali, .class, Java code; tools: Apktool, baksmali, Dex2jar, JD-GUI, JD-Core]

  11. Some GUI
    Jadx
    JD-GUI
    ClassyShark

  12. Build & obfuscation pipeline
    [Diagram: Java code → javac → .class → .dex → .apk, with Manifest and Resources]

  13. Build & obfuscation pipeline
    [Diagram: Java code → javac → .class → proguard → .class (obfuscated) + mapping → .dex → .apk, with Manifest and Resources]

  14. Techniques
    Renaming
    Shrinking
    Repackaging
    Log/Data leak removal
    Control flow obfuscation
    String cipher

  15. When
    Log/Data leak removal
    Development
    Renaming
    Shrinking
    Repackaging
    Control flow
    String cipher
    Build

  16. Step and Methodology
    Using only free tools

  17. App sample

  18. Application perspective

  19. Enable proguard
    Renaming
    Shrinking
    Repackaging
    Log/Data leak removal

  20. However, build is failing

  21. Disable warnings of dependencies

  22. But app crashes at runtime…

  23. Crash because of class renaming / reflection

  24. Library proguard conf

  25. List all my dependencies

  26. List all my dependencies
    ./gradlew :app:dependencies

  27. Apply proguard configuration of dependencies
    https://github.com/krschultz/android-proguard-snippets

  28. Still, something is missing

  29. App configuration missing
    Know your tools!
    Gson is based on reflection

  30. Without configuration

  31. With configuration

  32. With configuration

  33. Working now!

  34. Library perspective

  35. App sample

  36. Enable proguard
    app/build.gradle
    library/build.gradle

  37. Enable proguard

  38. Declare API of the library

  39. Manage dependencies

  40. Provide proguard rules

  41. Can I do better?

  42. Repackaging

  43. Repackaging

  44. Log removal

  45. Log removal

  46. Log removal

  47. Log removal

  48. Timber lint rules are great!
    Will automatically check with lint:
    if you are using the android logger instead of timber
    if you concatenate strings in a log message

  49. Timber lint rules are great!

  50. Timber lint rules are great!

  51. Be careful with custom loggers
    getDefaultProguardFile('proguard-android.txt')

  52. Be careful with custom loggers
    getDefaultProguardFile('proguard-android-optimize.txt')

  53. Use compile-time code generation
    Better performance
    Resists proguard obfuscation
    Bigger APK
    Dagger 1 vs Dagger 2
    Autovalue for serialization

  54. Avoid reflection for serialization
    Use compile-time generation

  55. Tip
    Use @Keep!
    In sdk/tools/proguard/proguard-android.txt:
        # Understand the @Keep support annotation.
        -keep class android.support.annotation.Keep
        -keep @android.support.annotation.Keep class * {
            *;
        }
    • Resists class refactor
    • No extra proguard configuration required

  56. Exploit / delivery

  57. Build & obfuscation pipeline
    [Diagram: Java code → javac → .class → proguard → .class (obfuscated) + mapping → .dex → .apk, with Manifest and Resources]

  58. Always save proguard mapping file

  59. Archive mapping.txt
    Automated solution #1: archive it as a maven artifact

  60. Archive mapping.txt
    Automated solution #2: use a gradle task or crashlytics

  61. Deobfuscate the stacktrace
    /tools/proguard/bin
    Android Studio Analyze Stacktrace *
    Automatically done on crashlytics
    * install https://plugins.jetbrains.com/idea/plugin/101-proguard-unscramble-plugin

  62. Go Further

  63. Techniques
    Renaming
    Shrinking
    Repackaging
    Log/Data leak removal
    Control flow obfuscation
    String cipher
    Code encryption/integrity
    Assets/resources encryption
    Dynamic analysis countermeasures

  64. Techniques
    Control flow obfuscation

  65. Techniques
    String cipher

  66. Techniques for a better binary protection
    Code encryption/integrity
    Assets/resources encryption
    Dynamic analysis countermeasures

  67. Conclusion

  68. Application steps
    Choose your tools properly
    Proguard conf library
    Enable repackaging
    Proguard conf application
    Remove log
    Decompile
    Publish
    Save mapping

  69. SDK steps
    Choose your tools properly
    Proguard conf library
    Provide proguard conf of your dependencies
    Declare your API
    Enable repackaging
    Remove log
    Decompile
    Publish
    Save mapping

  70. Conclusion
    Obfuscation doesn’t prevent reverse engineering, but just discourages it.

  71. Github App Sample
    https://github.com/flolom/obfuscation-tutorial

  72. Questions?
    Renaud Boulard @_renaudb
    Francois Lolom @flolom