Getting the most of Android obfuscation tools

With the increasing use of smartphones in the banking and payment industry, we need to build more secure applications. This presentation focuses on one specific part of the app security field: Android app/SDK obfuscation.

Obfuscation makes reverse engineering of your system harder and prevents the leak of sensitive information.

During the talk, we will show you how to analyse the result of your obfuscation, propose relevant tools to accomplish that, and present a rigorous methodology to achieve the best possible result.

renaudboulard

April 10, 2017
Transcript

  1. Discover and master obfuscation on Android 0%

  2. About us Renaud Boulard @_renaudb Francois Lolom @flolom 1%

  3. Summary: Steps and Methodology, Obfuscation techniques, Go further, Conclusion, Introduction, Delivery and Exploit 2%

  4. Obfuscation. Obfuscate: to render obscure, to darken, to hide. Obfuscate: to make something less clear and harder to understand, especially intentionally. (Sources: wiktionary.org, dictionary.cambridge.org) 4%

  5. Obfuscation goals: Makes sensitive assets harder to find; Limits cloning / app repackaging; Protects other security features located on the app; Makes inner implementation "more secret" 8%

  6. Security: Improper Platform Usage, Insecure Data Storage, Insecure Communication, Insecure Authentication, Insufficient Cryptography, Insecure Authorization, Client Code Quality, Code Tampering, Reverse Engineering, Extraneous functionality 9%

  7. Security: Improper Platform Usage, Insecure Data Storage, Insecure Communication, Insecure Authentication, Insufficient Cryptography, Insecure Authorization, Client Code Quality, Code Tampering, Reverse Engineering, Extraneous functionality 10%

  8. Obfuscation Techniques & tools 12%

  9. Build & obfuscation pipeline (diagram): Java code, javac, .class, .dex, .apk; Manifest, Resources 13%

  10. Tools (diagram): .apk, .dex, .smali, .class, Java code; Apktool, baksmali, Dex2jar, JD-GUI, JD-Core 14%

  11. Some GUI: Jadx, JD-GUI, ClassyShark 15%

  12. Build & obfuscation pipeline (diagram): Java code, javac, .class, .dex, .apk; Manifest, Resources 16%

  13. Build & obfuscation pipeline (diagram): Java code, javac, .class, proguard, .class (obfuscated), mapping, .dex, .apk; Manifest, Resources 16%

  14. Techniques: Renaming, Shrinking, Repackaging, Log/Data leak removal, Control flow obfuscation, String cipher 17%

  15. When: Log/Data leak removal (Development); Renaming, Shrinking, Repackaging, Control flow, String cipher (Build) 18%

  16. Step and Methodology Using only free tools 19%

  17. App sample 20%

  18. Application perspective 21%

  19. Enable proguard Renaming Shrinking Repackaging Log/Data leak removal 22%

  20. However, build is failing 24%

  21. Disable warnings of dependencies 25%

  22. But app crashes at runtime… 26%

  23. Crash because of class renaming / reflection 28%

  24. Library proguard conf 29%

  25. List all my dependencies 30%

  26. List all my dependencies ./gradlew :app:dependencies 32%

  27. Apply proguard configuration of dependencies https://github.com/krschultz/android-proguard-snippets 33%

  28. Still, something is missing 34%

  29. App configuration missing. Know your tools! Gson is based on reflection 36%

  30. Without configuration 37%

  31. With configuration 38%

  32. With configuration 40%

  33. Working now ! 41%

  34. Library perspective 42%

  35. App sample 44%

  36. Enable proguard app/build.gradle library/build.gradle 45%

  37. Enable proguard 46%

  38. Declare API of the library 48%

  39. Manage dependencies 49%

  40. Provide proguard rules 50%

  41. Can I do better ? 52%

  42. Repackaging 53%

  43. Repackaging 54%

  44. Log removal 56%

  45. Log removal 57%

  46. Log removal 58%

  47. Log removal 60%

  48. Timber lint rules are great! Lint will automatically check: if you are using the android logger instead of Timber; if you concatenate strings in a log message 61%

  49. Timber lint rules are great! 62%

  50. Timber lint rules are great! 63%

  51. Be careful with custom loggers getDefaultProguardFile('proguard-android.txt') 64%

  52. Be careful with custom loggers getDefaultProguardFile('proguard-android-optimize.txt') 65%

  53. Use compile-time code generation: Better performance; Resists proguard obfuscation; Bigger APK; Dagger 1 vs Dagger 2; Autovalue for serialization 65%

  54. Avoid reflection for serialization Use Compile time generation 66%

  55. Use @Keep! Tip #: Understand the @Keep support annotation. In sdk/tools/proguard/proguard-android.txt:

    -keep class android.support.annotation.Keep
    -keep @android.support.annotation.Keep class * { *; }

    • Resists class refactor • No extra proguard configuration required 67%

  56. Exploit / delivery 69%

  57. Build & obfuscation pipeline (diagram): Java code, javac, .class, proguard, .class (obfuscated), mapping, .dex, .apk; Manifest, Resources 70%

  58. Always save proguard mapping file 71%

  59. Archive mapping.txt. Automated solution #1: archive it as a maven artifact 72%

  60. Archive mapping.txt. Automated solution #2: use a gradle task or crashlytics 74%

  61. Deobfuscate the stacktrace: <android sdk>/tools/proguard/bin; Android Studio Analyze Stacktrace* (* install https://plugins.jetbrains.com/idea/plugin/101-proguard-unscramble-plugin); Automatically done on crashlytics 75%

  62. Go Further 76%

  63. Techniques: Renaming, Shrinking, Repackaging, Log/Data leak removal, Control flow obfuscation, String cipher, Code encryption/integrity, Assets/resources encryption, Dynamic analysis countermeasures 78%

  64. Techniques: Control flow obfuscation 80%

  65. Techniques: String cipher 82%

  66. Techniques for a better binary protection: Code encryption/integrity, Assets/resources encryption, Dynamic analysis countermeasures 86%

  67. Conclusion 90%

  68. Application steps: Choose your tools properly; Proguard conf library; Enable repackaging; Proguard conf application; Remove log; Decompile; Publish; Save mapping 92%

  69. SDK steps: Choose your tools properly; Proguard conf library; Provide proguard conf of your dependencies; Declare your API; Enable repackaging; Remove log; Decompile; Publish; Save mapping 94%

  70. Conclusion: Obfuscation doesn’t prevent reverse engineering, but just discourages it. 96%

  71. Github App Sample https://github.com/flolom/obfuscation-tutorial 98%

  72. Questions? Renaud Boulard @_renaudb Francois Lolom @flolom 100%
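
One way to analyse the result of an obfuscation run before publishing is to read the saved mapping.txt and list every class and member whose name survived renaming (because of a -keep rule or @Keep). The script below is an added example, not code from the talk or its sample app; the mapping excerpt is constructed, and the function names and the HINTS word list are assumptions.

```python
import re

# Constructed sample in ProGuard mapping.txt format (not taken from the talk's app).
SAMPLE_MAPPING = """\
# comment lines start with '#'
com.example.bank.MainActivity -> com.example.bank.MainActivity:
    void onCreate(android.os.Bundle) -> onCreate
    java.lang.String pinCode -> a
com.example.bank.crypto.KeyStoreHelper -> a.a:
    byte[] secret -> a
    12:20:byte[] loadKey(java.lang.String) -> a
com.example.bank.model.Account -> com.example.bank.model.Account:
    java.lang.String iban -> iban
    java.lang.String getIban() -> getIban
"""

CLASS_RE = re.compile(r"^(\S+) -> (\S+):$")
# Member line: "[start:end:]type name[(args)][:start:end] -> obfuscated"
MEMBER_RE = re.compile(
    r"^\s+(?:\d+:\d+:)?\S+ ([^\s(]+)(?:\(.*?\))?(?::\d+:\d+)? -> (\S+)$")
HINTS = ("key", "secret", "pin", "iban", "token", "password")  # assumed word list


def audit_mapping(text):
    """Return (kept, total): fully qualified names left unchanged, and names seen."""
    kept, total, current = [], 0, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        cls = CLASS_RE.match(line)
        member = None if cls else MEMBER_RE.match(line)
        if cls:
            current, obf = cls.groups()
            original, full = current, current
        elif member and current:
            original, obf = member.groups()
            if original in ("<init>", "<clinit>"):  # never renamed, not a finding
                continue
            full = f"{current}.{original}"
        else:
            continue
        total += 1
        if original == obf:
            kept.append(full)
    return kept, total


def sensitive(names):
    """Kept names whose simple name contains a hint word: review their keep rules."""
    return [n for n in names if any(h in n.rsplit(".", 1)[-1].lower() for h in HINTS)]
```

On the constructed sample, the Gson-style model class Account keeps iban and getIban in clear, which is the kind of finding to weigh against the keep rule that caused it.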