AnDevCon: Android Reverse Engineering

Post on 13-Jun-2015

DESCRIPTION

Slides of the presentation at the AnDevCon: Android Reverse Engineering

TRANSCRIPT

Agenda:
- Intro
- Purpose
- Tools
- APK Structure
- Obtaining APKs
- Decompiling
- Manipulation
- Repackage/signing
- Examples
- Prevention

Ego slide
Mobile Developer @ Sixt
M. Sc. UCM/RWTH
CS Teacher at Alcalá University
+EnriqueLópezMañas

@eenriquelopez

Reverse Engineering
Obtaining source code from a compiled source

Why Java?
- Java code is partially compiled and then interpreted
- JVM and opcodes are fixed
- Few instructions
- No real protection

Why Android?
- APKs are easily downloadable
- Obfuscation does not happen by default
- APK to JAR translation is easy

Legal issues
Small set:
- Don’t decompile, recompile and pass it off as your own
- Don’t try to sell it as your own
- If License Agreement forbids decompiling, do not decompile
- Don’t decompile to remove protection mechanisms

Legal issues
US
- Precedents allowing decompilation (Sega vs. Accolade, http://digital-law-online.info/cases/24PQ2D1561.htm)

Legal issues
EU (Directive on the Legal Protection of Computer Programs)
- Allows decompilation (if you need access to internal calls and authors refuse to divulge API)
BUT:
- Only to interface your program
- Only if they are not protected

Generally
YES:
- Understand interoperability
- Create a program interface
NO:
- Create a copy and sell it.

Malware Privacy leaks Cheating

Code injection Passwords Score manipulation

Download from obscure sources

Personal data

Asset manipulation

Unrequested data collection/steal Ads

Educational Interfacing Protection

Learning code Creating interfaces

Checking our own mistakes!

Researching bugs

Improving existing resources

Dex2Jar

JD-GUI

JAD

apktool

Eclipse

Java programming (SDK/NDK)

Compiling to DEX, running in DVM

Package signed as APK

Distribution (freely, Google Play or other)

Obtaining APK

Converting DEX to Jar

Decompiling Java

How to obtain APKs

1.- Pulling from device
2.- Using GooglePlay Python API
3.- Alternative sources
4.- Sniffer transfer

Pulling from device:

Connect with USB cable ADB Root

Alternative Sources:

Sniffer:

Google Play Python API:

First unzip

Using dex2jar to create a Jar

Using a Java Decompiler

Some tips:

•Look for known strings
•Not only code: also XML and resources
•Be aware of obfuscation

•Edit and modify resources
•Change essential code
•SMALI

•Create certificate with JDK Keytool

•Sign Jar with JDK jarsigner

•HelloWorld
•Crackme
•Code injection

Protecting your source

[We want] to protect [the] code by making reverse engineering so technically difficult that it becomes impossible or at the very least economically inviable.
- Christian Collberg,

Idea #1

Writing two versions of the app

Idea #2

Obfuscation

When obfuscation is outlawed, only outlaws will sifj difdm wofiefiemf eifm.

Idea #3

WebServices

Idea #4

FingerPrinting our code

Idea #5

Native methods

Thank you!

+ Enrique López Mañas

@eenriquelopez
