AnDevCon: Android Reverse Engineering
Agenda:
- Intro
- Purpose
- Tools
- APK Structure
- Obtaining APKs
- Decompiling
- Manipulation
- Repackage/signing
- Examples
- Prevention
Ego slide
Mobile Developer @ Sixt
M. Sc. UCM/RWTH
CS Teacher at Alcalá University
+EnriqueLópezMañas
@eenriquelopez
Reverse Engineering
Obtaining source code from a compiled source
Why Java?
- Java code is partially compiled and then interpreted
- JVM and opcodes are fixed
- Few instructions
- No real protection
Why Android?
- APKs are easily downloadable
- Obfuscation does not happen by default
- APK to JAR translation is easy
Legal issues
Small set:
- Don’t decompile, recompile and pass it off as your own
- Don’t try to sell it as your own
- If License Agreement forbids decompiling, do not decompile
- Don’t decompile to remove protection mechanisms
Legal issues: US
- Precedents allowing decompilation (Sega vs. Accolade, http://digital-law-online.info/cases/24PQ2D1561.htm)
Legal issues: EU (Directive on the Legal Protection of Computer Programs)
- Allows decompilation (if you need access to internal calls and authors refuse to divulge API)
BUT:
- Only to interface your program
- Only if they are not protected
Generally
YES:
- Understand interoperability
- Create a program interface
NO:
- Create a copy and sell it.
Malware Privacy leaks Cheating
Code injection Passwords Score manipulation
Download from obscure sources
Personal data
Asset manipulation
Unrequested data collection/steal Ads
Educational Interfacing Protection
Learning code Creating interfaces
Checking our own mistakes!
Researching bugs
Improving existing resources
Dex2Jar
JD-GUI
JAD
apktool
Eclipse
Java programming (SDK/NDK)
Compiling to DEX, running in DVM
Package signed as APK
Distribution (freely, Google Play or other)
Obtaining APK
Converting DEX to Jar
Decompiling Java
How to obtain APKs
1.- Pulling from device
2.- Using GooglePlay Python API
3.- Alternative sources
4.- Sniffer transfer
Pulling from device:
- Connect with USB cable
- ADB
- Root
Alternative Sources:
Sniffer:
Google Play Python API:
First unzip
Using dex2jar to create a Jar
Using a Java Decompiler
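An added example, not part of the original slides: the "First unzip" step done in Python, grouping the APK's entries and verifying the integrity fields in each DEX header before the file is handed to dex2jar. It goes slightly beyond the slide by checking the header's Adler-32 and SHA-1 fields, which is how a hand-patched `classes.dex` shows up. The function names and the sample APK are constructed for illustration; the offsets follow the published DEX header layout.

```python
import hashlib
import io
import struct
import zipfile
import zlib

def check_dex(data: bytes) -> dict:
    """Verify the integrity fields of a DEX header: magic, size, Adler-32, SHA-1."""
    if len(data) < 0x70 or data[:4] != b"dex\n":
        return {"magic_ok": False}
    checksum, sha1, file_size = struct.unpack_from("<I20sI", data, 8)
    return {
        "magic_ok": True,
        "size_ok": file_size == len(data),
        "checksum_ok": checksum == zlib.adler32(data[12:]),   # covers bytes 12..end
        "sha1_ok": sha1 == hashlib.sha1(data[32:]).digest(),  # covers bytes 32..end
    }

def inventory_apk(apk_bytes: bytes) -> dict:
    """Unzip an APK in memory and group its entries the way a reviewer reads them."""
    report = {"manifest": False, "dex": {}, "signing": [], "resources": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        report["manifest"] = "AndroidManifest.xml" in apk.namelist()
        for name in apk.namelist():
            if name.endswith(".dex"):
                report["dex"][name] = check_dex(apk.read(name))
            elif name.startswith("META-INF/") and name.endswith((".MF", ".SF", ".RSA", ".DSA", ".EC")):
                report["signing"].append(name)
            elif name.startswith(("res/", "assets/")) or name == "resources.arsc":
                report["resources"].append(name)
    return report

def build_dex(payload: bytes) -> bytes:
    """Constructed sample: a consistent 0x70-byte header over filler bytes, not real bytecode."""
    dex = bytearray(b"dex\n035\x00".ljust(0x70, b"\x00") + payload)
    struct.pack_into("<II", dex, 32, len(dex), 0x70)               # file_size, header_size
    dex[12:32] = hashlib.sha1(bytes(dex[32:])).digest()            # signature first...
    struct.pack_into("<I", dex, 8, zlib.adler32(bytes(dex[12:])))  # ...then checksum over it
    return bytes(dex)

def build_apk(dex: bytes) -> bytes:
    """Constructed sample APK: empty placeholder entries around the given classes.dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name in ("AndroidManifest.xml", "resources.arsc", "res/layout/main.xml",
                     "META-INF/MANIFEST.MF", "META-INF/CERT.SF", "META-INF/CERT.RSA"):
            z.writestr(name, b"")
        z.writestr("classes.dex", dex)
    return buf.getvalue()
```

To inspect a real file, pass its bytes to `inventory_apk`. Repackaging tools recompute both header fields, so a passing check only rules out corruption or hand patching; whether the APK is the publisher's build is decided by the signing certificate under `META-INF/`.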
Some tips:
•Look for known strings
•Not only code: also XML and resources
•Be aware of obfuscation
•Edit and modify resources
•Change essential code
•SMALI
•Create certificate with JDK Keytool
•Sign Jar with JDK jarsigner
•HelloWorld
•Crackme
•Code injection
Protecting your source
[We want] to protect [the] code by making reverse engineering so technically difficult that it becomes impossible or at the very least economically inviable.
- Christian Collberg,
Idea #1
Writing two versions of the app
Idea #2
Obfuscation
When obfuscation is outlawed, only outlaws will sifj difdm wofiefiemf eifm.
Idea #3
WebServices
Idea #4
FingerPrinting our code
Idea #5
Native methods
Thank you!
+ Enrique López Mañas
@eenriquelopez