Transcript
Page 1: AnDevCon: Android Reverse Engineering
Page 2: AnDevCon: Android Reverse Engineering

Agenda:
- Intro
- Purpose
- Tools
- APK Structure
- Obtaining APKs
- Decompiling
- Manipulation
- Repackage/signing
- Examples
- Prevention

Page 3: AnDevCon: Android Reverse Engineering

Ego slide

Mobile Developer @ Sixt M. Sc. UCM/RWTH CS Teacher at Alcalá University

+EnriqueLópezMañas

@eenriquelopez

Page 4: AnDevCon: Android Reverse Engineering

Reverse Engineering

Obtaining source code from a compiled source

Page 5: AnDevCon: Android Reverse Engineering

Why Java?
- Java code is partially compiled and then interpreted
- JVM and opcodes are fixed
- Few instructions
- No real protection

Page 6: AnDevCon: Android Reverse Engineering

Why Android?
- APKs are easily downloadable
- Obfuscation does not happen by default
- APK to JAR translation is easy

Page 7: AnDevCon: Android Reverse Engineering

Legal issues

Small set:
- Don’t decompile, recompile and pass it off as your own
- Don’t try to sell it as your own
- If License Agreement forbids decompiling, do not decompile
- Don’t decompile to remove protection mechanisms

Page 8: AnDevCon: Android Reverse Engineering

Legal issues

US
- Precedents allowing decompilation (Sega vs. Accolade, http://digital-law-online.info/cases/24PQ2D1561.htm)

Page 9: AnDevCon: Android Reverse Engineering

Legal issues

EU (Directive on the Legal Protection of Computer Programs)
- Allows decompilation (if you need access to internal calls and authors refuse to divulge API)

BUT:
- Only to interface your program
- Only if they are not protected

Page 10: AnDevCon: Android Reverse Engineering

Generally

YES:
- Understand interoperability
- Create a program interface

NO:
- Create a copy and sell it.

Page 11: AnDevCon: Android Reverse Engineering

Malware Privacy leaks Cheating

Code injection Passwords Score manipulation

Download from obscure sources

Personal data

Asset manipulation

Unrequested data collection/steal Ads

Page 12: AnDevCon: Android Reverse Engineering

Educational Interfacing Protection

Learning code Creating interfaces

Checking our own mistakes!

Researching bugs

Improving existing resources

Page 13: AnDevCon: Android Reverse Engineering

Dex2Jar

Page 14: AnDevCon: Android Reverse Engineering

JD-GUI

Page 15: AnDevCon: Android Reverse Engineering

JAD

Page 16: AnDevCon: Android Reverse Engineering

apktool

Page 17: AnDevCon: Android Reverse Engineering

Eclipse

Page 18: AnDevCon: Android Reverse Engineering

Java programming (SDK/NDK)

Compiling to DEX, running in DVM

Package signed as APK

Distribution (freely, Google Play or other)

Page 19: AnDevCon: Android Reverse Engineering

Obtaining APK

Converting DEX to Jar

Decompiling Java

Page 20: AnDevCon: Android Reverse Engineering

How to obtain APKs

1. Pulling from device
2. Using GooglePlay Python API
3. Alternative sources
4. Sniffer transfer

Page 21: AnDevCon: Android Reverse Engineering

Pulling from device:

- Connect with USB cable
- ADB
- Root

Page 22: AnDevCon: Android Reverse Engineering

Alternative Sources:

Page 23: AnDevCon: Android Reverse Engineering

Sniffer:

Page 24: AnDevCon: Android Reverse Engineering

Google Play Python API:

Page 25: AnDevCon: Android Reverse Engineering

First unzip

Page 26: AnDevCon: Android Reverse Engineering

Using dex2jar to create a Jar

Page 27: AnDevCon: Android Reverse Engineering

Using a Java Decompiler

Page 28: AnDevCon: Android Reverse Engineering

Some tips:

• Look for known strings
• Not only code: also XML and resources
• Be aware of obfuscation

Page 29: AnDevCon: Android Reverse Engineering

• Edit and modify resources
• Change essential code
• SMALI

Page 30: AnDevCon: Android Reverse Engineering

•Create certificate with JDK Keytool

•Sign Jar with JDK jarsigner

Page 31: AnDevCon: Android Reverse Engineering

• HelloWorld
• Crackme
• Code injection

Page 32: AnDevCon: Android Reverse Engineering

Protecting your source

[We want] to protect [the] code by making reverse engineering so technically difficult that it becomes impossible or at the very least economically inviable.

-Christian Collberg,

Page 33: AnDevCon: Android Reverse Engineering

Idea #1

Writing two versions of the app

Page 34: AnDevCon: Android Reverse Engineering

Idea #2

Obfuscation

When obfuscation is outlawed, only outlaws will sifj difdm wofiefiemf eifm.

Page 35: AnDevCon: Android Reverse Engineering

Idea #3

WebServices

Page 36: AnDevCon: Android Reverse Engineering

Idea #4

FingerPrinting our code

Page 37: AnDevCon: Android Reverse Engineering

Idea #5

Native methods

Page 38: AnDevCon: Android Reverse Engineering
Page 39: AnDevCon: Android Reverse Engineering

Thank you!

+ Enrique López Mañas

@eenriquelopez

