IEEE Day 2013 - Reverse Engineering an Android Application


Page 1: IEEE Day 2013 - Reverse Engineering an Android Application

IEEE Day 2013

Rufat BABAKISHIYEV, Software Engineer, Komtec LTD

[email protected]

01 October 2013, Qafqaz University

Reverse Engineering an Android Application

Page 2: IEEE Day 2013 - Reverse Engineering an Android Application

Plan

Reverse Engineering & Forensic research
Review of Android OS Architecture
Yahoo Email Client Application
Research questions
Decompiling the Application
File System
Database and files of Yahoo Email Android Client
Attachment files of Email Application
Compare App Info
Uninstall Yahoo Email Android Client
Security Warnings
Acronyms
Bibliography (references)

Page 3: IEEE Day 2013 - Reverse Engineering an Android Application

Reverse Engineering & Forensic research

Reverse engineering, in computer programming, is a technique used to analyze software in order to identify and understand the parts it is composed of. The usual reasons for reverse engineering a piece of software are to recreate the program, to build something similar to it, to exploit its weaknesses, or to strengthen its defenses.

Forensic Science - The word forensic comes from the Latin word forensis: public; to the forum or public discussion; argumentative, rhetorical, belonging to debate or discussion.

Page 4: IEEE Day 2013 - Reverse Engineering an Android Application

Review of Android OS Architecture

Android relies on the Linux kernel (the 2.6 series on the devices of the time; Android 4.x devices ship 3.x kernels) for core system services such as security, memory management, process management, the network stack and the driver model. It does not include the full set of standard Linux utilities.

Android provides a number of system libraries written in C/C++ which are exposed to applications through the Application Framework. Note that Android does not provide the complete functionality of the standard GNU C library; it ships its own libc (Bionic). Libraries provided by Android include the Surface Manager, Media Framework, SQLite, WebKit and OpenGL.

The Dalvik Virtual Machine (VM) is the core runtime component of Android. It is a process-based, register-based virtual machine optimized for a low memory footprint and good performance. The VM runs classes compiled by a Java compiler and then transformed into the Dalvik Executable (.dex) format by the SDK's "dx" tool. This is why decompiling an Android app needs a .dex-to-.class step before ordinary Java decompilers can be applied.

An Android application can be composed of 4 types of components namely: Activity, Service, Content Provider and Broadcast Receiver.

The Applications layer holds the applications that developers write and users run.

Page 5: IEEE Day 2013 - Reverse Engineering an Android Application

Review of Android OS Architecture


Page 6: IEEE Day 2013 - Reverse Engineering an Android Application

Yahoo Email Client Application


Why Yahoo ?

Yahoo Email is one of the most widely used email applications: its Google Play install count is in the 50,000,000 – 100,000,000 bracket. It runs on practically any Android device, since it can be installed on any device with Android 2.2 or later.

Page 7: IEEE Day 2013 - Reverse Engineering an Android Application

Research questions

What files are created after installation?
What files are deleted after uninstallation?
What data are synchronized in the app?
What data are available for offline use?
How is the SQLite database used?
How are cache and memory managed?

Page 8: IEEE Day 2013 - Reverse Engineering an Android Application

Decompiling the Application

First, the app (Yahoo Email) is downloaded from the market and installed. For our research we need the app's .apk file, so we also download and use ES File Explorer.

After launching ES File Explorer, choose "Tools" from the sliding menu and then select "Manager". All of the user's applications are shown in a grid view. Long-press Yahoo Email to select it; a tab bar appears below, where we click "Backup". The .apk file is then written to the backups folder on the SD card. (With the SDK installed, the same file can be fetched over adb: "adb shell pm path <package name>" prints the installed path, which "adb pull" can then copy.)

Page 9: IEEE Day 2013 - Reverse Engineering an Android Application

Decompiling the Application

Apktool decodes an .apk into a project-like tree: resources and AndroidManifest.xml are decoded, but the code comes back as .smali files (Dalvik assembly), not .class files.

Dex2jar converts the classes.dex inside the .apk into a .jar of JVM .class files.

JD-GUI decompiles that .jar and shows the Java source code.

Reverse .apk file to Android Project
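Before handing the backed-up .apk (page 8) to apktool, dex2jar and JD-GUI (page 9), it is worth checking that the pull is intact. An APK is a ZIP, and the classes.dex inside carries its own Adler-32 checksum and SHA-1 signature in the header, so a truncated or corrupted copy can be rejected before any decompiler runs. The following is an added example, not code from the talk: it builds a constructed in-memory APK (a header-only classes.dex plus placeholder manifest and META-INF entries, not the Yahoo client), records its hash, notes whether v1 (JAR) signature files are present, and verifies every DEX header it finds.

```python
"""Triage a pulled .apk before decompiling it. Added example; the sample APK is
constructed in memory and is not the Yahoo client."""
import hashlib
import io
import struct
import zipfile
import zlib

DEX_MAGIC = b"dex\n035\0"      # DEX version 035, the format Dalvik used at the time of the talk
ENDIAN_CONSTANT = 0x12345678   # endian_tag value of a normal little-endian DEX
DEX_HEADER_SIZE = 0x70         # fixed header size


def build_sample_dex() -> bytes:
    """Constructed header-only DEX with a correct checksum and signature.
    Layout: magic(8) checksum(4) signature(20) file_size(4) header_size(4)
    endian_tag(4) followed by the 17 remaining (zeroed) header words."""
    rest = struct.pack("<III", DEX_HEADER_SIZE, DEX_HEADER_SIZE, ENDIAN_CONSTANT) + b"\0" * 68
    signature = hashlib.sha1(rest).digest()                  # SHA-1 of everything after itself
    checksum = zlib.adler32(signature + rest) & 0xFFFFFFFF    # Adler-32 of everything after itself
    return DEX_MAGIC + struct.pack("<I", checksum) + signature + rest


def build_sample_apk() -> bytes:
    """Constructed stand-in for the .apk backed up to the SD card (placeholder files only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")   # binary-XML chunk header stub
        z.writestr("classes.dex", build_sample_dex())
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", b"\x30\x82")               # truncated PKCS#7 stub
    return buf.getvalue()


def check_dex(dex: bytes) -> dict:
    """Parse the DEX header and recompute its two integrity fields."""
    if len(dex) < DEX_HEADER_SIZE:
        raise ValueError("shorter than a DEX header")
    magic = dex[:8]
    (checksum,) = struct.unpack_from("<I", dex, 8)
    signature = dex[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", dex, 32)
    return {
        "magic_ok": magic[:4] == b"dex\n" and magic[7] == 0,
        "version": magic[4:7].decode("ascii", "replace"),
        "checksum_ok": (zlib.adler32(dex[12:]) & 0xFFFFFFFF) == checksum,
        "signature_ok": hashlib.sha1(dex[32:]).digest() == signature,
        "size_ok": file_size == len(dex) and header_size == DEX_HEADER_SIZE,
        "little_endian": endian_tag == ENDIAN_CONSTANT,
    }


def triage_apk(apk: bytes) -> dict:
    """Hash, manifest presence, v1 signature files and per-DEX header checks for an APK."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        names = z.namelist()
        dex_names = sorted(n for n in names if n.endswith(".dex") and "/" not in n)
        return {
            "sha256": hashlib.sha256(apk).hexdigest(),
            "has_manifest": "AndroidManifest.xml" in names,
            "v1_signed": any(n.startswith("META-INF/") and n.endswith((".RSA", ".DSA", ".EC"))
                             for n in names),
            "dex": {n: check_dex(z.read(n)) for n in dex_names},
        }


if __name__ == "__main__":
    for key, value in triage_apk(build_sample_apk()).items():
        print(f"{key}: {value}")
```

Run it against a real pull by replacing build_sample_apk() with the bytes of the backed-up file; a checksum or signature mismatch in the report means the copy, not the decompiler, is the problem.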

Page 10: IEEE Day 2013 - Reverse Engineering an Android Application

Decompiling the Application

With JD-GUI we can browse the decompiled source of the Yahoo Email Android client.

The decompiled code is obfuscated: class, method and field names have been replaced with meaningless short identifiers, so very little can be read directly from it. String constants and calls into the Android framework survive obfuscation and are the usual starting points.

Page 11: IEEE Day 2013 - Reverse Engineering an Android Application

File System

With Eclipse's Android tools (the File Explorer view in DDMS) we can browse the device's file system. Every installed application gets its own private directory under /data/data/<package name> (loosely comparable to Program Files on Windows), which is where its databases, cache and files are created.

Install the Yahoo Email Android client on an AVD.

Page 12: IEEE Day 2013 - Reverse Engineering an Android Application

File System


Page 13: IEEE Day 2013 - Reverse Engineering an Android Application

Database and file of Yahoo Email Client

In order to do forensic research on the DB and other artifacts we need some test email accounts in Yahoo. We created two different Yahoo Email accounts, because the Yahoo Email Android client lets a user manage more than one Yahoo account. Email 1: rufatf123. Email 2: rufatf124. We then sign in with the first account and add the second.

Page 14: IEEE Day 2013 - Reverse Engineering an Android Application

Database and file of Yahoo Email Client

We sent some test emails from both accounts: plain-text emails and emails with media attached (a .doc and an .mp3 file). Then we look at the DB. In the Eclipse File Explorer we browse to /data/data/<package name>/databases and pull the files with that tool (select the file, click the disk icon at the top right, then choose a folder to save to). Pull any -journal or -wal file sitting next to a database as well, or the most recent writes may be missing from the copy.

Page 15: IEEE Day 2013 - Reverse Engineering an Android Application

Database and file of Yahoo Email Client

Every table was created for both accounts.
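Once the databases from pages 13–15 are pulled, the same questions can be asked programmatically: which tables exist, how many rows each holds, which columns look like credentials, and what a user "deleting" mail actually leaves on disk. The following is an added example, not code from the talk. The schema (accounts, messages, attachments) and every row in it are constructed for illustration and are not the Yahoo client's real database; the two account names are the talk's test logins. It shows that with SQLite's usual secure_delete=OFF setting, deleted rows stay readable in the raw file even though the SQL layer no longer returns them.

```python
"""Inspect a SQLite DB pulled from /data/data/<package>/databases. Added example;
the database is constructed and is not the Yahoo client's."""
import os
import sqlite3
import tempfile

SENSITIVE_HINTS = ("pass", "token", "secret", "cookie", "auth", "session")


def build_sample_db(path: str) -> str:
    """Constructed stand-in for the pulled mail DB: two accounts, 500 messages,
    one attachment; then 490 of the messages are deleted through SQL."""
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA secure_delete=OFF")   # SQLite's usual default: deleted rows are not wiped
    with conn:
        conn.executescript("""
            CREATE TABLE accounts(id INTEGER PRIMARY KEY, address TEXT, auth_token TEXT);
            CREATE TABLE messages(id INTEGER PRIMARY KEY, account_id INTEGER,
                                  subject TEXT, body TEXT);
            CREATE TABLE attachments(id INTEGER PRIMARY KEY, message_id INTEGER,
                                     filename TEXT, local_path TEXT);
        """)
        conn.executemany("INSERT INTO accounts(address, auth_token) VALUES (?, ?)",
                         [("rufatf123", "tok-aaaa"), ("rufatf124", "tok-bbbb")])
        conn.executemany(
            "INSERT INTO messages(account_id, subject, body) VALUES (?, ?, ?)",
            [(1 + i % 2, f"test mail {i}", f"MAIL-BODY {i} " + "x" * 300) for i in range(500)])
        conn.execute("INSERT INTO attachments(message_id, filename, local_path) "
                     "VALUES (1, 'notes.doc', '/sdcard/yahoo/notes.doc')")
    with conn:
        conn.execute("DELETE FROM messages WHERE id > 10")   # the user 'deletes' 490 mails
    conn.close()
    return path


def inspect_db(path: str) -> dict:
    """Schema, row counts, credential-looking columns and freelist size, opened read-only."""
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    tables = {}
    for (name,) in conn.execute("SELECT name FROM sqlite_master WHERE type='table' ORDER BY name"):
        cols = [row[1] for row in conn.execute(f'PRAGMA table_info("{name}")')]
        rows = conn.execute(f'SELECT COUNT(*) FROM "{name}"').fetchone()[0]
        tables[name] = {
            "columns": cols,
            "rows": rows,
            "sensitive": [c for c in cols if any(h in c.lower() for h in SENSITIVE_HINTS)],
        }
    freelist = conn.execute("PRAGMA freelist_count").fetchone()[0]   # pages freed by deletes
    conn.close()
    return {"tables": tables, "freelist_pages": freelist}


def carve(path: str, needle: bytes) -> int:
    """Count raw occurrences of needle in the file, bypassing the B-tree: deleted
    rows that SQLite has not overwritten still match here."""
    with open(path, "rb") as f:
        return f.read().count(needle)


def side_files(path: str) -> list:
    """Rollback-journal / WAL files that must be pulled together with the .db."""
    return [path + s for s in ("-journal", "-wal", "-shm") if os.path.exists(path + s)]


def demo() -> dict:
    """Build the sample DB in a temp dir and run the three checks over it."""
    with tempfile.TemporaryDirectory() as d:
        path = build_sample_db(os.path.join(d, "mail.db"))
        report = inspect_db(path)
        report["live_bodies"] = report["tables"]["messages"]["rows"]
        report["carved_bodies"] = carve(path, b"MAIL-BODY")
        report["side_files"] = side_files(path)
        return report


if __name__ == "__main__":
    r = demo()
    for name, t in r["tables"].items():
        print(f"{name}: {t['rows']} rows, columns={t['columns']}, sensitive={t['sensitive']}")
    print(f"freelist pages: {r['freelist_pages']}, live bodies: {r['live_bodies']}, "
          f"carved bodies: {r['carved_bodies']}, side files: {r['side_files']}")
```

The gap between live_bodies and carved_bodies is the forensic point: the SQL view says ten messages remain, the bytes on disk say otherwise. Point inspect_db and carve at a real pulled file to apply the same checks.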

Page 16: IEEE Day 2013 - Reverse Engineering an Android Application

Attachment files of Yahoo Email Client

When opening an attachment the app offers two options: View and Save. We choose Save so that the artifact is written to storage. When saving, the app shows the directory the attachment will be saved to.

Page 17: IEEE Day 2013 - Reverse Engineering an Android Application

Compare App Info

App Info compared: Installed vs. Used

Page 18: IEEE Day 2013 - Reverse Engineering an Android Application

Uninstall Yahoo Email Android Client

At the end we uninstall the Yahoo Email Android client (from the Application Manager) and explore /data/data and the SD card folders. Let's find out which folders and files the system removed, and which ones remained.

After the uninstallation we see that the system removed the Yahoo Email Android application package directory under /data/data, so the cache and database files are gone. Looking at the SD card, the Yahoo directory has been removed as well. So in this case the system removed all of the application's artifacts when it was uninstalled. Note that the package manager only cleans the app's own directories (/data/data/<package name> and Android/data/<package name> on external storage); files written elsewhere on shared storage, such as an attachment saved into a user-chosen folder, are not removed.
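The before/after comparison on this page is done by eye; the following added example (not code from the talk) does it as a snapshot diff. It takes two find-style listings of the device, keeps only paths that belong to the app, and sorts the survivors by where they live, because a leftover under /data/data means something different from a leftover in a shared folder. The package name com.example.mail and both listings are constructed placeholders, not the Yahoo client's real paths; the listings mirror the page's observation that the private directory and the Yahoo folder on the SD card are removed, and add one attachment copied to a shared folder to show what the uninstall does not touch.

```python
"""Diff file-system snapshots taken before and after an uninstall. Added example;
package name and listings are constructed placeholders."""
import re
from typing import Dict, List

# Assumed layout of a 2.x/4.x-era device; adjust the external-storage prefix per device.
PRIVATE_RE = re.compile(r"^/data/data/([\w.]+)/")
APP_EXTERNAL_RE = re.compile(r"^/(?:mnt/)?sdcard/Android/(?:data|obb)/([\w.]+)/")
SHARED_RE = re.compile(r"^/(?:mnt/)?sdcard/")


def classify(path: str) -> str:
    """Where an artifact lives: app-private, the app's external dir, shared storage, or other."""
    if PRIVATE_RE.match(path):
        return "private"
    if APP_EXTERNAL_RE.match(path):
        return "app_external"
    if SHARED_RE.match(path):
        return "shared"
    return "other"


def diff_snapshots(before: List[str], after: List[str], package: str,
                   markers: List[str]) -> Dict[str, object]:
    """Given two listings and the identifiers that mark the app's files (its package
    name plus directory or file names it is known to create), report which of those
    files the uninstall removed and which survived, grouped by location."""
    def is_artifact(p: str) -> bool:
        low = p.lower()
        return package in p or any(m.lower() in low for m in markers)

    before_set, after_set = set(before), set(after)
    removed = sorted(p for p in before_set - after_set if is_artifact(p))
    residual = sorted(p for p in before_set & after_set if is_artifact(p))
    by_location: Dict[str, List[str]] = {}
    for p in residual:
        by_location.setdefault(classify(p), []).append(p)
    return {"removed": removed, "residual": residual, "residual_by_location": by_location}


# Constructed snapshots (placeholders, not captured from a real device).
BEFORE = [
    "/data/data/com.example.mail/databases/mail.db",
    "/data/data/com.example.mail/cache/webview.cache",
    "/data/data/com.android.providers.contacts/databases/contacts2.db",
    "/sdcard/Android/data/com.example.mail/cache/attach_thumb.jpg",
    "/sdcard/yahoo/notes.doc",
    "/sdcard/Download/notes.doc",
    "/sdcard/DCIM/Camera/IMG_0001.jpg",
]
AFTER = [
    "/data/data/com.android.providers.contacts/databases/contacts2.db",
    "/sdcard/Download/notes.doc",
    "/sdcard/DCIM/Camera/IMG_0001.jpg",
]


def demo() -> Dict[str, object]:
    """Diff the constructed snapshots for the placeholder package."""
    return diff_snapshots(BEFORE, AFTER, "com.example.mail", markers=["/yahoo/", "notes.doc"])


if __name__ == "__main__":
    result = demo()
    print("removed:", *result["removed"], sep="\n  ")
    print("residual by location:", result["residual_by_location"])
```

On a real device the two listings come from the same find or ls -R command run before and after the uninstall; anything that lands in the "shared" bucket is an artifact the uninstall does not clean up for you.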

Page 19: IEEE Day 2013 - Reverse Engineering an Android Application

Security Warnings

Do not "root" your device!

Do not install applications from unknown sources!

Read the permissions when installing an application!

Page 20: IEEE Day 2013 - Reverse Engineering an Android Application

Acronyms


APK Android Application Package

JVM Java Virtual Machine

Java SE Java Standard Edition

Java ME Java Micro Edition

SD Card Secure Digital Card

OS Operating System

AVD Android Virtual Device

DEX Dalvik Executable

SDK Software Development Kit


Page 23: IEEE Day 2013 - Reverse Engineering an Android Application

Thanks for attention …


QUESTIONS ?